Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Client certificate validation
Options
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
(Computer) client certificate validation
Hi,
I have a working SSLVPN solution where I use client validation to check for a computer certificate from our internal PKI on the client. Domain computers get a certificate using autoenrollment policies and the root certificate is stored on the Fortigate. By enabling users to select the computer certificate in FortiClient during login, they can select the right certificate, which can be validated by Fortigate. So far so good...
The problem is, any certificate/key pair on the client, with a matching root on the Fortigate passes certificate validation. Since we use Lets Encrypt certificates, I uploaded the root of LE onto the Fortigate. If I install any valid LE certificate on the client, this certificate is also accepted.
Fortigate accepts any valid certificate for which it has a root certificate installed.
Is there a way to limit validation to specific root certificate(s)? Or perhaps check on specific certificate details?
Using only Fortigate, no other Fortinet products.
User authentication is done entirely on a remote Radius server, so no local/ldap/radius users defined.
FortiOS 6.0.5, FortiClient 6.0.8
Thx,
Michel
Solved! Go to Solution.
Labels:
- Labels:
-
6.0
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
4 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Just got word from support again. The gave me this link: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47120.
Although I find the example config a bit confusing, it seems like what I want to accomplish might be possible... but only from FortiOS 6.2.2+. We are still on 6.0.5.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Here's what I'm talking about in auth-rule
config vpn ssl settings set reqclientcert enable set ssl-min-proto-ver tls1-1 set servercert "Fortinet_Factory" set tunnel-ip-pools "SSLVPN_POOL_1" set port 8443 config authentication-rule edit 1 set source-interface "wan1" set source-address "all" set users "user1" set portal "full-access" set client-cert enable set user-peer "socpuppets" next end end
The set user-peer is your CA with or without the subject
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Hey, I just wanted to say I test it by only using the CA and no cn or subject string so it worked What I did was use the web-acecs and firefox and called up a inferior certificate that did NOT match the "config user peer"
So if you are issuing certificates from a privateCA, just 1> import the ca into the firewall 2> sign all users with that CA >3 and set a "config user peer" and finally use that peer in the auth-rule.
It should work and lock down the sslvpn. If the client presents no certificate or a certficate that is not signed by the CA you defined , the ssl will reject that connect. You will see this on a "diag debug application sslvpnd -1"
e.g
[23346:root:3b]rmt_web_auth_info_parser_common:470 no session id in auth info [23346:root:3b]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103, [23346:root:3b]User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0 [23346:root:3b]rmt_logincheck_cb_handler:1189 user 'user1' has a matched local entry. [23346:root:3b]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy. [23346:root:3b]sslvpn_auth_check_usrgroup:2145 got user (1) group (0:0). [23346:root:3b]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (1), realm (). [23346:root:3b]sslvpn_validate_user_group_list:1690 checking rule 1 cipher. [23346:root:3b]sslvpn_validate_user_group_list:1698 checking rule 1 realm. [23346:root:3b]sslvpn_validate_user_group_list:1709 checking rule 1 source intf. [23346:root:3b]sslvpn_validate_user_group_list:1730 checking rule 1 source address. [23346:root:3b]sslvpn_validate_user_group_list:1845 rule 1 done, got user (1:1) group (0:0) peer group (0). [23346:root:3b]sslvpn_validate_user_group_list:1963 got user (1:1), group (0:0) peer group (0). [23346:root:3b]fam_cert_send_req:808 do certificate peer check first(2). [23346:root:3b]doing certificate checking for 1 peer(s). [23346:root:3b]sslvpn_update_user_group_list:1579 Remove user(s) which has set user-peer (1). [23346:root:3b]sslvpn_update_user_group_list:1595 got user (0:0), group (0:0), peer group (0) after update. [23346:root:3b]__auth_cert_cb:939 no valid user/group candidate found.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Magion,
I did something like this in my lab. All the users are Active Directory users:
config user peer edit "peer1" set ca "home_lab" set subject ".hydra.local" next end
In plain english, this is "certificate must belong to the home_lab CA and it's subject must have .hydra.local". The latter is the FQDN matching trick I told you.
Next I created a realm "portal1" and did this:
config user ldap edit "DC" set server "dc.home.lab" set cnid "userPrincipalName" set dn "dc=home,dc=lab" set type regular set username "HOME\\fortigateLDAP" set password [removed] next end
config user group edit "vpn" set member "DC" config match edit 1 set server-name "DC" set group-name "CN=VPN,OU=User Accounts,DC=home,DC=lab" next end next end
config vpn ssl settings config authentication-rule edit 1 set groups "vpn" set portal "full-access" set realm "portal1" set client-cert enable set user-peer "peer1" next end end
The test were:
[ul]Hope this helps
Max
39 REPLIES 39
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I now understand that I do not "config user peer" but only selected "require user certificate"
I think I need to do like in this article https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-cert... but change according to kb
# config user peer edit user1 set ca "CA_1" set subject "OU = your_org" next end
and now any certificate of my CA with "OU = your_org" will be accepted.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I configured this. It is works when unchecked "Limit Users to One SSL-VPN Connection at a Time", because all users now are "certificate cn"(all users use one certificate) . And in VPN-Events all users same.
Revert all back.
like Magion said:
"I was hoping for something easy like: config vpn ssl settings set reqclientcert enable set ca 'my root ca' end
"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Yes play around with the config user peer. You can set the string or "cn" and even do a peergroup if you so desire.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I now understand that I do not "config user peer" but only selected "require user certificate"
and now any certificate of my ou will be accepted.
I think I need to do like in this article https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-cert... but change according to kb # config user peer edit user1 set ca "CA_1" set subject "OU = your_org" next end
and now any certificate of my CA with "OU = your_org" will be accepted.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I now understand that I do not "config user peer" but only selected "require user certificate"
and now any certificate of my ou will be accepted.
I think I need to do like in this article https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-cert... but change according to kb # config user peer edit user1 set ca "CA_1" set subject "OU = your_org" next end
and now any certificate of my CA with "OU = your_org" will be accepted.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
tanr wrote:Did they give a bug number? There was a similar issue with 5.6 FortiGates just accepting the certs based on their root ca instead of actually checking the details.
From support:
Unfortunately, there is an internal ticket 574949, which is a security concern that once you enable require client certificate, you will allow all users signed by certificates that are trusted by the FortiGate
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Lot's of posts (but did not get any notifications 
). Will read them more closely on Monday, some of it looked very interesting.
Just like to mention that I do not use local users. All authentication is done remotely on a radius server, and all I did was add the radius server as a remote group to a local firewall group.
If I understand support and the article I linked to correctly, it's possible to 'attach' a root certificate to all remote radius users by creating 1 peer user and add this to the firewall group next to the remote group.
But, since I only have a live production FortiGate top work with, I need to be careful of any tests I like to do. Especially now, since everybody is working from home and depend on the VPN (which by the way has been very stable so far) 
Michel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Magion, did TAC specify if 574949 was fixed in any later versions?
It sounds like they managed to "unfix" the old bug I was referring to, 412987.
When a serious bug like this or that is fixed, standard practice is to add a simple regression test to make sure it doesn't happen again. It sounds like that wasn't done.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
tanr wrote:
Magion, did TAC specify if 574949 was fixed in any later versions?
No, and I did not ask about it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Magion,
I had a similar problem days ago, but with an internal CA. I wanted to use computer certificates but not user certificates.
First, the user have to be administrator or at least have permissions to access the computer certificate private key. If not, the certificate will be available in FortiClient but wont work.
Second, in user->pki I used subject filterning to match part of the FQDN. I.E.: my lab environment had hydra.local as the domain, so the subject filter was ".hydra.local" (note the dot at the start, it will match computer.hydra.local but not user@hydra.local).
That being said: if your certificates have something in common -or could have-, you can use subject filtering.
Max
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- ForticlientVPN - Permission denied (-455) 240 Views
- certificate for FGFM protocol - Error... 330 Views
- Forticlient VPN client on Windows and... 300 Views
- FortAP and EAP-TLS Authentication, failing at... 174 Views
- SSL VPN Connection Error with LDAP 445 Views
Labels
-
FortiGate
8,382 -
FortiClient
1,694 -
5.2
801 -
FortiManager
709 -
5.4
639 -
FortiAnalyzer
538 -
FortiSwitch
454 -
FortiAP
450 -
6.0
416 -
FortiClient EMS
397 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
208 -
5.0
196 -
FortiWeb
195 -
IPsec
179 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
68 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
52 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
Authentication
30 -
NAT
30 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1640 | |
| 1066 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.