Hi,
I have a working SSLVPN solution where I use client validation to check for a computer certificate from our internal PKI on the client. Domain computers get a certificate using autoenrollment policies and the root certificate is stored on the Fortigate. By enabling users to select the computer certificate in FortiClient during login, they can select the right certificate, which can be validated by Fortigate. So far so good...
The problem is, any certificate/key pair on the client, with a matching root on the Fortigate passes certificate validation. Since we use Lets Encrypt certificates, I uploaded the root of LE onto the Fortigate. If I install any valid LE certificate on the client, this certificate is also accepted.
Fortigate accepts any valid certificate for which it has a root certificate installed.
Is there a way to limit validation to specific root certificate(s)? Or perhaps check on specific certificate details?
Using only Fortigate, no other Fortinet products.
User authentication is done entirely on a remote Radius server, so no local/ldap/radius users defined.
FortiOS 6.0.5, FortiClient 6.0.8
Thx,
Michel
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Just got word from support again. The gave me this link: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47120.
Although I find the example config a bit confusing, it seems like what I want to accomplish might be possible... but only from FortiOS 6.2.2+. We are still on 6.0.5.
Here's what I'm talking about in auth-rule
config vpn ssl settings set reqclientcert enable set ssl-min-proto-ver tls1-1 set servercert "Fortinet_Factory" set tunnel-ip-pools "SSLVPN_POOL_1" set port 8443 config authentication-rule edit 1 set source-interface "wan1" set source-address "all" set users "user1" set portal "full-access" set client-cert enable set user-peer "socpuppets" next end end
The set user-peer is your CA with or without the subject
PCNSE
NSE
StrongSwan
Hey, I just wanted to say I test it by only using the CA and no cn or subject string so it worked What I did was use the web-acecs and firefox and called up a inferior certificate that did NOT match the "config user peer"
So if you are issuing certificates from a privateCA, just 1> import the ca into the firewall 2> sign all users with that CA >3 and set a "config user peer" and finally use that peer in the auth-rule.
It should work and lock down the sslvpn. If the client presents no certificate or a certficate that is not signed by the CA you defined , the ssl will reject that connect. You will see this on a "diag debug application sslvpnd -1"
e.g
[23346:root:3b]rmt_web_auth_info_parser_common:470 no session id in auth info [23346:root:3b]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103, [23346:root:3b]User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0 [23346:root:3b]rmt_logincheck_cb_handler:1189 user 'user1' has a matched local entry. [23346:root:3b]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy. [23346:root:3b]sslvpn_auth_check_usrgroup:2145 got user (1) group (0:0). [23346:root:3b]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (1), realm (). [23346:root:3b]sslvpn_validate_user_group_list:1690 checking rule 1 cipher. [23346:root:3b]sslvpn_validate_user_group_list:1698 checking rule 1 realm. [23346:root:3b]sslvpn_validate_user_group_list:1709 checking rule 1 source intf. [23346:root:3b]sslvpn_validate_user_group_list:1730 checking rule 1 source address. [23346:root:3b]sslvpn_validate_user_group_list:1845 rule 1 done, got user (1:1) group (0:0) peer group (0). [23346:root:3b]sslvpn_validate_user_group_list:1963 got user (1:1), group (0:0) peer group (0). [23346:root:3b]fam_cert_send_req:808 do certificate peer check first(2). [23346:root:3b]doing certificate checking for 1 peer(s). [23346:root:3b]sslvpn_update_user_group_list:1579 Remove user(s) which has set user-peer (1). [23346:root:3b]sslvpn_update_user_group_list:1595 got user (0:0), group (0:0), peer group (0) after update. [23346:root:3b]__auth_cert_cb:939 no valid user/group candidate found.
PCNSE
NSE
StrongSwan
Magion,
I did something like this in my lab. All the users are Active Directory users:
config user peer edit "peer1" set ca "home_lab" set subject ".hydra.local" next end
In plain english, this is "certificate must belong to the home_lab CA and it's subject must have .hydra.local". The latter is the FQDN matching trick I told you.
Next I created a realm "portal1" and did this:
config user ldap edit "DC" set server "dc.home.lab" set cnid "userPrincipalName" set dn "dc=home,dc=lab" set type regular set username "HOME\\fortigateLDAP" set password [removed] next end
config user group edit "vpn" set member "DC" config match edit 1 set server-name "DC" set group-name "CN=VPN,OU=User Accounts,DC=home,DC=lab" next end next end
config vpn ssl settings config authentication-rule edit 1 set groups "vpn" set portal "full-access" set realm "portal1" set client-cert enable set user-peer "peer1" next end end
The test were:
[ul]Hope this helps
Max
emnoc wrote:
OP can you post your config and th "config user peer" ?
No, because I don't have any users defined on the firewall. No regular, no peer. So I can't show you anything
Just as Kojot, I only have "require user certificate" set.
mkolus wrote:
First, the user have to be administrator or at least have permissions to access the computer certificate private key. If not, the certificate will be available in FortiClient but wont work.
This is what I found: https://kb.fortinet.com/k....do?externalID=FD47826
I did not change anything for #1. ACL is set to only system and administrators to access the private key. I have allow_standard_user_use_system_cert set in the client config according to #3.
Then at #2 it says that if the certificate is visible in the selection box (which it is), all should be well...
mkolus wrote:
in user->pki I used subject filterning to match part of the FQDN. I.E.: my lab environment had hydra.local as the domain, so the subject filter was ".hydra.local" (note the dot at the start, it will match computer.hydra.local but not user@hydra.local).That being said: if your certificates have something in common -or could have-, you can use subject filtering.
Thanks for the info. Yes, I could use subject filtering, since computer certificates are all named computer.domain.com. Can you just enter .domain.com as subject or do I need to add a wildcard?
But I think my main problem here is that I don't have any users defined on the firewall itself. So I don't know how to link a (global?) peer user to the vpn users.
It's been a long time since I I've done vpn client but don't you have a authentication rule? You need one to set the peer-group
e.g
config user peer
edit mygrupo1
set ca CA_1
set subject "ou=socpuppets,ou=socpuppets_vpn"
end
and down in the sslvpn cfg
config authentication rule
edit 1
set user-peer mygrupo1
end
Ken Felix
PCNSE
NSE
StrongSwan
Authentication is done completely externally on our radius server, handling user/pass and 2fa. Radius returns whether authentication is successful.
config user radius edit "radius server" set server "radius.domain.com" next end config user group edit "VPN Users" set member "radius server" next end config firewall policy edit 1 [...] set groups "VPN Users" next end
We understand that part, in your ssl vpn cfg on the fortigate do you have authentication rules ? and can you define a peer-group that you want to verify the vpn-clients with?
If you defined a peer-group and set the "ca+subject string" like I demo b4, that would allow access for clients holding certs from the CA and with a string that you match on. I never used OU but I believe it should work. I can test later today on some other ipsec-vpn if I have the time.
Ken Felix
PCNSE
NSE
StrongSwan
No separate authentication rule, just "set default-portal "VPN Users"".
I know I'm definitely missing some config to enable the client cert check :)
Ok. But if I create a authentication rule, and add a peergrp to it, I still need to create all user accounts on the firewall and add these to the peergrp? Or is it possible to create peer user for all?
Edit: what can I do with a peergrp? I cannot use it anywhere it seems? Not in firewall groups, not in authentication rules in sslvpn settings.
No , just create the peer group that checks the validation of the certificate and not the "user-auth". Just set some type of constraint. Since you mention any valid certificate, set it for your ca that issues the client certificates and test. You might want to run debug application sslvpn -1 to verify if you see issues or collect the fc logs.
Ken Felix
PCNSE
NSE
StrongSwan
TBH I'm having trouble finding the configuration options I need to configure as to what you tell me to do.
Is it maybe because we are still on a 6.0 firmware? Some of the commands that are used in the article I posted earlier are not yet available on this built.
Here's what I'm talking about in auth-rule
config vpn ssl settings set reqclientcert enable set ssl-min-proto-ver tls1-1 set servercert "Fortinet_Factory" set tunnel-ip-pools "SSLVPN_POOL_1" set port 8443 config authentication-rule edit 1 set source-interface "wan1" set source-address "all" set users "user1" set portal "full-access" set client-cert enable set user-peer "socpuppets" next end end
The set user-peer is your CA with or without the subject
PCNSE
NSE
StrongSwan
Hey, I just wanted to say I test it by only using the CA and no cn or subject string so it worked What I did was use the web-acecs and firefox and called up a inferior certificate that did NOT match the "config user peer"
So if you are issuing certificates from a privateCA, just 1> import the ca into the firewall 2> sign all users with that CA >3 and set a "config user peer" and finally use that peer in the auth-rule.
It should work and lock down the sslvpn. If the client presents no certificate or a certficate that is not signed by the CA you defined , the ssl will reject that connect. You will see this on a "diag debug application sslvpnd -1"
e.g
[23346:root:3b]rmt_web_auth_info_parser_common:470 no session id in auth info [23346:root:3b]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103, [23346:root:3b]User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0 [23346:root:3b]rmt_logincheck_cb_handler:1189 user 'user1' has a matched local entry. [23346:root:3b]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy. [23346:root:3b]sslvpn_auth_check_usrgroup:2145 got user (1) group (0:0). [23346:root:3b]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (1), realm (). [23346:root:3b]sslvpn_validate_user_group_list:1690 checking rule 1 cipher. [23346:root:3b]sslvpn_validate_user_group_list:1698 checking rule 1 realm. [23346:root:3b]sslvpn_validate_user_group_list:1709 checking rule 1 source intf. [23346:root:3b]sslvpn_validate_user_group_list:1730 checking rule 1 source address. [23346:root:3b]sslvpn_validate_user_group_list:1845 rule 1 done, got user (1:1) group (0:0) peer group (0). [23346:root:3b]sslvpn_validate_user_group_list:1963 got user (1:1), group (0:0) peer group (0). [23346:root:3b]fam_cert_send_req:808 do certificate peer check first(2). [23346:root:3b]doing certificate checking for 1 peer(s). [23346:root:3b]sslvpn_update_user_group_list:1579 Remove user(s) which has set user-peer (1). [23346:root:3b]sslvpn_update_user_group_list:1595 got user (0:0), group (0:0), peer group (0) after update. [23346:root:3b]__auth_cert_cb:939 no valid user/group candidate found.
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.