- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Dialup VPN to FortiGate with Certificate Authentic...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dialup VPN to FortiGate with Certificate Authentication AND Two-Factor FortiToken?
Hi All,
I finally have to add support for dialup VPN to our two locations, which already have a stable IPsec VPN connection with static IPs. Although initially I'll only need a single dialup user, by next year I'll have multiple users with different access rights. I'm looking for some pointers on how to proceed before I go too far down the wrong path.
Current equipment versions:
FortiGates 5.4.6
FortiAuthenticator 5.1.2
FortiClient 5.4.4 or 5.6.2 VPN client only (or other VPN client)
I would like to set up the dialup VPN to use certificate authentication for the connection, then require a username, password, and two-factor (FortiToken) authentication. Though I'd prefer to do IPsec VPN, this could be SSL VPN if needed. I can use FortiClient as the VPN client if needed, though I'm open to other possible clients (especially if they support IKEv2).
The user auth with passwords and FortiTokens can be done as part of a RADIUS group handled by the FAC, or (since we're small) by the FortiGate itself.
My questions and concerns are because I have not been able to find any full example of how to do this, though separate pieces are mentioned in many different places. Some of what I've researched is below.
So, any suggestions? Anybody have something similar set up?
Comments after cookbook article below imply this might be possible, but a solution wasn't found.
http://cookbook.fortinet.com/ssl-vpn-with-certificate-authentication/
Documentation example has the PKI being the only authentication used. http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Certificates.htm#Co... Discussion implies this is possible with LDAP RADIUS, but I'm unsure how to translate this to FAC. https://forum.fortinet.com/tm.aspx?m=151607
SSL VPN example uses RADIUS but without certificate. http://cookbook.fortinet.com/ssl-vpn-radius-authentication/ https://travelingpacket.com/2016/01/26/fortigate-radius-group-authentication/
Thanks!
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would do it in micro-steps
1: enable certificae 1st and work thru any issues
2: than enable the MFA part which cookbooks exist for both
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Small steps is the plan.
I was hoping, though, that someone could say that they've successfully made these steps and gotten the combined VPN w/ certs + MFA to work first! Especially since the comments from the first link above says that even working with a Fortinet Partner they weren't able to get it working.
If anybody can recommend using the VPN client from FortiClient 5.6.2 or 5.4.4 (on Windows 10) that would also be helpful.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would go with the latest , as far as doing it. Numerous others have setup certifcate with SSLVPN and forticlient.
Fortitoken activate is trivial and should not need that much explanations.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wasted a bit of time seeing how this might work with Fortigate 5.4.6 IPsec VPN and FortiClient 5.6.2. Got past phase1 with certificates checked both directions, got matching phase2 proposals accepted, but FortiClient just wouldn't accept IPs from the FortiGate. Not with DHCP over IPsec (with dhcp-ipsec enabled in p2), nor with Mode Config. Couldn't even get it to work specifying the IPs myself in FortiClient. Only way I could make it work was to set the IP statically in FortiClients nic adaptor, which isn't a usable option. Oh, and for some reason IPsec FortiClient adds its route with a larger distance than the default, so the new route can never get hit anyway. Maybe I should just try a different IPsec client.
Tried it with SSL VPN (non-standard port) and it worked immediately. Route was added properly with a smaller distance. Got it up and working with server and client certs, initially requiring a password on the PKI for the client cert, then changed it to still require an approved client cert for connection but to only allow users from a group of two-factor (FortiToken) users. All well and good.
One question, though, regarding Fortinet's SSL VPN implementation. We have two separate wan interfaces for two ISPs, each with multiple static IPs, that are members of a wan zone. Though I only want to allow SSL VPN users to connect to one of the secondary IPs of one ISP, it appears that I can't specify something that granular. Using the GUI, I can only specify listening on the wan zone. I don't see an easy way of limiting this in the ssl settings from the CLI. I did check that this actually allows me to use one of the other IPs to login -- not good.
I've restricted this for now with local-in-policy, blocking the non-standard SSL port for all but my desired IP.
My question: Is there a better way to do this in 5.4.x or 5.6.x?
The only other solution I've seen mentioned was to use a VIP, but I'm not sure how that would work. Maybe have FortiGate's SSL listen on a dummy internal interface that the VIP maps to from a public IP?
Thanks for your thoughts on this, and happy Friday.
Related Posts
- Multiples SSIDs with Radius FortiAuthenticator +... 145 Views
- SSLVPN client certs and radius 141 Views
- User Getting The server you want... 185 Views
- 802.1x authentication for wifi users 220 Views
- Email Based 2 factor Authentication for... 156 Views
Labels
-
FortiGate
6,489 -
FortiClient
1,294 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.