FortiAuthenticator SSL Certificate and VPN Machine
Hi everyone!
I need your help. I'm a bit confused about how to correctly configure FortiAuthenticator to validate SSL VPN connections with machine (computer) SSL certificates.
I tried a lot of options but nothing works, so I'm sure someone can help me :)
The workflow is this one:
- Computer is AD-joined with a valid CA certificate, for example: pc1.mydomain.local
- FortiAuth is correctly configured and I can sync my computer.
- I configured RADIUS with "Windows AD computer authentication"
Now, what are the correct options to tell FortiGate to use the computer certificate to validate the connection (if it's possible)?
Thanks
Labels: FortiAuthenticator v5.5
I'm sure it's possible to "login" with a computer certificate to FortiGate SSL VPN, but how can I do that with FortiAuthenticator?
I can't find any documentation about how to configure the devices to do that.
I followed this config: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/3965/computer-authentication-us...
But should I use it for SSL VPN?
When authenticating to SSL-VPN with a certificate, the certificate validation is always done by the FortiGate itself. It is never delegated to any other device (not even the FortiAuthenticator).
EAP-TLS (wifi WPA-Enterprise, switch dot1x, or IKEv2-EAP) would be a very specific exception, but it is not relevant here, since SSL-VPN does not support EAP.
So you should be able to make this work with "the usual" setup. The basic barebones configuration would consist of:
1. Import the CA chain which issues the machine certificates in your domain (presumably the Enterprise PKI root CA cert): System > Certificates > Import > CA
2. Create a "peer user" to match this CA:
config user peer
    edit "my_domain_peers"
        set ca "<the CA you imported in step 1>"
        # set subject "some specific subject"   # these two lines are optional, to further restrict which certificates can match this peer object
        # set cn "some specific CN"
    next
end
3. Place the peer in a user group:
config user group
    edit "my_certificate_group"
        set member "my_domain_peers"
    next
end
4. You can now use this "user group" in your VPN portal mappings and firewall policies for SSL-VPN.
The result should be that clients authenticating purely with the matching certificate will be allowed to connect.
As a side-note: Be aware that regular users by default do not have access to the key of a machine certificate, which will prevent them from using it to authenticate to SSL-VPN.
You can work around this by giving regular users the permission to read the machine cert's private key in the OS itself, or you can use FortiClient's XML option `<allow_standard_user_use_system_cert>` (doc reference).
Addendum: While the above is my "retelling of the story", there is also an official document on how to set up the same baseline configuration, available here. (My only comment on that would be that the lines `set two-factor enable` and `set password ...` are optional.)
Hello,
Ok, it's what I have done on my FortiGate. Just one question: can I use two different server certificates?
What I wanted is to use a "public" certificate for my users (without client certificate) and a domain certificate for my computers (with client certificate).
Hi,
The FortiGate itself can only use one certificate to identify itself as the VPN server. This is the "Server Certificate" selected in the general "SSL-VPN Settings" section.
The connecting clients can use certificates issued by different CAs with no issue. You simply need to re-do the same steps (import the second CA, create peer-object for it, add it to a new group or to the same group) for each new CA/peer.
If you're planning to let some users connect without a certificate (this is how I understood your reply), be aware that if using the browser to connect to the web-mode SSL-VPN, you may be prompted by the browser to select a certificate for authentication. If you are planning to authenticate as the user permitted to log in without a certificate, you should be able to simply ignore this prompt and then proceed to successfully authenticate with just username+password.
Ok, so according to the documentation and your reply, I must set the option
set reqclientcert enable
This information is missing in the Fortinet doc... And in authentication-rule, should I set
config authentication-rule
    edit 2
        set groups "TEST"
        set portal "WEB"
        set client-cert enable
    next
end
With these options my FortiClient prompts a warning message and tells me that the server requires a certificate (and my certificate is selected).... I don't understand where the error is.
Thanks
This is not necessarily correct. Let me clarify:
`set reqclientcert enable`: This enforces a requirement for all clients (no exceptions!) to present a trusted certificate when connecting to SSL-VPN. You do not need to enable this.
`set client-cert enable`: This is similar as the option above, but the requirement is narrowed down to the group specified in the portal mapping rule. If a user is matched to this group during authentication, and if they did not provide a valid certificate, they will be rejected.
This can be further improved by specifying `set user-peer <peer-object>` to declare that "this group must provide a certificate that matches this specific peer".
If you specify the setup as I have outlined - using the group with a peer-member in the portal mapping directly (`set groups "my_certificate_group"`, referring back to the example object I described in my first reply) - then in this case you do not need to enable any option to require a certificate (reqclientcert, or client-cert). The mechanism is triggered automatically, and incoming connections will be asked for a certificate.
You can have a mixture of "certificate only", "certificate + username+password", and "username+password-only" working at the same time, the only trick is setting the configuration correctly to align with the desired flow.
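The three flows described in this reply (certificate only, certificate plus username+password, and username+password only), together with the peer object and group from the earlier reply, combined into one FortiOS configuration. This is an added example, not configuration posted in the thread; the names "my_domain_peers" and "my_certificate_group" come from the thread, while "Enterprise-Root-CA", "ad_staff", "ad_contractors", "full-access", "web-access" and the server certificate name are assumed placeholders for objects that already exist on the FortiGate.

```fortios
# Added example (not from the thread). Assumed objects: "Enterprise-Root-CA" is the
# imported domain CA, "ad_staff" and "ad_contractors" are existing LDAP/AD user groups,
# "full-access" and "web-access" are existing SSL-VPN portals, "vpn.example.com" is
# the server certificate name.

# 1. Peer object: trust only certificates issued by the domain CA. The optional
#    subject match limits which certificates from that CA can satisfy this peer.
config user peer
    edit "my_domain_peers"
        set ca "Enterprise-Root-CA"
        # set subject "OU=Domain Computers"   # optional extra restriction
    next
end

# 2. Group whose membership means "presented a certificate matching the peer".
config user group
    edit "my_certificate_group"
        set member "my_domain_peers"
    next
end

# 3. SSL-VPN settings. reqclientcert stays disabled so password-only users are not
#    locked out; the per-rule options below do the enforcing where it is wanted.
config vpn ssl settings
    set servercert "vpn.example.com"
    set reqclientcert disable
    config authentication-rule
        # a) certificate only: the peer group itself is the mapping target, so the
        #    FortiGate asks for a certificate automatically (no client-cert needed)
        edit 1
            set groups "my_certificate_group"
            set portal "full-access"
        next
        # b) certificate AND username+password: an AD group, but a user matched here
        #    is rejected unless they also present a certificate matching the peer
        edit 2
            set groups "ad_staff"
            set portal "full-access"
            set client-cert enable
            set user-peer "my_domain_peers"
        next
        # c) username+password only: a different AD group with no certificate rule
        edit 3
            set groups "ad_contractors"
            set portal "web-access"
        next
    end
end
```

Rules b) and c) deliberately use different AD groups: if the same group appeared in both, a user without a certificate would be matched by the earlier rule and rejected before reaching the password-only one, which is the symptom described later in this thread.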
Ok, thanks! I understand. The last problem I have is with my certificate. My FortiClient prompts a warning message and tells me that the server requires a certificate (and my certificate is correct).
Do you expect to be prompted for a certificate in that case?
If not, you may have misconfigured the groups/mappings in SSL-VPN settings.
If yes, then perhaps the certificate verification is failing. You could try running fnbamd debug to find out what the result of the validation is:
diag debug reset
diag debug console timestamp enable
diag debug app fnbamd -1
diag debug enable
→ try to connect now
diag debug disable
The fnbamd process may be doing other checks in the meantime, so if it starts showing more output, don't be scared. :)
There is also a chance that you might not have access to the private key, if this is a machine certificate, as you suggested in your initial post. Make sure you do have this sorted out. (KB on how to do this in Windows natively)
