FortiAuthenticator SSL Certificate and VPN Machine
Hi everyone!
I need your help. I'm a bit confused about how to correctly configure FortiAuthenticator to validate SSL VPN connections with machine (computer) SSL certificates.
I tried a lot of options but nothing works, so I'm sure someone can help me :)
The workflow is this one:
- Computer is AD joined with a valid CA certificate, for example: pc1.mydomain.local
- FortiAuth is correctly configured and I can sync my computer.
- I configured RADIUS with "Windows AD computer authentication"
Now, what are the correct options to tell FortiGate to use the computer certificate to validate the connection (if it's possible)?
Thanks
Labels: FortiAuthenticator v5.5
Do you expect to be prompted for a certificate in that case?
If not, you may have misconfigured the groups/mappings in SSL-VPN settings.
If yes, then perhaps the certificate verification is failing. You could try running fnbamd debug to find out what the result of the validation is:
diag debug reset
diag debug console timestamp enable
diag debug app fnbamd -1
diag debug enable
→ try to connect now
diag debug disable
The fnbamd process may be doing other checks in the meantime, so if it starts showing more output, don't be scared. :)
There is also a chance that you might not have access to the private key, if this is a machine certificate, as you suggested in your initial post. Make sure you do have this sorted out. (KB on how to do this in Windows natively)
The KB solved my problem many thanks :)
Maybe debug logs could help :)
[183:root:0]total sslvpn policy count: 2
[183:root:154]allocSSLConn:303 sconn 0x7f870ec5b700 (0:root)
[183:root:154]SSL state:before SSL initialization (1.2.3.1)
[183:root:154]SSL state:before SSL initialization:DH lib(1.2.3.1)
[183:root:154]SSL_accept failed, 5:(null)
[183:root:154]Destroy sconn 0x7f870ec5b700, connSize=0. (root)
[183:root:155]allocSSLConn:303 sconn 0x7f870ec5b700 (0:root)
[183:root:155]SSL state:before SSL initialization (1.2.3.1)
[183:root:155]SSL state:before SSL initialization (1.2.3.1)
[183:root:155]got SNI server name: myvpn realm (null)
[183:root:0]sslvpn_test_auth_cert_rule:135 vd_src_intf_matched: 1, match_realm: 0, vhost-only: 0.
[183:root:155]client cert requirement: yes
[183:root:155]SSL state:SSLv3/TLS read client hello (1.2.3.1)
[183:root:155]SSL state:SSLv3/TLS write server hello (1.2.3.1)
[183:root:155]SSL state:SSLv3/TLS write certificate (1.2.3.1)
[183:root:155]SSL state:SSLv3/TLS write key exchange (1.2.3.1)
[183:root:155]SSL state:SSLv3/TLS write certificate request (1.2.3.1)
[183:root:155]SSL state:SSLv3/TLS write server done (1.2.3.1)
[183:root:155]SSL state:SSLv3/TLS write server done:system lib(1.2.3.1)
[183:root:155]SSL state:SSLv3/TLS write server done:DH lib(1.2.3.1)
[183:root:155]SSL_accept failed, 5:(null)
[183:root:155]Destroy sconn 0x7f870ec5b700, connSize=0. (root)
[183:root:156]allocSSLConn:303 sconn 0x7f870ec5b700 (0:root)
[183:root:156]SSL state:before SSL initialization (1.2.3.1)
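An added example, not from this thread or from Fortinet: a small Python script that groups sslvpn debug lines like the ones above by connection id (the third bracketed field) and flags the pattern visible in connection 155, where the FortiGate sends a certificate request and the handshake dies before any client certificate is read. The classification labels are a heuristic assumption, and the sample lines are constructed from the output posted above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the sslvpn debug lines posted in this thread.
SAMPLE_LOG = """\
[183:root:154]allocSSLConn:303 sconn 0x7f870ec5b700 (0:root)
[183:root:154]SSL state:before SSL initialization (1.2.3.1)
[183:root:154]SSL state:before SSL initialization:DH lib(1.2.3.1)
[183:root:154]SSL_accept failed, 5:(null)
[183:root:155]allocSSLConn:303 sconn 0x7f870ec5b700 (0:root)
[183:root:155]got SNI server name: myvpn realm (null)
[183:root:155]client cert requirement: yes
[183:root:155]SSL state:SSLv3/TLS read client hello (1.2.3.1)
[183:root:155]SSL state:SSLv3/TLS write certificate request (1.2.3.1)
[183:root:155]SSL state:SSLv3/TLS write server done (1.2.3.1)
[183:root:155]SSL state:SSLv3/TLS write server done:DH lib(1.2.3.1)
[183:root:155]SSL_accept failed, 5:(null)
"""

# [<pid>:<vdom>:<connection id>]<message>
LINE_RE = re.compile(r"^\[(\d+):(\w+):(\d+)\](.*)$")


def parse(log):
    """Group message bodies by connection id."""
    conns = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns[int(m.group(3))].append(m.group(4))
    return conns


def diagnose(messages):
    """Heuristic (assumed) classification of one connection's handshake."""
    text = "\n".join(messages)
    if "SSL_accept failed" not in text:
        return "ok"
    if "read client hello" not in text:
        # Died before a ClientHello was processed: not a client-cert problem.
        return "failed-before-client-hello"
    if "write certificate request" in text and "read client certificate" not in text:
        # Server asked for a client cert, client never delivered one:
        # check that the client can use the certificate's private key.
        return "no-client-cert-after-request"
    return "failed-other"


def diagnose_log(log):
    """Return {connection id: diagnosis} for every connection in the log."""
    return {cid: diagnose(msgs) for cid, msgs in parse(log).items()}
```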
My log is full of
Action ssl-exit-error
Reason DH lib