We have our enterprise Certification Authority. Offline Root CA then subordinate online CA running on Windows (ADCS - Active Directory Certificate Services) in our domain.
Our users are getting certificates from slighly modified "User" template (has Application Policies: Client Authentication) by auto enrollment, and have option for manual enroll (again slightly modified "User" template) with longer expiration.
On our FortiGate we have installed that Root CA plus subordinate CAs (we have two now - older SHA-1 then newer giving SHA 256 certificates). Then IPsec and SSL dialup VPNs - for both are required client certificate from our CA and user/password.
FortiClient 5.4.5 works fine, both IPsec VPN and SSL VPN.
FortiClient 5.6.6 have some troubles, such as forgetting password, choosen certificate, need to switch to IPsec VPN from SSL VPN and back to be able to select certificate and such, but somehow is able to work.
FortiClient 6.0.4 have problems especially with IPsec VPN. - details: IPsec VPN - first connect OK - on second connect I am able to choose options such as password save (as FortiClient now knows that it is allowed), I am checking Save Password and Always Up - then on next connects I am not able to select any client certificate (none is offered in connect dialog; in configuration there is, I can select and save, but then in connection none is chosen)
SSL VPN - it somehow works - but after each connect I need to choose certificate again, or even to able to choose certificate I need to switch to IPsec and then back to SSL VPN (or go to config, click save, and then it works again for one connection)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I would like to add that checking Save Password and Always Up seems to be the trigger (probably "Save Password" is the culprit). Without checking it and at all times writing username and password, then I am able to select client certificate and connect to our FG using IPsec VPN.
I would like to add that finally problem seems in using non-ascii characters in subject in certificates. Status of relevant support issue is now "Pend Bug Fix".
Fixed in 6.2.0.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1679 | |
1085 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.