Hi
I'm chewing on this for two days now and I'm not sure whether this is even doable with FortiOS 6.0.x.
Goal is to have the Windows native IKEv2 VPN client to authenticate using a user certificate signed by a private PKI.
For the client device itself, with a computer certificate, this is already working. So certificate chain stuff, etc. is sorted.
The issue seems to be, that I can't use peertype peergrp for the user-based authentication because Windows seems to be stupid. In the Windows client, you can choose between "EAP" and "Use Computer Certificate" for authentication. With the latter, everything works, even with peertype peergrp because Windows is sending the CN of the computer certificate as local identifier and I can use that in the peer-grp on the Fortigate to identify the client. With EAP however, which I have to use if I want the USER to authenticate and not the device, Windows always sends "IPV4_ADDR = <local_adapter_ip>" as local identifier, no matter what. So for user auth, I have to use "peertype any" and "set eap enable" and "set eap-identity send-request". This doesn't even seem to work with user/password based authentication, if the user is a remote (LDAP) user. With a local user, I managed to get this working.
So I tried to add "set authusrgrp <grpname_with_peers_with_certificates>" to the EAP based phase1 config but then the fnbamd daemon fails to authenticate the request like this:
[2280] handle_req-Rcvd auth req 787562041 for in grp_Win_UserTunnel opt=00000000 prot=8 [422] __compose_group_list_from_req-Group 'grp_Win_UserTunnel', type 1 [615] fnbamd_pop3_start- [341] radius_start-Didn't find radius servers (0) [718] auth_tac_plus_start-Didn't find tac_plus servers (0) [574] create_auth_session-Error starting authentication [2300] handle_req-Error starting session [181] fnbamd_comm_send_result-Sending result 5 (error 0, nid 0) for req 787562041 [2644] handle_req-Rcvd abort req for 787562041 [2667] handle_req-Can't abort, no active req 787562041
So this works:
config vpn ipsec phase1-interface edit "win-ike2-3G" set type dynamic set interface "internal6" set ike-version 2 set authmethod signature set peertype peergrp set mode-cfg enable set proposal aes128-sha1 aes256-sha256 set dpd on-idle set dhgrp 2 set certificate "myCert" set peergrp "winikev2_grp" set ipv4-start-ip 10.20.26.101 set ipv4-end-ip 10.20.26.200 set dns-mode auto set dpd-retryinterval 60 next
But this doesn't:
edit "win-user-3G" set type dynamic set interface "internal6" set ike-version 2 set authmethod signature set peertype any set mode-cfg enable set proposal aes128-sha1 aes256-sha256 set dpd on-idle set dhgrp 2 set eap enable set eap-identity send-request set authusrgrp "grp_Win_UserTunnel" set certificate "myCert" set ipv4-start-ip 10.20.26.1 set ipv4-end-ip 10.20.26.100 set dns-mode auto set dpd-retryinterval 60 next
TLDR;
So, is there a way to have "peertype any" but still authenticate a remote user by EAP with a certificate against a peergrp which contains peer objects with certificates? Also: is there a limitation to local users for EAP authentication with FortiOS 6.0? LDAP users don't seem to work, they fail with the same message:
[2280] handle_req-Rcvd auth req 787562041 for in grp_Win_UserTunnel opt=00000000 prot=8 [422] __compose_group_list_from_req-Group 'grp_Win_UserTunnel', type 1 [615] fnbamd_pop3_start- [341] radius_start-Didn't find radius servers (0) [718] auth_tac_plus_start-Didn't find tac_plus servers (0) [574] create_auth_session-Error starting authentication [2300] handle_req-Error starting session [181] fnbamd_comm_send_result-Sending result 5 (error 0, nid 0) for req 787562041 [2644] handle_req-Rcvd abort req for 787562041 [2667] handle_req-Can't abort, no active req 787562041
Thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
thank
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.