Hi Folks,
I have an issue with a new SSL VPN on my Fortigate 3240fgt running 5.2.10. It is set up the same as a working SSL-VPN in a different vdom on the same device.
If I log in to the SSL VPN portal using a locally configured user on the Firewall it is successful. However if I try with my AD account it is not successful. Debugging does not even show a single packet trying to reach the domain controller. But the Test function in the LDAP server section is successful (and packets can be seen when debugging).
Next oddity, when using my AD account the username is not propagated into the VPN events log, just user-N/A
But if I try a made up name (that does not have a local PKI user) the username is propagated into the VPN event log.
So it seems to me that after the Firewall confirms the PKI user exists it fails the authentication rather than forward the auth to AD.
These SSL VPNs have always been tricky, but I'm stumped by this latest issue so would appreciate any assistance.
Many Thanks
Levi
Hi emnoc and all,
Following on from emnoc's advice that "BUT if the client PKI is not correct we would not even attempt 1st or 2nd factor", I focused on the cert side of things with a different systems engineer, and found a couple of issues. The cert hadn't been correctly signed. I used the procedure on this link to sign the cert (http://cookbook.fortinet.com/ssl-vpn-with-certificate-authentication/), which I hadn't seen mentioned anywhere in the SSL VPN set up procedures. The final resolution was correcting the PKI subject details, for which I was previously using the user's email address, but it actually required the user's AD "Display name".
Thanks again to all,
regards
Levi
So your subject line looks like this cn=<username> vs cn=<username@domain> ?
hint:
If you want to check the CA cert, server cert and user cert you can use gnutls-serv and a web browser in a fashion similar to this
1: run gnutls-serv and gnutls-cli with the Server Cert+Key
( a unix/macosx )
sudo gnutls-serv -d 9 -r --http --x509keyfile=server.key --x509certfile=server.crt -p 11443 --verify-client-cert
( a unix or macosx device )
gnutls-cli --ca-verification -V --disable-sni --x509cafile=yourcaroot.crt --x509keyfile=user.key --x509certfile=user.crt --print-cert -p 11443 127.0.0.1
2: Alternatively you can import the CA root into a browser and select that cert when you hit the server, just convert the PEM certs to a pfx format and import
openssl pkcs12 -export -in user.crt -inkey user.key -out user.pfx
3: if that runs with no errors, you know the CA server and user certificate are good.
Ken
PCNSE
NSE
StrongSwan
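The two things that turned out to be wrong in Levi's setup, a user cert not signed by the CA the firewall trusts and a subject CN that did not match the PKI user's configured subject, can both be checked offline with openssl before touching the FortiGate. The script below is an added example, not code from the thread or from Fortinet: it builds a throwaway CA, a user cert whose CN is the AD display name (with the email address as a separate attribute), and a self-signed user cert, then runs the chain check and the CN comparison. The names, paths and the "Levi Example" display name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify a client certificate the way a
# FortiGate PKI user would, i.e. (1) it chains to the trusted CA and (2) its
# subject CN equals the string configured as the PKI user's subject.
# All names and values below are constructed placeholders.

# Print the subject CN of a PEM certificate (one attribute per line parsing).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8,esc_ctrl \
        | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# check_user_cert CA.crt USER.crt "Expected Subject"
# Returns 0 only if the chain verifies AND the CN matches the expected value.
check_user_cert() {
    ca="$1"; user="$2"; expected="$3"
    if ! openssl verify -CAfile "$ca" "$user" >/dev/null 2>&1; then
        echo "FAIL: $user does not chain to $ca (not signed by the trusted CA)" >&2
        return 1
    fi
    cn=$(cert_cn "$user")
    if [ "$cn" != "$expected" ]; then
        echo "FAIL: subject CN is '$cn', PKI user expects '$expected'" >&2
        return 1
    fi
    echo "OK: $user chains to the CA and CN matches '$expected'"
    return 0
}

# Create a demo CA, a CA-signed user cert whose CN is an AD display name and
# whose emailAddress attribute carries the address, and a self-signed user cert
# (the "not correctly signed" case). Prints the directory holding them.
make_demo_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Demo Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/user.key" -out "$dir/user.csr" \
        -subj "/CN=Levi Example/emailAddress=levi@example.com" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/user.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" \
        -subj "/CN=Levi Example" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone demo: `sh check_cert.sh demo` runs the three cases.
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo_certs)
    check_user_cert "$d/ca.crt" "$d/user.crt" "Levi Example"        # passes
    check_user_cert "$d/ca.crt" "$d/user.crt" "levi@example.com"    # wrong subject
    check_user_cert "$d/ca.crt" "$d/selfsigned.crt" "Levi Example"  # not CA-signed
fi
```

Run `check_user_cert` with your own CA root, the user's cert and the exact subject string you typed into the FortiGate PKI user; a mismatch in either check is a failure before any LDAP lookup happens, which matches the "user-N/A" symptom in the VPN event log.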