Support Forum
Y_Spirin
New Contributor

SSL VPN certificate AND username/password authentication

Hi!

I'm setting up SSL VPN on FortiGate as described here: http://cookbook.fortinet.com/ssl-vpn-using-ldap-integrated-certificates/. It works, but users can connect using just a certificate. To add username/password authentication I changed the VPN user group by removing the remote LDAP server and adding a remote RADIUS server. RADIUS (MS NPS) verifies the username/password with MS-CHAP-v2 against AD, so now it looks like we have certificate + username/password authentication. But here is the situation: User A can use their own username/password with User B's certificate and still get successfully authenticated, because the certificate is only checked for validity and trust (issued by the same CA). So is it possible to set up SSL VPN with certificate + username/password authentication AND strict checking that the certificate CN/UPN matches the username given by the user?


Thanks for any clues.

1 Solution
Y_Spirin
New Contributor

Hi! Here's the relevant part of the config. We're setting up the RADIUS server, the LDAP server, a peer user and finally the user group, which combines certificate authentication (checked against LDAP) with RADIUS name/password authentication.

-------------------------------------
config user radius
    edit "DCSRV.RADIUS"
        set server "10.1.1.1"
        set secret ENC ****
        set auth-type ms_chap_v2
    next
end

config user ldap
    edit "DCSRV.ldap"
        set server "10.1.1.1"
        set cnid "userPrincipalName"
        set dn "dc=company,dc=local"
        set type regular
        set username "fortigate_ldap"
        set password ENC ****
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set port 636
    next
end

config user peer
    edit "LDAP.certificate.check"
        set ca "CA_Cert_1"
        set ldap-server "DCSRV.ldap"
        set ldap-mode principal-name
    next
end

config user group
    edit "G.VPN.Admins"
        # LDAP.certificate.check is the peer user defined above
        set member "DCSRV.RADIUS" "LDAP.certificate.check"
        config match
            edit 1
                set server-name "DCSRV.RADIUS"
                # see below about SSL_VPN_Admins
                set group-name "SSL_VPN_Admins"
            next
        end
    next
end
-------------------------------------

My RADIUS server is Microsoft NPS. Check this article for NPS setup guidance: http://cookbook.fortinet.com/ssl-vpn-radius-authentication/. So what happens when a VPN user tries to authenticate? First, the FortiGate checks whether the certificate presented by the user is trusted (issued by the Root CA identified by the CA_Cert_1 certificate). Then the user's name and password are passed to NPS, which checks via its Network Policies whether these credentials belong to the specific AD group. If they do, NPS answers the FortiGate with permission and sends the group name string that is set in the policy's custom attribute. The FortiGate checks whether this group name equals the string in the "set group-name" config. If it matches, the FortiGate successfully authenticates the user.


Feel free to ask questions about this config. I'll be glad to help.


Regards,

Yuri

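A lab model of the binding the question asks for and the accepted config is meant to provide, added here as an illustration; it is not FortiOS code and not part of this thread. It builds a throwaway Ed25519 CA standing in for CA_Cert_1, issues client certificates that carry the user's UPN in the SAN the way an AD CS user template does, and then runs the two certificate checks (issued by the trusted CA; UPN equals the account that is logging in) followed by the RADIUS group-name match. The RADIUS/NPS outcome is passed in as plain values rather than spoken over the wire, users are assumed to log in with their UPN (matching `set cnid "userPrincipalName"`), all names and certificates are constructed for the demo, and the `cryptography` package is required.

```python
"""Lab model of the certificate/username binding asked for in this thread.

Added example, not FortiOS code: it imitates the checks the accepted answer's
peer user "LDAP.certificate.check" stands for (client cert issued by CA_Cert_1
and its UPN naming the account that logs in) plus the RADIUS group-name match,
so user A logging in with user B's certificate is refused. Assumes the
'cryptography' package and that users log in with their UPN; all names and
certificates here are constructed for the demo.
"""
import datetime
from typing import Optional, Tuple

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.x509.oid import NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName
REQUIRED_GROUP = "SSL_VPN_Admins"  # 'set group-name' in the accepted answer


def der_utf8string(s: str) -> bytes:
    """DER-encode a UTF8String (tag 0x0C, short-form length; demo only, < 128 bytes)."""
    b = s.encode("utf-8")
    assert len(b) < 128, "short-form length only"
    return b"\x0c" + bytes([len(b)]) + b

def der_utf8string_decode(b: bytes) -> str:
    assert len(b) >= 2 and b[0] == 0x0C and b[1] == len(b) - 2, "not a short DER UTF8String"
    return b[2:].decode("utf-8")

def _builder(subject, issuer, pubkey):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365)))

def make_ca(name: str):
    """Self-signed Ed25519 CA standing in for CA_Cert_1 (demo CA, not a real PKI)."""
    key = ed25519.Ed25519PrivateKey.generate()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (_builder(subject, subject, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, None))  # Ed25519: the hash algorithm argument must be None
    return key, cert

def issue_user_cert(ca_key, ca_cert, upn: str) -> x509.Certificate:
    """Client certificate carrying the UPN in the SAN, as an AD CS user template does."""
    key = ed25519.Ed25519PrivateKey.generate()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn.split("@")[0])])
    san = x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8string(upn))])
    return (_builder(subject, ca_cert.subject, key.public_key())
            .add_extension(san, critical=False).sign(ca_key, None))

def cert_upn(cert: x509.Certificate) -> Optional[str]:
    """Return the UPN from the SAN otherName, or None if the certificate has none."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            return der_utf8string_decode(other.value)
    return None

def cert_trusted(cert: x509.Certificate, ca_cert: x509.Certificate) -> bool:
    """'set ca CA_Cert_1': issued by that CA (issuer name AND signature) and in validity."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
    except InvalidSignature:
        return False
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return cert.not_valid_before <= now <= cert.not_valid_after

def vpn_decision(cert, ca_cert, login_user: str, radius_accept: bool,
                 radius_group: Optional[str]) -> Tuple[bool, str]:
    """Certificate checks first, then the RADIUS/NPS outcome the caller obtained."""
    if not cert_trusted(cert, ca_cert):
        return False, "certificate not issued by the trusted CA"
    upn = cert_upn(cert)
    if upn is None:
        return False, "certificate carries no UPN"
    # This is the check the question is missing: trust alone lets user A present
    # user B's certificate. The account the certificate names must be the one logging in.
    if upn.lower() != login_user.lower():
        return False, f"certificate UPN {upn} does not match login {login_user}"
    if not radius_accept or radius_group != REQUIRED_GROUP:
        return False, "RADIUS rejected the password or returned the wrong group"
    return True, "authenticated"

if __name__ == "__main__":
    ca_key, ca_cert = make_ca("Company Root CA")
    alice = issue_user_cert(ca_key, ca_cert, "alice@company.local")
    bob = issue_user_cert(ca_key, ca_cert, "bob@company.local")
    print(vpn_decision(alice, ca_cert, "alice@company.local", True, REQUIRED_GROUP))
    print(vpn_decision(bob, ca_cert, "alice@company.local", True, REQUIRED_GROUP))
```

Running it prints an accept for alice with her own certificate and a refusal for alice with bob's certificate, which is exactly the case the question describes. Two details are worth keeping in mind when reading this against the real config: `cert_trusted` checks the signature and not only the issuer name, because a certificate can claim any issuer; and the UPN comparison is what the peer user's `set ldap-mode principal-name` is there for, so the RADIUS step adds the password factor but does not by itself tie the certificate to the account.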

4 Replies
yesh
New Contributor

Hi,

How did you achieve this?

I have a very similar setup, but it connects with the client certificate when no username/password is given. I have added RADIUS as the remote auth server, but it still does not go to user authentication at all.


Thanks

Yesh


yesh
New Contributor

Thanks for sharing the details. 

sotir1984
New Contributor

Hi,


Have you achieved the same but using device certificates rather than user certificates?


Kind regards,


Sotir

-1984-