Hi,
I've spent two days trying to figure out how to get SSL-VPN working with client-side certificates, but I keep running into trouble. Basically, I can log in with one user, but I can never get it to work properly for multiple users. My setup:
- Running 6.0.3 (and now 6.0.4) on a 60E
- Created CA, used this to sign a server certificate "TestCert". The CA is imported as external CA, the TestCert as certificate in the FortiGate.
- Created group 'vpnclients' with associated allow all policy for ssl tunnel adapter on the group.
- Created users rdiaz, test, both with two-factor password 'test' and validated by the previously imported CA
Preferably, I'd like to use a single client certificate. But if I use one client certificate for both users, only one can log in successfully. Debug log when logging in as test:
[548:root:b]sslvpn_validate_user_group_list:1702 got user (0), group (0:1). [548:root:b]doing authentication for 1 group(s). [548:root:b]fam_cert_proc_resp:1213 match rule (1), user (rdiaz:vpnusers) portal (full-access). [548:root:b]__auth_cert_cb:691 certificate check OK. [548:root:b]sslvpn_authenticate_user:167 authenticate user: [test] [548:root:b]sslvpn_authenticate_user:174 create fam state [548:root:b]fam_auth_send_req:575 with server blacklist: [548:root:b]fam_auth_send_req_internal:453 fnbam_auth return: 1 [548:root:b]fam_auth_send_req:695 task finished with 1 [548:root:b]login_failed:260 user[test],auth_type=1 failed [sslvpn_login_permission_denied] [548:root:b]SSL state:warning close notify (192.168.1.110) [548:root:b]sslConnGotoNextState:298 error (last state: 1, closeOp: 0)
Note the third line! Match rule user (rdiaz:vpnusers) This seems odd, as the user logging in is user test. Is this because the certificate was pinned to user rdiaz after first use?
Either way, I then tried to make a second client certificate, but I cannot get the second user (test) to log in with this new certificate either. In the FortiGate debug log (command: diagnose debug application sslvpn -1) I see the following:
[549:root:c]sslvpn_validate_user_group_list:1702 got user (0), group (0:1). [549:root:c]doing authentication for 1 group(s). [549:root:c]__auth_cert_cb:710 certificate check failed. Recheck without peer user matching. [549:root:c]doing certificate checking. [549:root:c]SSL state:warning close notify (192.168.1.110) [549:root:c]sslConnGotoNextState:298 error (last state: 1, closeOp: 0) [549:root:c]Destroy sconn 0x55d36800, connSize=0. (root)
The certificate used is definitely signed by the same CA, user test is member of vpnusers, and user test is set to be validated using the same CA cert in 'pki users'.
Any idea what could be the issue? I'm at a loss..
Cheers,
Wouter
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Monochrome,
I had the same problem, the certificat client sould used by peer user pki, PKI user rdiaz account contains the information required to determine which CA certificate to use to validate the user's certificate rdiaz, when you add this user rdiaz to the group VPN "vpnclients", then you try to use ssl vpn with certificate authentication, but this method requires users to authenticate using a single certificate, each user should have one ceritifcat oki, you can do in CLI "get vpn ssl monitor" and you will find :
SSL VPN Login Users:
Index User Auth Type Timeout From HTTP in/out HTTPS in/out
0 pki01,cn=rdiaz 1(1) 229 10.1.100.254 0/0 0/0
So if you want to user a unique certificat for all, you can add LDAP as server authentification and create a CA, and server certificat, and client certifcat. you find below the steps:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD40028
And after that you should do that :
- in the fortigate add the certificat CA and certifcat server.
- in the client laptop add the certificat CA in the certificate store "authority of certificate root trusted" in each laptop, and the certificate client in the certificate store "personnel".
and add in the group "vpnclients" a remote LDAP server, and it will working.
Regards
[edit] nevermind on some conclusions.
anyway do check the topic below and 6.2 makes it easier.
*) https://forum.fortinet.com/tm.aspx?m=184812
6.2 does this better: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47120
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.