Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

SSL VPN with Certificate Authentication and 2FA

Hi All,

SSL VPN with certificate auth

We have SSL VPN set up with Radius NPS and Azure Authenticator app. There is a need to activate certificate auth to this existing set up. I have read couple of articles and understand that the every user should have a unique cert to distinguish them and a similar config for fortigate to create users. 


I am not sure whether we need to add 500 users via cli and match each user certificate. Or is there any better method to do the same.





Kindly refer the below document for SSL VPN with remote user authentication with the client certificate.





Hey santosp,

I assume you're currently using RADIUS authentication, correct?

From FortiGate side, it's not really possible to add certificate authentication into this without creating local users FortiGate if you want this to be a stringent certificate check.


You have a few options:

- adding in one (or more) PKI user as outlined in the KB shared by my colleague Jamal

-> if you make the PKI user vague enough (a generic subject-string that all user certificates will contain), then you would only need one PKI user

-> PKI users can tie back to an LDAP server, but not a RADIUS server

- you can simply enable 'require client-cert' in the VPN settings

-> users would have to present a certificate that FortiGate trusts (signed by a CA FortiGate trusts, essentially), but not necessarily one that is uniquely theirs

- you could switch to IPSec VPN and IKEv2 to introduce EAP authentication and involve certificates that way, but this would be a major redesign

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

Thank you Debbie. We want to do Cert+2FA. We have end users machines with intune deployed. Would need to explore if intune certs can be used via Forticlient.
Believe we can uses usernames in the intune presented certs in the subject section of the PKI user right ?  


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors