Jason1683416
New Contributor II

SSL VPN with certificate authentication

Hi,

I am currently testing SSL VPN multi-factor authentication. Since we already have PKI and smart cards running in the Microsoft AD environment, I followed the steps in the guide:

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/266506/ssl-vpn-with-certific...

Everything executed smoothly, but I noticed a peculiar authentication mechanism. FortiGate's certificate multi-factor authentication matches if the account subject string on FortiGate matches part of the information in the certificate subject. I believe this is not a secure and rigorous matching method. The PKI user's subject should fully match the certificate subject.

It can be observed that test3-jason was initially matched by jason's subject, leading to subsequent authentication failure.

1. How can I avoid the following situation?
2. Additionally, can FortiGate's certificate authentication authenticate the subject alternative name in the certificate?

The following is the verification process:

[366] peer_subject_cn_check-Cert subject 'CN = test3-jason'
[294] __RDN_match-Checking 'CN' val 'jason' -- match.
[324] __cert_subject_RDN_compare-Total matched RDNs in cert: 1
[391] peer_subject_cn_check-Subject is good.
[497] __check_add_peer-'jason' check ret:good
[612] __peer_user_clear_unmatched-Clear all user(s) other than 'jason'
[631] __peer_user_clear_unmatched-
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[738] fnbamd_cert_check_group_list-Peer users
[741] fnbamd_cert_check_group_list-    'jason' ('N/A','N/A')
[867] __cert_verify_do_next-req_id=127465600
[99] __cert_chg_st- 'Validation' -> 'Done'

1 Solution
pminarik
Staff

The matching is indeed substring-based by default, but this is configurable.

config vpn certificate setting
    set subject-match substring|value
    set cn-match substring|value
end

"value" meaning exact match.

Be mindful that this is a VDOM-wide setting. If you're matching somewhere else as a substring, changing the option may break that.

[ corrections always welcome ]

Anthony_E
Community Manager

Hello Jason,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.
AEK
SuperUser

Hi Jason,

Which version is your FortiOS?

AEK
lkanakala
Staff

From my understanding, this behavior is expected when using the subject for matching. The reason is that many fields can be part of the subject, such as CN, OU, and Organization. When the subject is used, FortiOS checks if the defined string is present within the certificate's subject. In your case, yes. I would recommend using the other options like cn or principal-name for accurate verification.

Please refer to the "Subject field verification" section in the following document:

Dialup IPsec VPN with certificate authentication

It's better to use the CN or SAN option, as the SAN option is more scalable.
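As an added illustration, not code from this thread or from Fortinet, the following Python models the two match modes pminarik's solution names (`substring`, the default, and `value`, exact) for both subject-based and CN-based peer users, the distinction lkanakala's reply draws. The matching logic is a constructed simplification of the RDN comparison visible in the debug output above, not FortiOS's implementation; the peer names, the certificate subject and its OU/DC values are made up for the demonstration, and escaped commas inside DN values are not handled.

```python
"""Simulated FortiOS-style peer-user certificate subject matching.

Constructed model for illustration, not FortiOS code: it reproduces the two
match modes named in the thread ('substring', the default, and 'value', exact)
for subject-based and CN-based peer users, and shows why a peer user with
subject 'CN = jason' accepts a certificate whose CN is 'test3-jason' unless
exact matching is configured.
"""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an OpenSSL-style DN such as 'CN = test3-jason, OU = Users' into
    (attribute, value) pairs. Attribute types are upper-cased so 'cn' and 'CN'
    compare equal; values keep their case. Escaped commas inside values are
    not handled (simplification of this model)."""
    rdns: list[tuple[str, str]] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def value_matches(expected: str, actual: str, mode: str) -> bool:
    """'substring': the configured string appears anywhere inside the
    certificate value (the default behaviour described in the thread).
    'value': the two strings must be identical."""
    if mode == "substring":
        return expected in actual
    if mode == "value":
        return expected == actual
    raise ValueError(f"unknown match mode {mode!r}")


def subject_matches(peer_subject: str, cert_subject: str, mode: str) -> bool:
    """Subject-based peer user: every RDN configured on the peer must be
    matched by an RDN of the same attribute type in the certificate subject."""
    cert_rdns = parse_dn(cert_subject)
    return all(
        any(attr == cattr and value_matches(expected, cval, mode)
            for cattr, cval in cert_rdns)
        for attr, expected in parse_dn(peer_subject)
    )


def cn_matches(peer_cn: str, cert_subject: str, mode: str) -> bool:
    """CN-based peer user: only the certificate's CN attribute is compared."""
    return any(value_matches(peer_cn, cval, mode)
               for cattr, cval in parse_dn(cert_subject) if cattr == "CN")


def matching_peers(peers: dict[str, str], cert_subject: str, mode: str) -> list[str]:
    """Names of every peer user (name -> configured subject) whose subject
    matches the presented certificate. More than one hit means the gateway
    has to pick one, which is the ambiguity the thread describes."""
    return [name for name, subj in peers.items()
            if subject_matches(subj, cert_subject, mode)]


# Constructed sample data modelled on the thread: two PKI users and a
# certificate issued to test3-jason (the OU and DC values are invented).
PEERS = {"jason": "CN = jason", "test3-jason": "CN = test3-jason"}
CERT_SUBJECT = "CN = test3-jason, OU = VPN Users, DC = example, DC = test"

if __name__ == "__main__":
    for mode in ("substring", "value"):
        print(f"{mode:>9}: subject hits = {matching_peers(PEERS, CERT_SUBJECT, mode)}, "
              f"cn 'jason' matches = {cn_matches('jason', CERT_SUBJECT, mode)}")
```

Run as-is, the substring pass reports both `jason` and `test3-jason` as hits for the `test3-jason` certificate, which is the double match behind the "Clear all user(s) other than 'jason'" line in the debug output; the value pass reports only `test3-jason`. The same holds for a CN-based peer user: `jason` is a substring of `test3-jason`, so only exact matching separates the two accounts.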
