Hi,
I am currently testing SSL VPN multi-factor authentication. Since we already have PKI and smart cards running in the Microsoft AD environment, I followed the steps in the guide:
Everything executed smoothly, but I noticed a peculiar authentication mechanism. Fortigate's certificate multi-factor authentication matches if the account subject string on Fortigate matches part of the information in the certificate subject. I believe this is not a secure and rigorous matching method. The PKI user's subject should fully match the certificate subject.
The following is the verification process:
[366] peer_subject_cn_check-Cert subject 'CN = test3-jason'
[294] __RDN_match-Checking 'CN' val 'jason' -- match.
[324] __cert_subject_RDN_compare-Total matched RDNs in cert: 1
[391] peer_subject_cn_check-Subject is good.
[497] __check_add_peer-'jason' check ret:good
[612] __peer_user_clear_unmatched-Clear all user(s) other than 'jason'
[631] __peer_user_clear_unmatched-
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[738] fnbamd_cert_check_group_list-Peer users
[741] fnbamd_cert_check_group_list- 'jason' ('N/A','N/A')
[867] __cert_verify_do_next-req_id=127465600
[99] __cert_chg_st- 'Validation' -> 'Done'
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The matching is indeed substring-based by default, but this is configurable.
config vpn certificate setting
set subject-match substring|value
set cn-match substring|value
end
"value" meaning exact match.
Be mindful that this is a VDOM-wide setting. If you're matching else somewhere else as a substring, changing the option may break that.
Hello Jason,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi Jason
Which version is your FortiOS?
From my understanding, this behavior is expected when using the subject for matching. The reason is that many fields can be part of the subject, such as CN, OU, and Organization. When the subject is used, FortiOS checks if the defined string is present within the certificate's subject. In your case, yes. I would recommend using the other options like cn or principal-name for accurate verification.
Please refer to the "Subject field verification" section in the following document:
Dialup IPsec VPN with certificate authentication
It's better to use the CN or SAN option, as the SAN option is more scalable.
The matching is indeed substring-based by default, but this is configurable.
config vpn certificate setting
set subject-match substring|value
set cn-match substring|value
end
"value" meaning exact match.
Be mindful that this is a VDOM-wide setting. If you're matching else somewhere else as a substring, changing the option may break that.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1545 | |
1030 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.