Hi,
I am currently testing SSL VPN multi-factor authentication. Since we already have PKI and smart cards running in the Microsoft AD environment, I followed the steps in the guide:
Everything executed smoothly, but I noticed a peculiar authentication mechanism. FortiGate's certificate multi-factor authentication matches if the account subject string on FortiGate matches part of the information in the certificate subject. I believe this is not a secure and rigorous matching method. The PKI user's subject should fully match the certificate subject.
The following is the verification process:
[366] peer_subject_cn_check-Cert subject 'CN = test3-jason'
[294] __RDN_match-Checking 'CN' val 'jason' -- match.
[324] __cert_subject_RDN_compare-Total matched RDNs in cert: 1
[391] peer_subject_cn_check-Subject is good.
[497] __check_add_peer-'jason' check ret:good
[612] __peer_user_clear_unmatched-Clear all user(s) other than 'jason'
[631] __peer_user_clear_unmatched-
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[738] fnbamd_cert_check_group_list-Peer users
[741] fnbamd_cert_check_group_list- 'jason' ('N/A','N/A')
[867] __cert_verify_do_next-req_id=127465600
[99] __cert_chg_st- 'Validation' -> 'Done'
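To make the difference visible, here is an added illustration that is not part of this thread and not Fortinet's code. The loose rule is an assumption modelled on the debug lines above (a configured value of 'jason' was reported as matching the certificate CN 'test3-jason'); the strict rule is the full-DN comparison the post argues for. The DN strings are constructed inputs.

```python
"""Partial vs. full subject matching for PKI users (illustrative, not FortiGate code)."""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "test3-jason")


def _split_rdn(text: str) -> RDN:
    """Turn 'CN = test3-jason' into ("CN", "test3-jason")."""
    if "=" not in text:
        raise ValueError(f"malformed RDN: {text!r}")
    attr, value = text.split("=", 1)
    return attr.strip().upper(), value.strip()


def parse_dn(dn: str) -> List[RDN]:
    """Parse a comma-separated DN string such as
    'CN = test3-jason, OU = Users, DC = corp' into [(type, value), ...].
    Whitespace around '=' and ',' is stripped; a backslash-escaped comma
    stays part of the value instead of starting a new RDN."""
    rdns: List[RDN] = []
    part: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            part.append(dn[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(part)))
            part = []
        else:
            part.append(ch)
        i += 1
    if part:
        rdns.append(_split_rdn("".join(part)))
    return rdns


def loose_match(configured: str, cert_subject: str) -> bool:
    """Assumed model of the behaviour seen in the debug output: each RDN of
    the configured subject is satisfied if its value occurs as a substring
    of a same-typed RDN value in the certificate subject."""
    cert = parse_dn(cert_subject)
    for attr, want in parse_dn(configured):
        if not any(a == attr and want.lower() in v.lower() for a, v in cert):
            return False
    return True


def strict_match(configured: str, cert_subject: str) -> bool:
    """Full-DN comparison: same RDN types, same order, and values equal
    after case folding. Nothing in the certificate subject may be left over."""
    want = [(a, v.lower()) for a, v in parse_dn(configured)]
    have = [(a, v.lower()) for a, v in parse_dn(cert_subject)]
    return want == have


def demo() -> dict:
    """Constructed inputs: a PKI user configured as 'CN = jason' and the
    certificate subject from the debug output, 'CN = test3-jason'."""
    cert_subject = "CN = test3-jason"
    return {
        "loose": loose_match("CN = jason", cert_subject),            # True
        "strict": strict_match("CN = jason", cert_subject),          # False
        "strict_full_dn": strict_match("CN = test3-jason", cert_subject),  # True
    }


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule:>15}: {outcome}")
```

Under the loose rule, any certificate whose CN merely contains the configured string is accepted, so a configured subject of 'CN = jason' would also cover 'CN = test3-jason'; under the strict rule only the exact DN is accepted. The practical mitigation for the configuration in the post is to put the full certificate subject (all RDNs, not just a fragment) in the PKI user's subject field, and to confirm with the same debug output that the matched value equals the certificate's CN rather than a substring of it.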
Hello Jason,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi Jason
Which version is your FortiOS?
Honestly though, these things run a bit smoother through OAuth or the like (tokens, SAML, etc.). Plus using 2FA actually makes it secure... A public cert, or say a user cert issued via AD LDAP, isn't exactly all that hard to snag https://routerlogin.uno/ .