Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jason1683416
New Contributor

SSL VPN with certificate authentication

Hi,

I am currently testing SSL VPN multi-factor authentication. Since we already have PKI and smart cards running in the Microsoft AD environment, I followed the steps in the guide:

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/266506/ssl-vpn-with-certific...

Everything executed smoothly, but I noticed a peculiar authentication mechanism. FortiGate's certificate multi-factor authentication matches if the account subject string on FortiGate matches part of the information in the certificate subject. I believe this is not a secure and rigorous matching method. The PKI user's subject should fully match the certificate subject.

 

It can be observed that test3-jason was initially matched by jason's subject, leading to subsequent authentication failure.
  1. How can I avoid the following situation?
  2. Additionally, can FortiGate's certificate authentication authenticate the subject alternative name in the certificate?

FortiGate  

The following is the verification process:

 

[366] peer_subject_cn_check-Cert subject 'CN = test3-jason'
[294] __RDN_match-Checking 'CN' val 'jason' -- match.
[324] __cert_subject_RDN_compare-Total matched RDNs in cert: 1
[391] peer_subject_cn_check-Subject is good.
[497] __check_add_peer-'jason' check ret:good
[612] __peer_user_clear_unmatched-Clear all user(s) other than 'jason'
[631] __peer_user_clear_unmatched-
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[738] fnbamd_cert_check_group_list-Peer users
[741] fnbamd_cert_check_group_list-    'jason' ('N/A','N/A')
[867] __cert_verify_do_next-req_id=127465600
[99] __cert_chg_st- 'Validation' -> 'Done'

 

[attached screenshot: Screenshot 2024-06-17 221848.png]
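To make the behaviour visible in the debug output concrete, here is an added Python model (not code from this thread, from Fortinet, or from FortiOS) of the two subject-matching policies the post contrasts. The "partial" policy is a reconstruction of what the quoted `__RDN_match` lines suggest, namely that the configured PKI user subject value only needs to appear inside the certificate's RDN value; it is an assumption drawn from the log, not FortiGate's actual implementation. The "exact" policy is the full-subject match the poster asks for. The last function scans fnbamd-style debug lines (the sample below is constructed from the lines quoted above) and flags any RDN match where the configured value differs from the certificate's value, which is the condition that let `jason` match `test3-jason`.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first few fnbamd debug lines quoted in the post.
SAMPLE_DEBUG = """\
[366] peer_subject_cn_check-Cert subject 'CN = test3-jason'
[294] __RDN_match-Checking 'CN' val 'jason' -- match.
[324] __cert_subject_RDN_compare-Total matched RDNs in cert: 1
[391] peer_subject_cn_check-Subject is good.
[497] __check_add_peer-'jason' check ret:good
"""

SUBJECT_RE = re.compile(r"peer_subject_cn_check-Cert subject '([^']*)'")
RDN_RE = re.compile(r"__RDN_match-Checking '(\w+)' val '([^']*)' -- match\.")


def parse_subject(subject: str) -> dict:
    """Turn 'CN = test3-jason, OU = Users' into {'CN': 'test3-jason', 'OU': 'Users'}.
    Attribute types are upper-cased; values keep their exact spelling."""
    rdns = {}
    for part in subject.split(","):
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        rdns[attr.strip().upper()] = value.strip()
    return rdns


def matches_partial(configured: str, cert_subject: str) -> bool:
    """Assumed model of the behaviour in the posted log: every configured RDN
    only has to occur as a substring of the certificate's RDN of the same type."""
    want = parse_subject(configured)
    have = parse_subject(cert_subject)
    return all(attr in have and value in have[attr] for attr, value in want.items())


def matches_exact(configured: str, cert_subject: str) -> bool:
    """Strict policy the poster asks for: the configured subject and the
    certificate subject must contain the same RDNs with identical values."""
    return parse_subject(configured) == parse_subject(cert_subject)


@dataclass
class PartialMatch:
    """One RDN that was accepted although the configured value is not the cert value."""
    attr: str
    configured: str
    cert_value: str


def find_partial_matches(debug_text: str) -> list:
    """Audit fnbamd-style debug output: remember the certificate subject from the
    'Cert subject' line, then report every RDN match whose configured value is
    not identical to the certificate's value for that attribute."""
    findings = []
    cert_rdns = {}
    for line in debug_text.splitlines():
        subj = SUBJECT_RE.search(line)
        if subj:
            cert_rdns = parse_subject(subj.group(1))
            continue
        rdn = RDN_RE.search(line)
        if rdn:
            attr, configured = rdn.group(1).upper(), rdn.group(2)
            actual = cert_rdns.get(attr)
            if actual is not None and actual != configured:
                findings.append(PartialMatch(attr, configured, actual))
    return findings


if __name__ == "__main__":
    print("partial policy accepts jason vs test3-jason:",
          matches_partial("CN=jason", "CN = test3-jason"))
    print("exact policy accepts jason vs test3-jason:",
          matches_exact("CN=jason", "CN = test3-jason"))
    for finding in find_partial_matches(SAMPLE_DEBUG):
        print(f"partial match on {finding.attr}: configured "
              f"'{finding.configured}' accepted cert value '{finding.cert_value}'")
```

Running the audit over the quoted lines reports a single finding for `CN`, which is exactly the case the screenshot shows; the same scan can be run over a longer `diagnose debug application fnbamd` capture to see how often a short configured subject is matching longer certificate subjects.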

 

Anthony_E
Community Manager

Hello Jason,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.
AEK
SuperUser

Hi Jason

Which version is your FortiOS?

AEK
nikotgi
New Contributor

Honestly though, these things run a bit smoother through OAuth or the like (tokens, SAML, etc.). Plus, using 2FA actually makes it secure... A public cert, or say a user cert issued via AD LDAP, isn't exactly all that hard to snag https://routerlogin.uno/ .
