Hi there,
I want to level up the security of our SSL-VPN (tunnel mode).
We have to make sure that VPN connections are only possible from devices of our managed infrastructure.
Is it possible to use computer certificates as an additional authentication requirement? I have already read about user certificates, but only for local users. We use LDAP group search for authentication and it does not seem possible to bind certificates to this user group.
In this case it would be nice if I could enroll computer certificates over Active Directory and the FortiGate checks these certs during the authentication.
Is this possible? If not, are there any other possibilities to increase VPN security?
I'm also trying to implement something like this so we can lock down the FortiClient to authorized domain computers. All docs seem to mention user certs.
Anyone know if computer certificates can be used?
I never heard of enforcement of a "computer certificate". I would look at host/client side checks. Here you could allow the Windows versions that your company uses.
Examples:
maybe you have only Win10 and want to disallow all earlier Windows versions
maybe you have a seed list of ether_address AA:AA:AA:AA:AA:AA
That, along with a user certificate, should be more than enough.
PCNSE
NSE
StrongSwan
You could use the enforced EMS management at the end-point. A machine certificate is NOT what you need or should be using imho.
PCNSE
NSE
StrongSwan
http://cookbook.fortinet.com/ssl-vpn-using-ldap-integrated-certificates/
This will work for you. Unfortunately, I am looking for client certificate with RADIUS authentication for users, which is not supported.
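For readers wanting to see how the two suggestions in this thread fit together on the FortiGate, here is an added illustration (not from the thread or from the linked cookbook) combining the host/client-side checks suggested above (OS version allow-list, MAC seed list) with a client certificate that is validated against the LDAP directory rather than a local user. It assumes FortiOS 6.x/7.x CLI syntax as recalled by the editor, so verify option names against your release; CA_Cert_1, ldap1, VPN-Users and the MAC addresses are placeholders.

```fortios
# Constructed example; object names and MAC addresses are placeholders.
config vpn ssl web portal
    edit "managed-only"
        set tunnel-mode enable
        # Host check 1: allow only the OS versions the company runs
        set os-check enable
        config os-check-list
            edit "windows-10"
                set action allow
            next
            edit "windows-7"
                set action deny
            next
        end
        # Host check 2: seed list of known hardware addresses
        set mac-addr-check enable
        set mac-addr-action allow
        config mac-addr-check-rule
            edit "managed-laptops"
                set mac-addr-mask 48
                set mac-addr-list "AA:AA:AA:AA:AA:AA" "AA:AA:AA:AA:AA:AB"
            next
        end
    next
end

# Certificate tied to the directory: the client cert must chain to the CA
# and its principal name must resolve to a user on the LDAP server.
config user peer
    edit "ldap-peer"
        set ca "CA_Cert_1"
        set ldap-server "ldap1"
        set ldap-mode principal-name
    next
end

config vpn ssl settings
    set reqclientcert enable
    config authentication-rule
        edit 1
            set groups "VPN-Users"
            set portal "managed-only"
            set client-cert enable
            set user-peer "ldap-peer"
        next
    end
end
```

MAC addresses are self-reported by the client and can be spoofed, so treat the MAC list and OS check as hygiene filters and rely on the certificate plus the LDAP group membership as the actual access control.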
Thanks for that - may work for us.
If anyone from Fortinet is reading - please implement client check on Forticlient for Mac! Would make life so much easier.
Copyright 2025 Fortinet, Inc. All Rights Reserved.