Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

SSLVPN client certs and radius

I see this has been added in 7.4, which is a good thing, but it is somehow very limited.


UPDATE: correct link is:


I would need a little more flexibility concerning the certificate attributes to pass on to Radius.
Why can't I just freely choose any free-text attribute present in the cert? Are there maybe some hidden/CLI commands?


Authentication would be the fact that the user has presented a trusted client cert (issued from one of the installed CAs).

Authorization would come from the Radius server, i.e. the user group / portal to use depends on some attribute from the cert sent to and evaluated by Radius.

Community Manager
Community Manager

Hello jammac,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Anthony-Fortinet Community Team.
New Contributor

Does your radius pull your user creds from your windows AD LDAP? If so, you can use your radius as an authentication proxy like you would with FAC. You'll need to make your Fortigate a radius client, then it will proxy authentication requests to ldap. See option 3 here 


Subject value matching is actually more tricky than it seems.

It's not possible to truly filter it as free-form text because the Subject value isn't just plain text. It's a chain of ASN.1 encoded TLV (type-length-value) pairs. And each type is is not represented by a simple string such as "CN", but with an OID ("" for CN). So in order for the FortiGate to be able to filter it, it needs to know it (how it translates to an OID).


With that said, the most common elements are supported (CN, O, OU, DC,.. maybe more?). Is there anything specific in mind that you're missing?


Lastly, while the doc doesn't show it, you can filter for multiple elements, e.g. set subject "CN=John Doe, OU=MyDepartment, O=MyCompany".

[ corrections always welcome ]
New Contributor III

Sure but the problem is sending the info to radius

config user radius
    edit <name>
        set account-key-processing {same | strip}
        set account-key-cert-field {othername | rfc822name | dnsname} <----- not many options

Also it requires adding a local user.... it would be best if it would just take the cert and forward certain attributes to radius for authn/authz.


I'm honestly confused what a realistic real-world usage of this would be. All RADIUS servers I have ever encountered have required a valid password, and I am not quite sure how the FortiGate is supposed to fabulate one here.


I think you'd be better of either using existing and well-tested cert+LDAP integrations (~authenticate with a client-cert, get groups via LDAP, using SAN content as user identity in LDAP lookups).

Or go fully RADIUS with EAP-TLS. (limited number of features that support this: IPsec IKEv2, wifi-auth, switch 802.1x)

[ corrections always welcome ]
Top Kudoed Authors