Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
gilfalko
New Contributor III

SSLVPN using LDAP and a Certificate

Hello,

 

As of today the users connecting using SSLVPN need 2 sources in order to authenticate:

 

1) AD user and pass.

2) A certificate issued by our CA server (each user has his own individually issued certificate).

 

This is all working just fine and I'd like to copy this procedure to another remote fortigate unit we have.

Unfortunately, this was done using an Integrator and I was unable to trace through his steps.

 

For starters, I was not able to locate the Server Certificate mentioned in the Fortinet documentation:

 

 

The crossed out certificate is for logging in via HTTPS and DNS.

Where else can I look?

 

 

Attached is a full configuration file.

Cheers

3 REPLIES 3
avondale
New Contributor II

Hi, I was wondering did you have to do anything "special" to get this to work, I am trying to get this to work, but am having an access denied error message on my SSL-VPN clients.

 

You mentioned you use the CA Certificate, so how did you set this up for the client computers?  Did you follow some documentation you can point me to?.

 

Thanks in Advance

gilfalko
New Contributor III

The issue with this was eventually tied up with the LDAP authentication and not the certificate.

I had "CA"  under the Name Identifier. It was suppose to be "SAMACCOUNTNAME".

 

Per your question, I'm afraid I'm still figuring out how it works.

Once I do I'll be sure to blog it.

 

avondale
New Contributor II

I have managed to get this to work, it took some reading across multiple forums.

 

I followed this one to create the self signing certificates

https://community.spiceworks.com/how_to/93311-fortigate-ssl-vpn-2-factor-authentication-using-open-s...

 

The trick was that when building the certificate, I had to put in the section of the FQDN the SAME distinguished name configuration that had been used when setting up the LDAP interface, so in my case the FQDN had the entries of dc=xxxxx,dc=local, which matched the Distinguished Name in the LDAP configuration.

 

I then followed the remaining instructions above and imported the certificate as a CA Certificate and the P12 file as a user certificate on the device, but you have to import it when logged on as the USER who wants to remotely connect.  Then configured the Forticlient to use this certificate and it worked,

 

I have just one certificate that I will use for those staff that need remote access, but you could create and load a remote certificate for each user, but didn't see a need.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors