gilfalko
New Contributor III

SSLVPN using LDAP and a Certificate

Hello,

As of today, users connecting using SSLVPN need 2 sources in order to authenticate:

1) AD user and pass.

2) A certificate issued by our CA server (each user has his own individually issued certificate).

This is all working just fine and I'd like to copy this procedure to another remote FortiGate unit we have.

Unfortunately, this was done using an integrator and I was unable to trace through his steps.

For starters, I was not able to locate the Server Certificate mentioned in the Fortinet documentation:

The crossed out certificate is for logging in via HTTPS and DNS.

Where else can I look?

Attached is a full configuration file.

Cheers

avondale
New Contributor II

Hi, I was wondering: did you have to do anything "special" to get this to work? I am trying to get this to work, but am getting an access denied error message on my SSL-VPN clients.

You mentioned you use the CA Certificate, so how did you set this up for the client computers? Did you follow some documentation you can point me to?

Thanks in Advance

gilfalko
New Contributor III

The issue with this was eventually tied up with the LDAP authentication and not the certificate.

I had "CA" under the Name Identifier. It was supposed to be "SAMACCOUNTNAME".


Per your question, I'm afraid I'm still figuring out how it works.

Once I do I'll be sure to blog it.

avondale
New Contributor II

I have managed to get this to work; it took some reading across multiple forums.

I followed this one to create the self-signed certificates:

https://community.spiceworks.com/how_to/93311-fortigate-ssl-vpn-2-factor-authentication-using-open-s...

The trick was that when building the certificate, I had to put in the FQDN section the SAME distinguished name configuration that had been used when setting up the LDAP interface, so in my case the FQDN had the entries dc=xxxxx,dc=local, which matched the Distinguished Name in the LDAP configuration.

I then followed the remaining instructions above and imported the certificate as a CA Certificate and the P12 file as a user certificate on the device, but you have to import it while logged on as the USER who wants to remotely connect. Then I configured FortiClient to use this certificate and it worked.

I have just one certificate that I will use for those staff who need remote access; you could create and load a remote certificate for each user, but I didn't see a need.

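Added example (not from this thread, the linked Spiceworks guide, or Fortinet): a POSIX shell script using the openssl command line that builds a private CA and one per-user client certificate whose subject reuses the DC components of the LDAP base DN, as the reply above describes, then exports the PKCS#12 bundle and checks that the issued certificate chains to the CA and that its subject reads back as CN=<account name> followed by the LDAP DN. The domain `dc=example,dc=local`, the account name `jdoe` and the export password are constructed stand-ins for the poster's `dc=xxxxx,dc=local` and real values; using the AD account name as the CN (which lines up with the SAMACCOUNTNAME identifier mentioned earlier in the thread), RSA 2048, the validity periods and the clientAuth extension are my own choices, not something the thread specifies. It requires the `openssl` binary and does not handle DN values containing `,`, `=` or `/`.

```shell
#!/bin/sh
# Added example, not from the forum thread: issue a per-user SSL VPN client
# certificate whose subject carries the same DC components as the LDAP base DN.
set -e

# Constructed value standing in for the poster's "dc=xxxxx,dc=local".
LDAP_BASE_DN="${LDAP_BASE_DN:-dc=example,dc=local}"
# Working directory for keys and certificates (a temp dir unless WORK is set).
WORK="${WORK:-$(mktemp -d)}"

# Convert an RFC 2253 DN ("cn=jdoe,dc=example,dc=local") into the slash form
# that "openssl req -subj" expects, written root-first ("/DC=local/DC=example/CN=jdoe")
# so that the encoded subject reads back as the original DN. Values containing
# ',' '=' or '/' are not escaped here.
dn_to_subj() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n '1!G;h;$p' |
    while IFS='=' read -r attr val; do
        printf '/%s=%s' "$(printf '%s' "$attr" | tr '[:lower:]' '[:upper:]')" "$val"
    done
}

build_pki() {
    user="$1"      # AD account name (sAMAccountName), used as the certificate CN
    pass="$2"      # export password for the user's PKCS#12 bundle
    mkdir -p "$WORK"

    # 1. Private CA; its certificate is what gets imported on the firewall as a CA Certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "$(dn_to_subj "cn=SSLVPN Client CA,$LDAP_BASE_DN")" 2>/dev/null

    # 2. Per-user key and CSR: CN is the account name, DC parts mirror the LDAP DN.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" \
        -subj "$(dn_to_subj "cn=$user,$LDAP_BASE_DN")" 2>/dev/null

    # 3. Sign the CSR with the CA, restricting the certificate to client authentication.
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$WORK/client.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$user.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/client.ext" -out "$WORK/$user.crt" 2>/dev/null

    # 4. Bundle user key, certificate and CA into the .p12 the user imports themselves.
    openssl pkcs12 -export -inkey "$WORK/$user.key" -in "$WORK/$user.crt" \
        -certfile "$WORK/ca.crt" -passout "pass:$pass" -out "$WORK/$user.p12"
}

# Verify that a user's certificate chains to the CA and that its subject is
# exactly cn=<user> followed by the LDAP base DN (compared case-insensitively).
verify_user_cert() {
    user="$1"
    [ -f "$WORK/$user.crt" ] || return 1
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$user.crt" >/dev/null 2>&1 || return 1
    subject=$(openssl x509 -in "$WORK/$user.crt" -noout -subject -nameopt RFC2253 \
              | sed 's/^subject= *//' | tr '[:upper:]' '[:lower:]')
    expected=$(printf 'cn=%s,%s' "$user" "$LDAP_BASE_DN" | tr '[:upper:]' '[:lower:]')
    [ "$subject" = "$expected" ]
}

# Stand-alone use:  sh issue-client-cert.sh jdoe 'export-password'
if [ "$#" -eq 2 ]; then
    build_pki "$1" "$2"
    if verify_user_cert "$1"; then
        echo "issued $WORK/$1.p12; subject matches LDAP DN $LDAP_BASE_DN"
    else
        echo "certificate check failed for $1" >&2
        exit 1
    fi
fi
```

The DN is written root-first on the openssl command line because openssl encodes RDNs in the order given and prints them reversed under RFC 2253, so `/DC=local/DC=example/CN=jdoe` is what reads back as `CN=jdoe,DC=example,DC=local`; getting that order wrong is an easy way to end up with a subject that does not match what the LDAP side expects. The check in `verify_user_cert` is the one worth running on any certificate before handing the .p12 to a user.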