- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN Client to Site question.
Hello.
We had recently a security breach in our company (a user breach), the user shared his credentials to another user who access the LAN during vacation.
The user logged using a cached user then connect to the vpn using a friend credentials.
Is there a way to avoid this?
I mean forced a Forticlient login to a specific computer, if it doen´t match drop the connection.
In Windows i did that using Active Directory but it don´t apply the rule to the vpn.
Thank you.
Solved! Go to Solution.
- Labels:
-
FortiClient
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for answering.
I found this tutorial using SSL certificates, it will help.
Our vpn client-to-site isn´t SSL but IPSEC.
I´m not the administrator of the Fortigate, he told me that was impossible to do it.
I did the same scheme i need using PfSense (I´m the admin) and it worked very well.
This is the tutorial, thank you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
You can use this article for the same:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-host-check-on-SSL-VPN/ta-p/194337
But it requires license
For the latest versions
FortiClient 6.2.0, FortiClient EMS 6.2.0, and FortiOS 6.2.0 introduce a new licensing structure for managing
endpoints running FortiClient 6.2.0+. See Upgrading from previous FortiClient versions on page 7 for more
information on how the licensing changes upon upgrade to 6.2.0+. Fortinet no longer offers a free trial license
for ten connected FortiClient endpoints on any FortiGate model running FortiOS 6.2.0+. EMS 6.2.3 supports a
30-day trial license with ten FortiClient seats.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the intended user was willing to give out their laptop and credentials (and any other relevant passwords), then there's very little you can do with this IT-wise.
2FA could be implemented, but what's stopping the user for giving their 2FA token to the other person as well? What you are dealing with is pretty much a perfect and thorough, and voluntary, identity theft, at least as far as logins are concerned.
Implementing biometrics into the login flow might be the solution for you. For example a biometric FIDO2 token. Fortinet does not currently offer any biometric tokens, so you would have to handle this through some third party. (and you would also first need to make sure that your new method is supported by FortiClient)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for answering.
I found this tutorial using SSL certificates, it will help.
Our vpn client-to-site isn´t SSL but IPSEC.
I´m not the administrator of the Fortigate, he told me that was impossible to do it.
I did the same scheme i need using PfSense (I´m the admin) and it worked very well.
This is the tutorial, thank you.
Created on ‎05-26-2022 09:41 AM Edited on ‎05-26-2022 09:42 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps the initial question needs to be re-phrased, because I understood it as the "other user" used the original user's computer as well. (potentially implied by "user logged using a cached user")
If this is correct, then client-certificates will not help as they will be in the original user's computer that is being handed out to the "other user".
If I misunderstood and the "other user" used a different/their own computer, then client certificates could work. This would have to be implemented as IKEv1 with certificate authentication + XAUTH. (IKEv2 cannot be configured to do both client-certificate and client-credentials verification)
Do note that this approach is usually for preventing non-company devices from connecting. Client-certificates and client-username&password are validated independently, so if the "other user" used their own company-issued computer with their own certificate, that would not stop them from using the original user's credentials for the XAUTH phase.
Created on ‎06-02-2022 10:12 AM Edited on ‎06-02-2022 10:13 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello there, let me explain it correctly.
User A was in Vacation, account has been blocked using active directory.
User B shared their forticlient credentials by phone to user A who logged in Windows using a cached password then connect to the VPN using user B credentials.
My idea is to force them to only connect to the VPN using their own company devices.
I know how to do it in PfSense using (user Certificates / Auth) but in this Fortigate 100E i don´t, our VPN has been configured (not by me) as VPN-IPSEC instead of SSL-VPN, assuming SSL works i will must configure all from scratch.
Thank you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
You can use this article for the same:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-host-check-on-SSL-VPN/ta-p/194337
But it requires license
For the latest versions
FortiClient 6.2.0, FortiClient EMS 6.2.0, and FortiOS 6.2.0 introduce a new licensing structure for managing
endpoints running FortiClient 6.2.0+. See Upgrading from previous FortiClient versions on page 7 for more
information on how the licensing changes upon upgrade to 6.2.0+. Fortinet no longer offers a free trial license
for ten connected FortiClient endpoints on any FortiGate model running FortiOS 6.2.0+. EMS 6.2.3 supports a
30-day trial license with ten FortiClient seats.
