Hi , enmoc

  I have PrivacyIDEA +TOTP working without issues for tunnel mode but now  I'd like to achieve client cert + active directory auth (LDAP) 2 factor only for Web mode.   In summary I have two scenarios:   1- One realm /corp using PrivacyIDEA with LDAP auth + TOTP. Using Radius as auth server (PI)   2- Default realm / auth using cert + LDAP but not working using this guide   https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-cert...    As you said, with this guide I can check that client cert is valid only for this user (UserPrincipalName) right?   What is the second factor applied here? LDAP user+password? My problem is that user with valid certificate can login to SSLVPN portal only with certificate, login password is never prompted.   Thanks for you help. Best regards.

How is your auth-rule define per each realm? I would also do the "diag debug sslvpn" and review the messages to see what and if any errors. If you do use peer or peergroups  that would also being good

 

Can you dump the subject line of one the user-certificates so we can see the structure ( just sanitize it )

 

Ken Felix

 

Okay I tested my  env by exporting my user certificate and then building a "peer" using that information extracted from my user-cert

 

kenfelix@Socpuppets:~$ openssl x509 -in myuser-certs.cer -inform der -subject -noout subject= /O=Socpuppets/CN=KenFelix

 

 

You can call up the CA and CN value but that would be disastrous in a big org with hundreds of end-user certificates. The better approach would be to sign all user-certificate off a unique ca-chain and then use that in the peer  

 

config user peer  edit "vpn_users_corp"  set ca "CA_Cert_145"

 # that ca would be the one issuing on user-certificates next

end

 

And in the auth-rules you use that in you validation

 

 

config authentication-rule edit 16 set source-interface "wan1" set source-address "all" set groups "vpnusers-trest" set portal "full-access"

set realm "corpvpn" set client-cert enable set user-peer "vpn_users_corp" next

 

Here's a post i made about realm that shows how we set realms

 

http://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html

 

 

I also have a hunch you could also use the subLaternative name value in the peer also. You would have to playaround with it. I never tried but I know it would work.

 

/* example by using the email ALtName type

 

 

e.g

     email:kfelix@example.com

 

and the peer

 

config user peer edit "email-altName" set ca "CA_Cert_145" set cn "kfelix@example.com" set cn-type email next end

 

Give that a try with a single user and then figure out how to do it corp wide , but a separate chain for issuing user certs would be the best path imho. Than you only have to write one peer and match certificate issued. If cert-revocation is used,you can kill vpn access by signing a revocation.

 

We do that but we do not use windows MS-CA so I'm no 100% sure of it limits with user cert issuances.

 

 

YMMV 

 

Ken Felix

 

@gponero

Thanks for the information.