I am using 2MFA in SSLVPN and using a PKI-card certificate as the 2nd authentication method.
Please help me with where to configure the CA certificate which should be used for authenticating/checking the user certificate. Do I have to configure a PKI user for that?
Kindly also confirm whether a self-signed server certificate is mandatory for 2MFA to work, or whether the Fortinet factory default certificate is fine (SSLVPN -> Settings -> server certificate).
If I understand correctly, you are after SSL VPN LDAP/RADIUS auth + certificate as 2FA. You need to configure a PKI user indeed; that's where you define the CA.
SSL VPN LDAP auth: https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/115783/ssl-vpn-with-ldap-user-authentic...
Then you'll have to enable PKI as second factor on SSL vpn auth rules:
    config vpn ssl settings
        config authentication-rule
            edit 12
                set groups "PKI_USERS"
                set portal "full-access"
                set realm "pki"
                set client-cert enable
                set user-peer "user1"
            next
        end
    end

    config user peer
        edit "user1"
            set ca "fortiauth.local.root"
            set ldap-server "LDAPS-bogusinc.local"
            set ldap-mode principal-name
        next
    end

    config user group
        edit "PKI_USERS"
            set member "LDAPS-bogusinc.local"
            config match
                edit 1
                    set server-name "LDAPS-bogusinc.local"
                    set group-name "CN=Users,CN=Builtin,DC=bogusinc,DC=local"
                next
            end
        next
    end

SSLVPN -> Settings -> server certificate: this better not be Fortinet_Factory. Use a certificate issued by a CA you/your users can trust (private or public).
You can grab one for free from Let's Encrypt if you're running at least FOS 7.0: https://docs.fortinet.com/document/fortigate/7.0.8/administration-guide/822087/acme-certificate-supp...
Please mark this as resolved if I answered your question.
Actually, it was working fine in FortiOS 7.0.5, and we are facing the issue after upgrading to 7.2.2.
The PKI user and server certificate were not configured, but users were able to connect. Why?
So it's broken now after the upgrade.
Are you using FortiClient, free or licensed?
Can you try without FortiClient, over web ssl vpn, same issue?
Please run this debug, it will show what is happening:
    diag debug reset
    diagnose debug cons time en
    diag debug application fnbamd -1
    diagnose debug app sslvpn -1
    dia vpn ssl debug-filter src-addr4 <PUBLICIPOFTESTCLIENT>
    diagnose debug enable
FortiClient is licensed, and web-based SSL VPN is disabled.
See if you can enable web-based SSL VPN for a quick test. That would help to know whether the issue is with the firewall or with FortiClient.
Otherwise, please run the debug and see if you can figure it out, maybe share here some event that you find interesting/relevant.
We have an existing TAC case for the same and executed the commands as you mentioned, but so far there is no resolution.
Any suggestion from your side would be helpful for us.
Is there anything that we can check on the endpoint system?
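One endpoint-side check that fits the question above, as an added example that is not from this thread or from Fortinet: a POSIX shell script that reproduces, with the openssl CLI (assumed to be installed), what the FortiGate applies to the presented client certificate when `set client-cert enable` is on, namely that it chains to the CA named by `set ca` and is within its validity period. All certificates are constructed locally as test data; the CA name and user name are taken from the configuration posted above.

```shell
#!/bin/sh
# Added example, not from the thread: run on a workstation to see whether the
# certificate the client presents would pass the FortiGate's PKI peer check.
# Assumes the openssl CLI is installed. Everything below is constructed test
# data: a throwaway CA named like the one in the thread, one user certificate
# it issued, and one self-signed certificate that merely claims to be user1.

# make_test_pki DIR: create the throwaway CA and the two user certificates.
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=fortiauth.local.root" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=user1" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 1 -in "$d/user.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -out "$d/user.pem" 2>/dev/null
    # Same identity, but self-signed: the CA in "set ca" never issued it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=user1" \
        -keyout "$d/rogue.key" -out "$d/rogue-user.pem" 2>/dev/null
}

# verify_user_cert CA_PEM USER_PEM: return 0 only if USER_PEM chains to CA_PEM
# (the CA configured under "config user peer") and has not expired. The system
# trust store is deliberately excluded, as the FortiGate only trusts that CA.
verify_user_cert() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -checkend 0 -noout -in "$2" >/dev/null 2>&1 || return 1
    return 0
}

# cert_subject USER_PEM: print the subject DN in RFC 2253 form so the identity
# can be compared with the LDAP entry the FortiGate will look up.
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Demo: the issued certificate passes, the self-signed one is rejected.
run_demo() {
    w=$(mktemp -d)
    make_test_pki "$w"
    for c in user rogue-user; do
        if verify_user_cert "$w/ca.pem" "$w/$c.pem"; then
            echo "$c.pem: OK  subject=$(cert_subject "$w/$c.pem")"
        else
            echo "$c.pem: REJECTED (does not chain to fortiauth.local.root)"
        fi
    done
    rm -rf "$w"
}
run_demo
```

To test a real card certificate, export it as PEM and call verify_user_cert with the PEM of the CA that is actually loaded on the FortiGate under that name.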