Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Shantilal1998
New Contributor

Created on ‎11-14-2022 05:14 AM

Where to define CA certificate authentication ?

Hi Guys,

 

I am using 2MFA in SSLVPN & using PKI-Card certificate for 2nd authentication method.

 

Please help me where to configure the CA certificate which should be used for authentication/checking the user certificate. Do i have to configure PKI user for that ??

 

Kindly also confirm, Self-signed Server certificate is mandatory for 2MFA to work or fortinet-factory default

certificate is fine ( SSLVPN-> Settings -> server certificate).

 

Thanks

Labels:
217
0 Kudos
6 REPLIES 6
cchiriches
Staff
Staff

Created on ‎11-15-2022 01:02 AM

Hi Shantilal1998,

If I understand correctly, you are after SSL VPN ldap/radius auth + certificate as 2fa.
You need to configure a pki user indeed, that's where you define the CA.

SSL VPN ldap auth:
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/115783/ssl-vpn-with-ldap-user-authentic...

PKI user:
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/776666/creating-a-pki-peer-user

Then you'll have to enable PKI as second factor on SSL vpn auth rules:

 

config vpn ssl settings
config authentication-rule
edit 12
set groups "PKI_USERS"
set portal "full-access"
set realm "pki"
set client-cert enable
set user-peer "user1"
next

config user peer
edit "user1"
set ca "fortiauth.local.root"
set ldap-server "LDAPS-bogusinc.local"
set ldap-mode principal-name
next

config user group
edit "PKI_USERS"
set member "LDAPS-bogusinc.local"
config match
edit 1
set server-name "LDAPS-bogusinc.local"
set group-name "CN=Users,CN=Builtin,DC=bogusinc,DC=local"
next

SSLVPN-> Settings -> server certificate - this better not be Fortinet_Factory.
Use a certificate issued by a CA you/your users can trust (private or public).

You can grab one for free from Let's Encrypt if you're running at least FOS 7.0:
https://docs.fortinet.com/document/fortigate/7.0.8/administration-guide/822087/acme-certificate-supp...

Please mark this as resolved if I answered your question.

195
0 Kudos
Shantilal1998
New Contributor

Created on ‎11-15-2022 01:12 AM

Hi, 

 

Actually, It was working fine in version FortiOS 7.0.5 & facing issue after upgrading to 7.2.2.

 

PKI user & server certificate was not configured but users were able to connect. Why ??

193
0 Kudos
cchiriches
Staff
Staff
In response to Shantilal1998

Created on ‎11-15-2022 02:13 AM

So it's broken now after the upgrade.

Are you using FortiClient, free or licensed?

Can you try without FortiClient, over web ssl vpn, same issue?

Please run this debug, it will show what is happening:

 

diag debug reset
diagnose debug cons time en
diag debug application fnbamd -1
diagnose debug app sslvpn -1
dia vpn ssl debug-filter src-addr4 <PUBLICIPOFTESTCLIENT>
diagnose debug enable

187
0 Kudos
Shantilal1998
New Contributor
In response to cchiriches

Created on ‎11-16-2022 11:40 PM

hi,

 

Forticlient is licensed & web based sslvpn is disabled.

161
0 Kudos
cchiriches
Staff
Staff
In response to Shantilal1998

Created on ‎11-17-2022 01:56 AM

See if you can enable web based sslvpn for a quick test. That would help to know if the issue is with the firewall or forticlient.

Otherwise, please run the debug and see if you can figure it out, maybe share here some event that you find interesting/relevant.

155
0 Kudos
Shantilal1998
New Contributor

Created on ‎11-23-2022 11:07 PM

Hi,

 

We have a existing TAC case for the same and executed the commands as you mentioned. But till now there is no resolution.

 

Any suggestion would be helpful for us from your side.

 

Is there anything that we can check on the endpoint system.

103
0 Kudos
Labels
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.