Hi Guys,
I am using 2MFA in SSLVPN & using PKI-Card certificate for 2nd authentication method.
Please help me with where to configure the CA certificate which should be used for authenticating/checking the user certificate. Do I have to configure a PKI user for that?
Kindly also confirm: is a self-signed server certificate mandatory for 2MFA to work, or is the Fortinet factory default
certificate fine (SSLVPN -> Settings -> server certificate)?
Thanks
Hi Shantilal1998,
If I understand correctly, you are after SSL VPN ldap/radius auth + certificate as 2fa.
You need to configure a pki user indeed, that's where you define the CA.
SSL VPN ldap auth:
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/115783/ssl-vpn-with-ldap-user-authentic...
PKI user:
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/776666/creating-a-pki-peer-user
Then you'll have to enable PKI as second factor on SSL vpn auth rules:
config vpn ssl settings
    config authentication-rule
        edit 12
            set groups "PKI_USERS"
            set portal "full-access"
            set realm "pki"
            set client-cert enable
            set user-peer "user1"
        next
    end
end
config user peer
    edit "user1"
        set ca "fortiauth.local.root"
        set ldap-server "LDAPS-bogusinc.local"
        set ldap-mode principal-name
    next
end
config user group
    edit "PKI_USERS"
        set member "LDAPS-bogusinc.local"
        config match
            edit 1
                set server-name "LDAPS-bogusinc.local"
                set group-name "CN=Users,CN=Builtin,DC=bogusinc,DC=local"
            next
        end
    next
end
SSLVPN-> Settings -> server certificate - this better not be Fortinet_Factory.
Use a certificate issued by a CA you/your users can trust (private or public).
You can grab one for free from Let's Encrypt if you're running at least FOS 7.0:
https://docs.fortinet.com/document/fortigate/7.0.8/administration-guide/822087/acme-certificate-supp...
Please mark this as resolved if I answered your question.
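The linkage described in the reply above (authentication rule -> client-cert enable + user-peer -> PKI peer with a CA, plus a defined group) is easy to get half-configured, which is exactly the failure mode the asker describes. The following checker is an added example, not code from the reply, the thread, or any Fortinet tool: it parses the nested config / edit / set / next / end syntax of a FortiOS CLI snippet into dictionaries and reports any rule that demands a certificate without a usable peer or group. The embedded snippets are constructed input (the reply's configuration with its missing next/end closers added, and a variant with no PKI peer); all function and constant names are this example's own.

```python
"""Cross-check the SSL VPN certificate-2FA linkage in a FortiOS CLI snippet.

Added example, not from the thread or from Fortinet. Parses the nested
config / edit / set / next / end syntax into dicts and verifies that an
authentication rule with 'client-cert enable' points at a 'user peer'
that names a CA, and that the group the rule uses is defined.
"""
import shlex


def parse_fortios(text):
    """Parse FortiOS CLI config text into nested dicts keyed by table/entry.

    'config X' and 'edit Y' open nested tables, 'set K V...' stores a value,
    'next' closes the current edit entry and 'end' closes the enclosing config
    table (including, as on a FortiGate, an edit entry still open inside it).
    """
    root = {}
    stack = [("config", root)]  # (kind, container) for every open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        cur = stack[-1][1]
        if kw == "config":
            stack.append(("config", cur.setdefault(" ".join(args), {})))
        elif kw == "edit":
            stack.append(("edit", cur.setdefault(args[0], {})))
        elif kw == "set":
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw == "next":
            if stack[-1][0] != "edit":
                raise ValueError("'next' outside an edit entry")
            stack.pop()
        elif kw == "end":
            while stack[-1][0] == "edit":
                stack.pop()
            if len(stack) == 1:
                raise ValueError("'end' without an open config block")
            stack.pop()
        else:
            raise ValueError("unknown keyword: " + kw)
    if len(stack) > 1:
        raise ValueError("%d block(s) left open, missing next/end" % (len(stack) - 1))
    return root


def check_cert_2fa(cfg):
    """Return a list of findings; an empty list means the linkage is consistent."""
    findings = []
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {})
    peers = cfg.get("user peer", {})
    groups = cfg.get("user group", {})
    if not rules:
        findings.append("no SSL VPN authentication rules defined")
    for rid, rule in rules.items():
        if rule.get("client-cert") != "enable":
            findings.append(f"rule {rid}: client-cert is not enabled, so no certificate is demanded")
            continue
        peer = rule.get("user-peer")
        if not peer:
            findings.append(f"rule {rid}: client-cert enabled but no user-peer set")
        elif peer not in peers:
            findings.append(f"rule {rid}: user-peer '{peer}' is not defined under 'config user peer'")
        elif not peers[peer].get("ca"):
            findings.append(f"rule {rid}: peer '{peer}' names no CA, so client certificates cannot be validated")
        wanted = rule.get("groups", [])
        for g in ([wanted] if isinstance(wanted, str) else wanted):
            if g not in groups:
                findings.append(f"rule {rid}: group '{g}' is not defined under 'config user group'")
    return findings


def audit(text):
    """Parse a snippet and return its findings (raises ValueError on bad syntax)."""
    return check_cert_2fa(parse_fortios(text))


# Constructed input: the reply's snippet, split in three parts, with closers added.
RULE_CFG = """config vpn ssl settings
    config authentication-rule
        edit 12
            set groups "PKI_USERS"
            set portal "full-access"
            set realm "pki"
            set client-cert enable
            set user-peer "user1"
        next
    end
end
"""
PEER_CFG = """config user peer
    edit "user1"
        set ca "fortiauth.local.root"
        set ldap-server "LDAPS-bogusinc.local"
        set ldap-mode principal-name
    next
end
"""
GROUP_CFG = """config user group
    edit "PKI_USERS"
        set member "LDAPS-bogusinc.local"
        config match
            edit 1
                set server-name "LDAPS-bogusinc.local"
                set group-name "CN=Users,CN=Builtin,DC=bogusinc,DC=local"
            next
        end
    next
end
"""
GOOD_CONFIG = RULE_CFG + PEER_CFG + GROUP_CFG
# Constructed variant mirroring the asker's situation: the rule demands a
# certificate but no 'user peer' (hence no CA) exists.
BROKEN_CONFIG = RULE_CFG + GROUP_CFG

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, "->", audit(cfg) or "consistent")
```

Run it against a `show full-configuration` export trimmed to the three tables above; any finding it prints is a link in the chain that the FortiGate cannot follow when it tries to validate the client certificate.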
Hi,
Actually, it was working fine in version FortiOS 7.0.5, and we are facing the issue after upgrading to 7.2.2.
The PKI user and server certificate were not configured, but users were able to connect. Why?
So it's broken now after the upgrade.
Are you using FortiClient, free or licensed?
Can you try without FortiClient, over web ssl vpn, same issue?
Please run this debug, it will show what is happening:
diag debug reset
diagnose debug cons time en
diag debug application fnbamd -1
diagnose debug app sslvpn -1
dia vpn ssl debug-filter src-addr4 <PUBLICIPOFTESTCLIENT>
diagnose debug enable
hi,
Forticlient is licensed & web based sslvpn is disabled.
See if you can enable web based sslvpn for a quick test. That would help to know if the issue is with the firewall or forticlient.
Otherwise, please run the debug and see if you can figure it out, maybe share here some event that you find interesting/relevant.
Hi,
We have an existing TAC case for the same and executed the commands as you mentioned. But till now there is no resolution.
Any suggestion from your side would be helpful for us.
Is there anything that we can check on the endpoint system?