Fortinet Community

Shantilal1998 · ‎11-14-2022

Hi Guys,

I am using 2MFA in SSLVPN & using PKI-Card certificate for 2nd authentication method.

Please help me where to configure the CA certificate which should be used for authentication/checking the user certificate. Do i have to configure PKI user for that ??

Kindly also confirm, Self-signed Server certificate is mandatory for 2MFA to work or fortinet-factory default

certificate is fine ( SSLVPN-> Settings -> server certificate).

Thanks

kiri · ‎11-15-2022

Hi Shantilal1998,

If I understand correctly, you are after SSL VPN ldap/radius auth + certificate as 2fa.
You need to configure a pki user indeed, that's where you define the CA.

SSL VPN ldap auth:
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/115783/ssl-vpn-with-ldap-user-authentic...

PKI user:
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/776666/creating-a-pki-peer-user

Then you'll have to enable PKI as second factor on SSL vpn auth rules:

config vpn ssl settings
config authentication-rule
edit 12
set groups "PKI_USERS"
set portal "full-access"
set realm "pki"
set client-cert enable
set user-peer "user1"
next

config user peer
edit "user1"
set ca "fortiauth.local.root"
set ldap-server "LDAPS-bogusinc.local"
set ldap-mode principal-name
next

config user group
edit "PKI_USERS"
set member "LDAPS-bogusinc.local"
config match
edit 1
set server-name "LDAPS-bogusinc.local"
set group-name "CN=Users,CN=Builtin,DC=bogusinc,DC=local"
next

SSLVPN-> Settings -> server certificate - this better not be Fortinet_Factory.
Use a certificate issued by a CA you/your users can trust (private or public).

You can grab one for free from Let's Encrypt if you're running at least FOS 7.0:
https://docs.fortinet.com/document/fortigate/7.0.8/administration-guide/822087/acme-certificate-supp...

Please mark this as resolved if I answered your question.

Shantilal1998 · ‎11-15-2022

Hi,

Actually, It was working fine in version FortiOS 7.0.5 & facing issue after upgrading to 7.2.2.

PKI user & server certificate was not configured but users were able to connect. Why ??

kiri · ‎11-15-2022

So it's broken now after the upgrade.

Are you using FortiClient, free or licensed?

Can you try without FortiClient, over web ssl vpn, same issue?

Please run this debug, it will show what is happening:

diag debug reset
diagnose debug cons time en
diag debug application fnbamd -1
diagnose debug app sslvpn -1
dia vpn ssl debug-filter src-addr4 <PUBLICIPOFTESTCLIENT>
diagnose debug enable

Shantilal1998 · ‎11-16-2022

hi,

Forticlient is licensed & web based sslvpn is disabled.

kiri · ‎11-17-2022

See if you can enable web based sslvpn for a quick test. That would help to know if the issue is with the firewall or forticlient.

Otherwise, please run the debug and see if you can figure it out, maybe share here some event that you find interesting/relevant.

Shantilal1998 · ‎11-23-2022

Hi,

We have a existing TAC case for the same and executed the commands as you mentioned. But till now there is no resolution.

Any suggestion would be helpful for us from your side.

Is there anything that we can check on the endpoint system.

Fortinet Community

Where to define CA certificate authentication ?