I have been making no progress on this for weeks now. Using FortiClient
7.4.4 I am unable to successfully configure an IPsec IKEv2 remote VPN
connection using LDAP machine certificate (not a user certificate)
authentication. We have an internal Windo...
We currently have a dial-up SSL VPN configuration that requires a user
to connect using both their Windows AD (LDAP) credentials AND a local
computer certificate issued from our internal Windows CA. On top of
that, we use FortiToken with push notific...
We have a few new FortiAP's (running FAP 7.4.5) and managed by our
FortiGate (running FOS 7.4.8). I would like to allow our laptops to
automatically connect and authenticate to our Wi-Fi network using their
machine certificates. We have an internal W...
Since upgrading our EMS server to 7.2.5 and our clients to FC 7.2.5, the
clients Web Filter, Video Filter, Vulnerability, and System Events no
longer populate in EMS at all. These events don't update under the
Endpoint Views for the clients and there...
I cannot get this figured out. I’ve got a FortiGate running v7.2.9
(also tried with v7.2.8) and I’m trying to configure our SSL VPN to use
an external DHCP Server to assign our clients IP addresses. I followed
the instructions outlined here:
https:/...
@funkylicious, Thank you for all of your help. This does indeed appear to
be an issue with FortiClient v. 7.4.4. I installed FortiClient 7.4.3 and
was able to connect with the Machine certificate with no other changes.
Unfortunately, the reason I inst...
If I enable debug for fnbamd it doesn't seem to make a difference when
using the machine cert, as no fnbamd related lines show up in the
output; it fails before any fnbamd related items are checked.
I tried removing those settings:
config user peer
    edit "peer_VPN-Users"
        set ca "MyDomain-CA"
    next
end
With that configuration it still fails when using the machine cert, and it
now also fails when using a cert (as expected).
Yes, all certs involved are signed by the same CA. The machine cert
shows as trusted and indicates it also has the private key.
MyFortiGate # sh user ldap
config user ldap
    edit "My LDAP Server"
        set server "mydc.mydomain.local"
        set secondary-server "m...
Maybe it is too long? I'll try to include a shortened version of the IKE
debug below:
ike 0:My-IPsec-VPN:286: FCT EAP 2FA extension vendor ID received
ike V=root:0:My-IPsec-VPN:286: responder preparing SA_INIT msg
ike V=root:0:My-IPsec-VPN:286: create ...