Author: Y.Spirin
2017/08/11 00:50:01 5.4

SSL VPN certificate AND username/password authentication

Hi!
I'm setting up SSL VPN on FortiGate as described here: http://cookbook.fortinet.com/ssl-vpn-using-ldap-integrated-certificates/. It works, but users can connect using just a certificate. To add username/password authentication I've changed the VPN user group by removing the remote LDAP server and adding a remote RADIUS server. RADIUS (MS NPS) verifies the username/password with MS-CHAP-v2 against AD, so now it looks like we have certificate + username/password authentication. But here is the situation: User A can use their own username/password with User B's certificate and still get successfully authenticated, because the certificate is only checked for validity and trust (issued by the same CA).

So is it possible to set up SSL VPN with certificate + username/password authentication AND strict checking that the certificate CN/UPN matches the username given by the user?
 
Thanks for any clues.
#1
yesh
Re: SSL VPN certificate AND username/password authentication 2017/09/26 00:33:51
Hi,
How did you achieve this?
I have a very similar setup, but it connects with the client certificate when no username/password is given. I have added RADIUS as the remote auth server, but it still does not go to user authentication at all.
 
Thanks
Yesh
#2
Y.Spirin
Re: SSL VPN certificate AND username/password authentication 2017/09/26 08:05:47
Hi!

Here's the relevant part of the config. We set up a RADIUS server, an LDAP server, a peer user and finally the user group, which combines certificate authentication via LDAP with RADIUS username/password authentication.
-------------------------------------
config user radius
  edit "DCSRV.RADIUS"
    set server "10.1.1.1"
    set secret ENC ****
    set auth-type ms_chap_v2
  next
end

config user ldap
  edit "DCSRV.ldap"
    set server "10.1.1.1"
    set cnid "userPrincipalName"
    set dn "dc=company,dc=local"
    set type regular
    set username "fortigate_ldap"
    set password ENC ****
    set secure ldaps
    set ca-cert "CA_Cert_1"
    set port 636
  next
end

config user peer
  edit "LDAP.certificate.check"
    set ca "CA_Cert_1"
    set ldap-server "DCSRV.ldap"
    set ldap-mode principal-name
  next
end

# "LDAP.certificate.check" is the peer user defined above.
# "SSL_VPN_Admins" is the group name returned by NPS; see below.
config user group
  edit "G.VPN.Admins"
    set member "DCSRV.RADIUS" "LDAP.certificate.check"
    config match
      edit 1
        set server-name "DCSRV.RADIUS"
        set group-name "SSL_VPN_Admins"
      next
    end
  next
end
-------------------------------------
My RADIUS server is Microsoft NPS. Check this article for NPS setup guidance: http://cookbook.fortinet.com/ssl-vpn-radius-authentication/. So what happens when a VPN user tries to authenticate? First, the FortiGate checks that the certificate presented by the user is trusted (issued by the root CA identified by the CA_Cert_1 certificate). Then the user's name and password are passed to NPS, which checks through its Network Policies whether these credentials belong to the specific AD group. If they do, NPS answers the FortiGate with a permit and sends the group name string that is set up in the policy's custom attribute. The FortiGate checks whether this group name equals the string in the "set group-name" config. If it matches, the FortiGate successfully authenticates the user.
 
Feel free to ask questions about this config. I'll be glad to help.
 
Regards,
Yuri
#3
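As an added illustration of the group-name step described in the post above (example code written for this page, not Yuri's configuration and not Fortinet code), the script below builds a constructed RADIUS Access-Accept, verifies its Response Authenticator against the shared secret (RFC 2865, section 3) before trusting anything in it, extracts the vendor-specific group attribute, and applies the same decision as the "config match" entry: pass only when the returned group name equals the configured SSL_VPN_Admins. Assumptions, labelled in the code: the NPS "custom attribute" is the Fortinet-Group-Name vendor-specific attribute (vendor ID 12356, vendor type 1) from Fortinet's RADIUS dictionary, which the post itself does not name; the shared secret, request authenticator and all packet bytes are constructed inline rather than captured from a real NPS.

```python
"""Apply a FortiGate-style RADIUS group-name match to an Access-Accept.

Added example for this page; not Yuri's config and not Fortinet code.
Assumptions (labelled): the NPS "custom attribute" is the Fortinet-Group-Name
vendor-specific attribute (vendor ID 12356, vendor type 1); all packet bytes,
the shared secret and the request authenticator are constructed here.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356   # assumption: Fortinet's enterprise number
FORTINET_GROUP_NAME = 1      # assumption: VSA type of Fortinet-Group-Name


def fortinet_group_vsa(group: str) -> bytes:
    """Encode one Fortinet-Group-Name VSA in the RFC 2865 s5.26 layout."""
    value = group.encode()
    vendor_data = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + vendor_data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Build a reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data: bytes):
    """Yield (type, value); for VSAs value is (vendor_id, vendor_type, vendor_value)."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("VSA without vendor id")
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated VSA header")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("malformed VSA length")
                yield atype, (vendor_id, vtype, value[j + 2:j + vlen])
                j += vlen
        else:
            yield atype, value
        i += alen


def fortinet_groups(reply: bytes, request_auth: bytes, secret: bytes) -> list:
    """Check the Response Authenticator first; then list Fortinet-Group-Name values.

    Returns [] for any code other than Access-Accept. Raises ValueError when the
    reply was not produced with our shared secret (spoofed or corrupted reply).
    """
    if len(reply) < 20:
        raise ValueError("reply shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("length field does not match packet size")
    resp_auth, attrs = reply[4:20], reply[20:]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: reply not from the RADIUS server")
    if code != ACCESS_ACCEPT:
        return []
    return [v[2].decode() for t, v in parse_attrs(attrs)
            if t == ATTR_VENDOR_SPECIFIC
            and v[0] == FORTINET_VENDOR_ID and v[1] == FORTINET_GROUP_NAME]


def group_matches(reply: bytes, request_auth: bytes, secret: bytes, configured_group: str) -> bool:
    """The 'config match' decision: pass only if the server returned the configured group name."""
    return configured_group in fortinet_groups(reply, request_auth, secret)


# Constructed sample traffic (not captured from NPS). A real client draws 16 random bytes.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCEPT_ADMIN = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, fortinet_group_vsa("SSL_VPN_Admins"), SECRET)
ACCEPT_USERS = build_reply(ACCESS_ACCEPT, 8, REQUEST_AUTH, fortinet_group_vsa("SSL_VPN_Users"), SECRET)
REJECT = build_reply(ACCESS_REJECT, 9, REQUEST_AUTH, b"", SECRET)
FORGED = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, fortinet_group_vsa("SSL_VPN_Admins"), b"wrong-secret")

if __name__ == "__main__":
    for name, pkt in [("accept/admins", ACCEPT_ADMIN), ("accept/users", ACCEPT_USERS), ("reject", REJECT)]:
        print(name, "->", group_matches(pkt, REQUEST_AUTH, SECRET, "SSL_VPN_Admins"))
    try:
        group_matches(FORGED, REQUEST_AUTH, SECRET, "SSL_VPN_Admins")
    except ValueError as exc:
        print("forged ->", exc)
```

Two behaviours are worth noting. An Access-Accept that carries a different group name (SSL_VPN_Users) fails the match even though the credentials were accepted, which is exactly what the "set group-name" line buys you over a bare RADIUS accept. And a reply built with the wrong shared secret is rejected on the authenticator check before its attributes are read, so an Access-Accept injected on the path between the FortiGate and NPS is not honoured.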
yesh
Re: SSL VPN certificate AND username/password authentication 2017/09/26 14:52:28
Thanks for sharing the details. 
#4
sotir1984
Re: SSL VPN certificate AND username/password authentication 2021/09/09 05:01:42
Hi,
 
Have you achieved the same but using device certificates rather than user certificates?
 
Kind regards,
 
Sotir
#5
© 2021 APG vNext Commercial Version 5.5