- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL-VPN + client-side certificates
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL-VPN + client-side certificates
Hi,
I've spent two days trying to figure out how to get SSL-VPN working with client-side certificates, but I keep running into trouble. Basically, I can log in with one user, but I can never get it to work properly for multiple users. My setup:
- Running 6.0.3 (and now 6.0.4) on a 60E
- Created CA, used this to sign a server certificate "TestCert". The CA is imported as external CA, the TestCert as certificate in the FortiGate.
- Created group 'vpnclients' with associated allow all policy for ssl tunnel adapter on the group.
- Created users rdiaz, test, both with two-factor password 'test' and validated by the previously imported CA
Preferably, I'd like to use a single client certificate. But if I use one client certificate for both users, only one can log in successfully. Debug log when logging in as test:
[548:root:b]sslvpn_validate_user_group_list:1702 got user (0), group (0:1). [548:root:b]doing authentication for 1 group(s). [548:root:b]fam_cert_proc_resp:1213 match rule (1), user (rdiaz:vpnusers) portal (full-access). [548:root:b]__auth_cert_cb:691 certificate check OK. [548:root:b]sslvpn_authenticate_user:167 authenticate user: [test] [548:root:b]sslvpn_authenticate_user:174 create fam state [548:root:b]fam_auth_send_req:575 with server blacklist: [548:root:b]fam_auth_send_req_internal:453 fnbam_auth return: 1 [548:root:b]fam_auth_send_req:695 task finished with 1 [548:root:b]login_failed:260 user[test],auth_type=1 failed [sslvpn_login_permission_denied] [548:root:b]SSL state:warning close notify (192.168.1.110) [548:root:b]sslConnGotoNextState:298 error (last state: 1, closeOp: 0)
Note the third line! Match rule user (rdiaz:vpnusers) This seems odd, as the user logging in is user test. Is this because the certificate was pinned to user rdiaz after first use?
Either way, I then tried to make a second client certificate, but I cannot get the second user (test) to log in with this new certificate either. In the FortiGate debug log (command: diagnose debug application sslvpn -1) I see the following:
[549:root:c]sslvpn_validate_user_group_list:1702 got user (0), group (0:1). [549:root:c]doing authentication for 1 group(s). [549:root:c]__auth_cert_cb:710 certificate check failed. Recheck without peer user matching. [549:root:c]doing certificate checking. [549:root:c]SSL state:warning close notify (192.168.1.110) [549:root:c]sslConnGotoNextState:298 error (last state: 1, closeOp: 0) [549:root:c]Destroy sconn 0x55d36800, connSize=0. (root)
The certificate used is definitely signed by the same CA, user test is member of vpnusers, and user test is set to be validated using the same CA cert in 'pki users'.
Any idea what could be the issue? I'm at a loss..
Cheers,
Wouter
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Monochrome,
I had the same problem, the certificat client sould used by peer user pki, PKI user rdiaz account contains the information required to determine which CA certificate to use to validate the user's certificate rdiaz, when you add this user rdiaz to the group VPN "vpnclients", then you try to use ssl vpn with certificate authentication, but this method requires users to authenticate using a single certificate, each user should have one ceritifcat oki, you can do in CLI "get vpn ssl monitor" and you will find :
SSL VPN Login Users:
Index User Auth Type Timeout From HTTP in/out HTTPS in/out
0 pki01,cn=rdiaz 1(1) 229 10.1.100.254 0/0 0/0
So if you want to user a unique certificat for all, you can add LDAP as server authentification and create a CA, and server certificat, and client certifcat. you find below the steps:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD40028
And after that you should do that :
- in the fortigate add the certificat CA and certifcat server.
- in the client laptop add the certificat CA in the certificate store "authority of certificate root trusted" in each laptop, and the certificate client in the certificate store "personnel".
and add in the group "vpnclients" a remote LDAP server, and it will working.
Regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[edit] nevermind on some conclusions.
anyway do check the topic below and 6.2 makes it easier.
*) https://forum.fortinet.com/tm.aspx?m=184812
6.2 does this better: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47120
Related Posts
- Forticlient 7.2.4 trying to use certificates... 9100 Views
- Limit Certificates Presented for use with... 475 Views
- Using a local machine certificate for... 1005 Views
- FortiClient Mac OS X 7.0 problem... 10886 Views
- FortiClient - SSLVPN problem with client... 2652 Views
Labels
-
FortiGate
6,451 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.