(Computer) client certificate validation

Showing page 2 of 2
Author
emnoc
Expert Member
Re: (Computer) client certificate validation 2020/04/20 09:20:51 (permalink)
0
It's been a long time since I've done vpn client, but don't you have an authentication rule? You need one to set the peer-group.
 
e.g.

config user peer
    edit mygrupo1
        set ca CA_1
        set subject "ou=socpuppets,ou=socpuppets_vpn"
    next
end

and down in the sslvpn cfg:

config vpn ssl settings
    config authentication-rule
        edit 1
            set user-peer mygrupo1
        next
    end
end
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#21
Magion
Bronze Member
Re: (Computer) client certificate validation 2020/04/21 00:02:44 (permalink)
0
Authentication is done completely externally on our radius server, handling user/pass and 2fa. Radius returns whether authentication is successful.
 
config user radius
    edit "radius server"
        set server "radius.domain.com"
    next
end

config user group
    edit "VPN Users"
        set member "radius server"
    next
end

config firewall policy
    edit 1
        [...]
        set groups "VPN Users"
    next
end
 
post edited by Magion - 2020/04/21 00:05:14
#22
emnoc
Expert Member
Re: (Computer) client certificate validation 2020/04/21 07:40:11 (permalink)
0
We understand that part. In your ssl vpn cfg on the fortigate, do you have authentication rules? And can you define a peer-group that you want to verify the vpn-clients with?

If you defined a peer-group and set the "ca+subject string" like I demoed before, that would allow access for clients holding certs from the CA and with a string that you match on. I never used OU but I believe it should work. I can test later today on some other ipsec-vpn if I have the time.
 
Ken Felix
 
 

#23
Magion
Bronze Member
Re: (Computer) client certificate validation 2020/04/21 07:57:35 (permalink)
0
No separate authentication rule, just "set default-portal "VPN Users"".
 
I know I'm definitely missing some config to enable the client cert check :)
 
Ok. But if I create an authentication rule, and add a peergrp to it, do I still need to create all user accounts on the firewall and add these to the peergrp? Or is it possible to create a peer user for all?
 
Edit: what can I do with a peergrp? I cannot use it anywhere it seems? Not in firewall groups, not in authentication rules in sslvpn settings.
post edited by Magion - 2020/04/21 08:04:31
#24
emnoc
Expert Member
Re: (Computer) client certificate validation 2020/04/21 08:09:02 (permalink)
0
No, just create the peer group that checks the validation of the certificate and not the "user-auth". Just set some type of constraint. Since you mention any valid certificate, set it for your CA that issues the client certificates and test. You might want to run debug application sslvpn -1 to verify if you see issues, or collect the fc logs.
 
Ken Felix
 

#25
Magion
Bronze Member
Re: (Computer) client certificate validation 2020/04/21 13:54:31 (permalink)
0
TBH I'm having trouble finding the configuration options I need to configure as to what you tell me to do.
 
Is it maybe because we are still on a 6.0 firmware? Some of the commands that are used in the article I posted earlier are not yet available on this build.
#26
emnoc
Expert Member
Re: (Computer) client certificate validation 2020/04/21 19:18:12 (permalink) ☄ Helpfulby Magion 2020/04/21 23:59:30
5 (1)

Here's what I'm talking about in auth-rule:

config vpn ssl settings
    set reqclientcert enable
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_POOL_1"
    set port 8443
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set users "user1"
            set portal "full-access"
            set client-cert enable
            set user-peer "socpuppets"
        next
    end
end
 
The set user-peer is your CA, with or without the subject.
 
#27
emnoc
Expert Member
Re: (Computer) client certificate validation 2020/04/21 20:48:20 (permalink) ☄ Helpfulby Magion 2020/04/21 23:59:26
0
Hey, I just wanted to say I tested it by only using the CA and no cn or subject string, and it worked. What I did was use the web-access and firefox and called up an inferior certificate that did NOT match the "config user peer".

So if you are issuing certificates from a private CA, just 1) import the CA into the firewall, 2) sign all users with that CA, 3) set a "config user peer", and finally use that peer in the auth-rule.

It should work and lock down the sslvpn. If the client presents no certificate or a certificate that is not signed by the CA you defined, the ssl will reject that connection. You will see this on a "diag debug application sslvpnd -1"
 
e.g 
 
[23346:root:3b]rmt_web_auth_info_parser_common:470 no session id in auth info
[23346:root:3b]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103,
[23346:root:3b]User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
[23346:root:3b]rmt_logincheck_cb_handler:1189 user 'user1' has a matched local entry.
[23346:root:3b]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
[23346:root:3b]sslvpn_auth_check_usrgroup:2145 got user (1) group (0:0).
[23346:root:3b]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (1), realm ().
[23346:root:3b]sslvpn_validate_user_group_list:1690 checking rule 1 cipher.
[23346:root:3b]sslvpn_validate_user_group_list:1698 checking rule 1 realm.
[23346:root:3b]sslvpn_validate_user_group_list:1709 checking rule 1 source intf.
[23346:root:3b]sslvpn_validate_user_group_list:1730 checking rule 1 source address.
[23346:root:3b]sslvpn_validate_user_group_list:1845 rule 1 done, got user (1:1) group (0:0) peer group (0).
[23346:root:3b]sslvpn_validate_user_group_list:1963 got user (1:1), group (0:0) peer group (0).
[23346:root:3b]fam_cert_send_req:808 do certificate peer check first(2).
[23346:root:3b]doing certificate checking for 1 peer(s).
[23346:root:3b]sslvpn_update_user_group_list:1579 Remove user(s) which has set user-peer (1).
[23346:root:3b]sslvpn_update_user_group_list:1595 got user (0:0), group (0:0), peer group (0) after update.
[23346:root:3b]__auth_cert_cb:939 no valid user/group candidate found.
 
 

#28
Magion
Bronze Member
Re: (Computer) client certificate validation 2020/04/21 23:59:18 (permalink)
0
Unfortunately "set user-peer" is not available with firmware 6.0.5.
(edit: just checked, this command was added in 6.2.2)
 
Some time ago we decided not to upgrade (and to be honest right now I'm glad we didn't after seeing so many people complain about rdp/tcp disconnects with sslvpn), but I think we will have to reconsider if we want to fix the client certificate issue.
 
Thanks so far for all the help and info!
 
 
post edited by Magion - 2020/04/22 00:26:03
#29
emnoc
Expert Member
Re: (Computer) client certificate validation 2020/04/22 07:17:56 (permalink)
0
I'm really surprised it's not in 6.0.x. What I retested last night was done in 6.2.3 btw. So that cfg works if you want to lock down sslvpn with a client certificate that he/she selects within the fclient. We have contractors that are using Android FC users and this works very well btw.

I would look at upgrading. 6.2.x is pretty much stable and unless you're on some old stuff, you should upgrade. I'm holding out for a few 6.4.x maintenance releases to come out before we even tackle 6.4 in production.
 
Ken Felix
 
 

#30
boneyard
Gold Member
Re: (Computer) client certificate validation 2020/04/23 11:16:33 (permalink)
0
[edit] ignore all that if you read it
 
doesn't work as expected. the setup with putting remote auth server and user peer in one group allows for a certificate from another CA as long as your remote auth then passes.
 
in the end it seems like this simply isn't possible correctly against remote auth in 6.0. it seems to work if you use the right credentials and client certificate. but you are able to use combinations which shouldn't be possible.
post edited by boneyard - 2020/04/23 11:26:37
#31
emnoc
Expert Member
Re: (Computer) client certificate validation 2020/04/23 11:52:07 (permalink)
0
I don't follow you, but if you want to control the client-certificate that is accepted you need a peerid and set that in an authentication rule, and that works. I will write a post on my blog about that. This will lock down the ssl vpn client from presenting any certificate but one issued by your defined CA.
 
I just didn't realize this is only available in v6.2.x or higher.
 
 
Ken Felix

#32
boneyard
Gold Member
Re: (Computer) client certificate validation 2020/04/23 11:54:18 (permalink)
0
thanks Ken, i saw the way it will work in 6.2
 
i was still trying to get it to work in 6.0 to understand how things worked there. i thought i had a working solution and then found out i missed something.
 
so all good.
#33
Agent 1994
Silver Member
Re: (Computer) client certificate validation 2020/04/24 07:26:29 (permalink) ☄ Helpfulby Magion 2020/04/28 06:42:32
0
Magion,
 
 I did something like this in my lab. All the users are Active Directory users:
 
config user peer
    edit "peer1"
        set ca "home_lab"
        set subject ".hydra.local"
    next
end
 
In plain English, this is "certificate must belong to the home_lab CA and its subject must have .hydra.local". The latter is the FQDN matching trick I told you.
 
 Next I created a realm "portal1" and did this:
 
config user ldap
    edit "DC"
        set server "dc.home.lab"
        set cnid "userPrincipalName"
        set dn "dc=home,dc=lab"
        set type regular
        set username "HOME\\fortigateLDAP"
        set password [removed]
    next
end
 
config user group
    edit "vpn"
        set member "DC"
        config match
            edit 1
                set server-name "DC"
                set group-name "CN=VPN,OU=User Accounts,DC=home,DC=lab"
            next
        end
    next
end
 
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn"
            set portal "full-access"
            set realm "portal1"
            set client-cert enable
            set user-peer "peer1"
        next
    end
end
 
The tests were:
  • user + no certificate: fail
  • user + any user certificate from home_lab CA: fail
  • user + any computer certificate from home_lab CA: works
  • user (wrong credentials) + any computer certificate from home_lab CA: fail
  • user + any certificate from a CA other than home_lab: fail
 Hope this helps
 
Max
#34
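Boneyard's 6.0 finding (a user group mixing the remote auth server and a user peer accepts a certificate from another CA once credentials pass) and Max's lab matrix above describe the same decision from two sides. The following added Python model is not FortiOS code and not from any poster: it encodes both arrangements so the matrix can be replayed. peer1, home_lab and .hydra.local come from the thread; the account directory, the sample subject DNs and the any-member-passes semantics of the 6.0 mixed group are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ClientCert:
    issuer_ca: str   # label of the CA that signed the presented certificate
    subject: str     # subject DN as presented by the client

@dataclass
class UserPeer:
    ca: str                         # "set ca"
    subject: Optional[str] = None   # "set subject": substring required in the DN

    def matches(self, cert: Optional[ClientCert]) -> bool:
        if cert is None or cert.issuer_ca != self.ca:
            return False
        return self.subject is None or self.subject in cert.subject

PEER1 = UserPeer("home_lab", ".hydra.local")      # from the lab post
DIRECTORY = {"max": "correct-horse-battery"}      # constructed stand-in for LDAP

def remote_auth(user: str, password: str) -> bool:
    return DIRECTORY.get(user) == password

def auth_rule_62(user, password, cert, peer=PEER1) -> bool:
    """6.2 authentication-rule with client-cert enable + user-peer:
    credentials AND certificate constraint must both pass."""
    return remote_auth(user, password) and peer.matches(cert)

def mixed_group_60(user, password, cert, peer=PEER1) -> bool:
    """6.0 workaround tried in the thread: remote server and peer as members of
    one user group. Assumed semantics (boneyard's finding): any member passing
    is enough, so valid credentials accept a certificate from a foreign CA."""
    return remote_auth(user, password) or peer.matches(cert)

def lab_test_matrix(check=auth_rule_62) -> dict:
    """Replays the five lab cases from the thread against a given check."""
    pw = "correct-horse-battery"
    computer = ClientCert("home_lab", "CN=pc01.hydra.local")
    user_cert = ClientCert("home_lab", "CN=max")
    foreign = ClientCert("other_ca", "CN=pc01.hydra.local")
    return {
        "user + no certificate": check("max", pw, None),
        "user + user cert from home_lab": check("max", pw, user_cert),
        "user + computer cert from home_lab": check("max", pw, computer),
        "wrong credentials + computer cert": check("max", "wrong", computer),
        "user + cert from another CA": check("max", pw, foreign),
    }
```

Running lab_test_matrix(mixed_group_60) instead of the default shows the hole boneyard hit: the foreign-CA case flips to True because valid credentials alone satisfy the group.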
Magion
Bronze Member
Re: (Computer) client certificate validation 2020/04/28 06:46:41 (permalink)
0
Thank you for the example. Will keep this in mind...

mkolus wrote: set user-peer "peer1"

But as I found out, unfortunately set user-peer was added in 6.2.2 while we are still on 6.0.5. So I have to wait until I can safely upgrade.

#35
Tiago Aquino
New Member
Re: (Computer) client certificate validation 2021/04/13 13:03:06 (permalink)
0
emnoc wrote: The set user-peer is your CA with or without the subject

That was the catch for me... I was facing the same problem with ldap.. Thank you so much for replying to this post..
 
Now it's working:
config user peer
    edit "VPNSSL_USER_PEER"
        set ca "G_CA_Cert_1"
    next
end

config user group
    edit "VPNSSL_USER_GROUP"
        set member "ldap_server"
        config match
            edit 1
                set server-name "ldap_server"
                set group-name "cn=some_group,ou=vpn,ou=app,ou=grp,ou=acc,O=org,C=cc"
            next
        end
    next
end
config vpn ssl settings
    set servercert "cert"
    set source-interface "wan1"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "VPNSSL_USER_GROUP"
            set portal "full-access"
            set client-cert enable
            set user-peer "VPNSSL_USER_PEER"
        next
    end
end
How come the only place I found the answer is a forum? We should have a KB about it..
 
 
#36
garyhope
New Member
Re: (Computer) client certificate validation 2021/09/13 04:06:08 (permalink)
0
I have the same issue with the VPN and want to be able to use Computer certs (before login) as well as user certs. The config I currently have only works for user certs:
 
config user peer
    edit "user1"
        set ca "csf_CA_Cert_1"
        set ldap-server "testLDAP"
        set ldap-mode principal-name
    next
end

config user group
    edit "sslvpn-group"
        set member "testLDAP" "user1"
        config match
            edit 1
                set server-name "testLDAP"
                set group-name "CN=sslvpn-1,OU=Groups,OU=test,DC=test,DC=local"
            next
            edit 2
                set server-name "testLDAP"
                set group-name "CN=sslvpn-nc,OU=Groups,OU=test,DC=test,DC=local"
            next
        end
    next
end

config vpn ssl settings
    set reqclientcert enable
    set servercert "Web"
    set default-portal "Portal"
    config authentication-rule
        edit 1
            set groups "sslvpn-group"
            set portal "Portal"
        next
    end
end
 
However if I change it to:

config user peer
    edit "user1"
        set ca "csf_CA_Cert_1"
    next
end

config user group
    edit "sslvpn-group"
        set member "test-LDAP"
        config match
            edit 1
                set server-name "test-LDAP"
                set group-name "CN=sslvpn-1,OU=Groups,OU=test,DC=test,DC=local"
            next
            edit 2
                set server-name "test-LDAP"
                set group-name "CN=sslvpn-nc,OU=Groups,OU=test,DC=test,DC=local"
            next
        end
    next
end

config vpn ssl settings
    set servercert "WebCert"
    set default-portal "Portal"
    config authentication-rule
        edit 1
            set groups "sslvpn-group"
            set portal "Portal"
            set client-cert enable
            set user-peer "user1"
        next
    end
end
 
It does not work for either user or computer certs. Could someone please advise?
 
many thanks
 
#37