- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- VPNSSL: Two factor LDAP + Certificate
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPNSSL: Two factor LDAP + Certificate
Is possible to do it in VPNSSL? Client certificate plus LDAP username and password for authentication.
And a bit more complex, Cliente certificate match UPN with LDAP username. Cliente certificate is only valid for the user that is trying to authenticate throught VPN.
Thanks
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, yes... you can check this post for 2FA using PI
https://www.error509.com/2020/05/fortigate-2fa-con-freeradius-y-privacyidea/
About UPN and check thin in user certificate is not possible with Fortigate, unless you manually enter all the users into Fortigate (as user peer how enmoc said) , which is not highly recommended if you're using LDAP.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you could do that, the two are mutually linked tho. The certificate is validated by your auth-rule and the remote-auth LDAP in your case would look at the user+password.
You can even do cert+remote-auth+otp if you want ( example using duo for the otp )
http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html
Basically that above eliminates fortitoken. So if you have a mfa platform like DUO you do NOT need to add additional by maintaining fortitoken,
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi , enmoc
I have PrivacyIDEA +TOTP working without issues for tunnel mode but now I'd like to achieve client cert + active directory auth (LDAP) 2 factor only for Web mode. In summary I have two scenarios: 1- One realm /corp using PrivacyIDEA with LDAP auth + TOTP. Using Radius as auth server (PI) 2- Default realm / auth using cert + LDAP but not working using this guide https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-cert... As you said, with this guide I can check that client cert is valid only for this user (UserPrincipalName) right? What is the second factor applied here? LDAP user+password? My problem is that user with valid certificate can login to SSLVPN portal only with certificate, login password is never prompted. Thanks for you help. Best regards.Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How is your auth-rule define per each realm? I would also do the "diag debug sslvpn" and review the messages to see what and if any errors. If you do use peer or peergroups that would also being good
Can you dump the subject line of one the user-certificates so we can see the structure ( just sanitize it )
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay I tested my env by exporting my user certificate and then building a "peer" using that information extracted from my user-cert
kenfelix@Socpuppets:~$ openssl x509 -in myuser-certs.cer -inform der -subject -noout subject= /O=Socpuppets/CN=KenFelix
You can call up the CA and CN value but that would be disastrous in a big org with hundreds of end-user certificates. The better approach would be to sign all user-certificate off a unique ca-chain and then use that in the peer
config user peer edit "vpn_users_corp" set ca "CA_Cert_145"
# that ca would be the one issuing on user-certificates next
end
And in the auth-rules you use that in you validation
config authentication-rule edit 16 set source-interface "wan1" set source-address "all" set groups "vpnusers-trest" set portal "full-access"
set realm "corpvpn" set client-cert enable set user-peer "vpn_users_corp" next
Here's a post i made about realm that shows how we set realms
http://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html
I also have a hunch you could also use the subLaternative name value in the peer also. You would have to playaround with it. I never tried but I know it would work.
/* example by using the email ALtName type
e.g
email:kfelix@example.com
and the peer
config user peer edit "email-altName" set ca "CA_Cert_145" set cn "kfelix@example.com" set cn-type email next end
Give that a try with a single user and then figure out how to do it corp wide , but a separate chain for issuing user certs would be the best path imho. Than you only have to write one peer and match certificate issued. If cert-revocation is used,you can kill vpn access by signing a revocation.
We do that but we do not use windows MS-CA so I'm no 100% sure of it limits with user cert issuances.
YMMV
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gpinero
Did you manage to get this working in your environment?
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, yes... you can check this post for 2FA using PI
https://www.error509.com/2020/05/fortigate-2fa-con-freeradius-y-privacyidea/
About UPN and check thin in user certificate is not possible with Fortigate, unless you manually enter all the users into Fortigate (as user peer how enmoc said) , which is not highly recommended if you're using LDAP.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gponero
Thanks for the information.
Related Posts
- Android phone forticlient vpn issue 560 Views
- PKI user - require specific Application... 268 Views
- After SSL-VPN Webmode authentication, https bookmark... 812 Views
- SSL VPN speed is very poor 431 Views
- convert certicate from .P12 to .PEM 709 Views
Labels
-
FortiGate
6,451 -
FortiClient
1,288 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.