VPNSSL: Two factor LDAP + Certificate

Author
gpinero
New Member
2020/05/29 04:16:51 (permalink)

VPNSSL: Two factor LDAP + Certificate

Is it possible to do this in VPNSSL? Client certificate plus LDAP username and password for authentication.
 
And a bit more complex: the client certificate matching its UPN with the LDAP username, so the client certificate is only valid for the user that is trying to authenticate through the VPN.
 
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-certificate-authentication
 
Thanks
 
#1
emnoc
Expert Member
Re: VPNSSL: Two factor LDAP + Certificate 2020/05/29 07:33:16 (permalink)
Yes, you could do that; the two are mutually linked, though. The certificate is validated by your auth-rule and the remote-auth LDAP in your case would look at the user+password.
 
You can even do cert+remote-auth+OTP if you want (example using Duo for the OTP):
 
http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html
 
Basically, the above eliminates FortiToken. So if you have an MFA platform like Duo you do NOT need to add to that by maintaining FortiToken.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#2
gpinero
New Member
Re: VPNSSL: Two factor LDAP + Certificate 2020/05/29 08:48:43 (permalink)
Hi, emnoc
 
I have PrivacyIDEA + TOTP working without issues for tunnel mode, but now
I'd like to achieve client cert + Active Directory auth (LDAP) 2-factor only for web mode.
 
In summary I have two scenarios:
 
1- One realm /corp using PrivacyIDEA with LDAP auth + TOTP, using RADIUS as auth server (PI).
 
2- Default realm / auth using cert + LDAP, but not working using this guide:
 
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-certificate-authentication 
 
As you said, with this guide I can check that the client cert is valid only for this user (UserPrincipalName), right?
 
What is the second factor applied here? LDAP user+password?
My problem is that a user with a valid certificate can log in to the SSLVPN portal with only the certificate; the login password is never prompted.
 
Thanks for your help.
Best regards.
#3
emnoc
Expert Member
Re: VPNSSL: Two factor LDAP + Certificate 2020/05/29 09:27:47 (permalink)
How is your auth-rule defined for each realm? I would also do the "diag debug sslvpn" and review the messages to see what errors there are, if any. If you do use peer or peergroups, that would also be good.
 
Can you dump the subject line of one of the user certificates so we can see the structure (just sanitize it)?
 
Ken Felix
 
#4
emnoc
Expert Member
Re: VPNSSL: Two factor LDAP + Certificate 2020/05/29 12:52:14 (permalink)
Okay, I tested in my env by exporting my user certificate and then building a "peer" using the information extracted from my user cert:
 
kenfelix@Socpuppets:~$ openssl x509 -in myuser-certs.cer -inform der -subject -noout
subject= /O=Socpuppets/CN=KenFelix
 
 
You can call up the CA and CN value, but that would be disastrous in a big org with hundreds of end-user certificates. The better approach would be to sign all user certificates off a unique CA chain and then use that in the peer:
 
config user peer
    edit "vpn_users_corp"
        set ca "CA_Cert_145"
        # that CA would be the one issuing your user certificates
    next
end
 
And in the auth-rules you use that in your validation:
 
config authentication-rule
    edit 16
        set source-interface "wan1"
        set source-address "all"
        set groups "vpnusers-trest"
        set portal "full-access"
        set realm "corpvpn"
        set client-cert enable
        set user-peer "vpn_users_corp"
    next
end
 
Here's a post I made about realms that shows how we set them up:
 
http://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html
 
 
I also have a hunch you could use the subjectAlternativeName value in the peer as well. You would have to play around with it. I never tried it, but I know it would work.
 
Example using the email AltName type, e.g.
 
     email:kfelix@example.com
 
and the peer:
 
config user peer
    edit "email-altName"
        set ca "CA_Cert_145"
        set cn "kfelix@example.com"
        set cn-type email
    next
end
 
Give that a try with a single user and then figure out how to do it corp-wide, but a separate chain for issuing user certs would be the best path IMHO. Then you only have to write one peer and match the certificate issued. If cert revocation is used, you can kill VPN access by signing a revocation.
 
We do that, but we do not use Windows MS-CA, so I'm not 100% sure of its limits with user cert issuance.
 
 
YMMV 
 
Ken Felix
 
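To make the matching described above concrete, here is an added example (not from this thread, Fortinet or the linked blog) that lists the identities a "user peer" could match on, namely subject CN, SAN email and SAN UPN, and checks the UPN against the LDAP account the user logged in with. It assumes the Python cryptography package; the certificate is self-signed and constructed inline purely for illustration.

```python
# Added example: extract subject CN, SAN email and SAN UPN from a user cert and
# compare the UPN with the LDAP-authenticated user.  Requires 'cryptography';
# the certificate below is self-signed and constructed here for illustration.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName


def _der_utf8(s: str) -> bytes:
    """DER-encode a short UTF8String (tag 0x0C, one length byte) for otherName."""
    raw = s.encode()
    assert len(raw) < 128, "short-form DER length only"
    return b"\x0c" + bytes([len(raw)]) + raw


def make_user_cert(cn: str, email: str, upn: str) -> x509.Certificate:
    """Constructed self-signed user cert carrying CN, SAN email and SAN UPN."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Socpuppets"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    san = x509.SubjectAlternativeName([x509.RFC822Name(email),
                                       x509.OtherName(UPN_OID, _der_utf8(upn))])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(san, critical=False)
            .sign(key, hashes.SHA256()))


def cert_identities(cert: x509.Certificate) -> dict:
    """Return the subject CN, SAN e-mail addresses and SAN UPNs of a cert."""
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    emails = san.get_values_for_type(x509.RFC822Name)
    # OtherName.value is raw DER: skip the UTF8String tag and length byte
    upns = [o.value[2:].decode() for o in san.get_values_for_type(x509.OtherName)
            if o.type_id == UPN_OID]
    return {"cn": cn, "emails": emails, "upns": upns}


def cert_matches_ldap_user(cert: x509.Certificate, ldap_upn: str) -> bool:
    """True only if the cert's UPN equals the UPN of the LDAP-authenticated user."""
    return ldap_upn.lower() in (u.lower() for u in cert_identities(cert)["upns"])
```

Run cert_identities() on an exported user certificate (x509.load_pem_x509_certificate) to see which of the three identities your CA actually populates before choosing the peer's cn / cn-type.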
#5
woodsy76
New Member
Re: VPNSSL: Two factor LDAP + Certificate 2020/07/29 02:15:34 (permalink)
@gpinero
Did you manage to get this working in your environment?
 
Thanks
 
 
#6
gpinero
New Member
Re: VPNSSL: Two factor LDAP + Certificate 2020/07/29 04:03:57 (permalink)
Hi, yes... you can check this post for 2FA using PI:
https://www.error509.com/2020/05/fortigate-2fa-con-freeradius-y-privacyidea/
 
About UPN, checking it in the user certificate is not possible with FortiGate, unless you manually enter all the users into FortiGate (as user peers, as emnoc said), which is not highly recommended if you're using LDAP.
 
 
#7
woodsy76
New Member
Re: VPNSSL: Two factor LDAP + Certificate 2020/07/29 04:16:01 (permalink)
@gpinero
Thanks for the information.
#8