RADIUS integrated certificate authentication for SSL VPN
Secure connections to SSL VPNs can be established using certificate-based authentication. Access can be granted to the user by using the content inside the Subject Alternative Name (SAN) of the user certificate to authenticate to the RADIUS server. An extra layer of security is added by ensuring that only users with valid certificates can access the VPN.
Certificate-based authentication with RADIUS can use any of the following Subject Alternative Name entries of the user (peer) certificate as the unique identifier sent to the RADIUS server: the User Principal Name (UPN, carried as an otherName), the RFC 822 Name (typically the corporate email address), or the DNS Name.
    config user radius
        edit <name>
            set account-key-processing {same | strip}
            set account-key-cert-field {othername | rfc822name | dnsname}
        next
    end
account-key-processing {same | strip}
    Account key processing operation. With same, the FortiGate keeps the subject identity exactly as it appears in the certificate, including the domain part; with strip, it removes the domain part before the identity is used as the RADIUS user name.

account-key-cert-field {othername | rfc822name | dnsname}
    The subject identity field in the certificate used for the user access-right check: othername (the UPN), rfc822name (the RFC 822 Name), or dnsname (the DNS Name).
The RADIUS server is then referenced from the user peer configuration when the PKI user is configured:
    config user peer
        edit <name>
            set ca <string>
            set subject <string>
            set cn <string>
            set mfa-mode subject-identity
            set mfa-server <string>
        next
    end
When a user authenticates to the FortiGate over SSL VPN, the user presents a certificate signed by a CA that the FortiGate trusts. See CA certificate for information about importing a CA certificate into the FortiGate trusted CA store. The FortiGate processes the certificate for authentication in the following sequence:
- The FortiGate checks whether the certificate is issued by a trusted CA. If the CA is not a public CA, the CA certificate must be uploaded to the FortiGate's trusted CA store and referenced in the user peer configuration (set ca <string>).
- The FortiGate verifies that the CN field of the certificate matches the CN specified in the user peer configuration (set cn <string>).
- If the user peer configuration has mfa-mode set to subject-identity and mfa-server is configured, the FortiGate uses the unique identifier in the certificate's SAN extension to authenticate against the RADIUS server:
  - If account-key-cert-field is set to othername (the default), the FortiGate uses the UPN in the certificate's SAN field.
  - If account-key-cert-field is set to rfc822name, the FortiGate uses the RFC 822 Name in the certificate's SAN field.
  - If account-key-cert-field is set to dnsname, the FortiGate uses the DNS Name in the certificate's SAN field.
  In each case, account-key-processing decides whether the domain part of that identity is kept (same) or removed (strip) before it is sent to the RADIUS server as the user name.
Some RADIUS servers do not require a password in an Access-Request, while others need a valid password before they return an Access-Accept. If your RADIUS server requires a valid password to return an Access-Accept, you can configure an MFA password for each peer user using the
When you configure a user MFA password in a user peer, you need a separate user peer configuration on the FortiGate for each user with
Example
In this example, a user certificate is issued to a user by the customer's CA. The certificate is used to authenticate the user to the SSL VPN web portal. The administrator uses the RFC 822 Name in the SAN field to authenticate against the corporate RADIUS server, where the Active Directory mail attribute is checked against the RFC 822 Name.
The configuration used in this example assumes the following:
- The CA certificate has already been uploaded to the FortiGate.
- SSL VPN has already been configured, pending the assignment of the PKI user group.
To configure the authentication settings:
- Configure the RADIUS server:
    config user radius
        edit "NPS-MFA"
            set server "172.18.60.214"
            set secret XXXXXXXXXX
            set auth-type pap
            set password-encoding ISO-8859-1
            set account-key-processing strip
            set account-key-cert-field rfc822name
        next
    end
- Configure the local peer user:
    config user peer
        edit "peer2"
            set ca "CA_Cert_1"
            set subject "L = Burnaby"
            set cn "test2"
            set mfa-mode subject-identity
            set mfa-server "NPS-MFA"
        next
    end
- Configure the firewall user group for SSL VPN authentication:
    config user group
        edit "sslvpn-mfa"
            set member "peer2"
        next
    end
- Apply the user group to the SSL VPN configuration and firewall policy.
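The certificate checks described earlier on this page and the peer2 / NPS-MFA configuration above, modelled in Python as an added example. This is not FortiOS code and does not parse a real certificate: the certificate, its SAN entries, the peer settings and the RADIUS settings are constructed test data. Two details are assumptions, because the page does not state them: the UPN otherName is identified by the Microsoft OID 1.3.6.1.4.1.311.20.2.3, and strip on a DNS name keeps only the first label.

```python
"""Model of the FortiGate peer-certificate checks described on this page.

Added example, not FortiOS code. It models: (1) the trusted-CA and CN checks
of the user peer, (2) selection of the subject identity by
account-key-cert-field, (3) account-key-processing same/strip, and (4) the
attributes the resulting RADIUS Access-Request would carry.
"""

# Microsoft UPN otherName type-id (well known; the page itself does not name it).
UPN_OID = "1.3.6.1.4.1.311.20.2.3"


def decode_utf8string(der: bytes) -> str:
    """Decode a DER UTF8String (tag 0x0C), the encoding of the UPN otherName value."""
    if len(der) < 2 or der[0] != 0x0C:
        raise ValueError("not a DER UTF8String")
    length, offset = der[1], 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    body = der[offset:offset + length]
    if len(body) != length:
        raise ValueError("truncated UTF8String")
    return body.decode("utf-8")


def subject_identity(san, cert_field):
    """Return the SAN value selected by account-key-cert-field, or None if absent."""
    for kind, value in san:
        if kind != cert_field:
            continue
        if kind == "othername":
            oid, der = value
            if oid != UPN_OID:              # only the UPN otherName carries a user identity
                continue
            return decode_utf8string(der)
        return value
    return None


def account_key(san, cert_field="othername", processing="same"):
    """Apply account-key-processing to the selected identity."""
    ident = subject_identity(san, cert_field)
    if ident is None:
        return None
    if processing == "same":
        return ident
    if processing == "strip":
        # UPN and rfc822Name: drop everything from "@". dnsName: keep the first
        # label (assumption: the page does not say how a DNS name is stripped).
        sep = "@" if cert_field in ("othername", "rfc822name") else "."
        return ident.split(sep, 1)[0]
    raise ValueError(f"unknown account-key-processing {processing!r}")


def check_peer(cert, peer, radius, mfa_password=None):
    """Walk the checks in the order the page lists them.

    Returns ("reject", reason), ("accept-local", None) when no RADIUS step is
    configured, or ("radius", attributes) with the Access-Request attributes.
    User-Password is only included when an MFA password is supplied, since the
    page notes that only some servers require one.
    """
    if cert["issuer"] != peer["ca"]:
        return ("reject", "certificate not issued by the peer's trusted CA")
    if peer.get("cn") and cert["cn"] != peer["cn"]:
        return ("reject", "CN does not match the user peer")
    if peer.get("mfa-mode") != "subject-identity" or not peer.get("mfa-server"):
        return ("accept-local", None)
    key = account_key(cert["san"], radius["account-key-cert-field"],
                      radius["account-key-processing"])
    if key is None:
        return ("reject", f"certificate has no {radius['account-key-cert-field']} SAN entry")
    attrs = {"User-Name": key}
    if mfa_password is not None:
        attrs["User-Password"] = mfa_password
    return ("radius", attrs)


# Constructed test data mirroring the example: peer "peer2" and RADIUS "NPS-MFA".
SAMPLE_CERT = {
    "issuer": "CA_Cert_1",
    "cn": "test2",
    "san": [
        ("othername", (UPN_OID, b"\x0c\x16test2@corp.example.com")),  # DER UTF8String, 22 bytes
        ("rfc822name", "test2@corp.example.com"),
        ("dnsname", "test2.corp.example.com"),
    ],
}
PEER2 = {"ca": "CA_Cert_1", "cn": "test2",
         "mfa-mode": "subject-identity", "mfa-server": "NPS-MFA"}
NPS_MFA = {"account-key-processing": "strip", "account-key-cert-field": "rfc822name"}

if __name__ == "__main__":
    print(check_peer(SAMPLE_CERT, PEER2, NPS_MFA))
    # → ('radius', {'User-Name': 'test2'})
```

With account-key-processing strip, the user name sent to NPS-MFA is test2 rather than test2@corp.example.com. Before going live, confirm which form the attribute your RADIUS server matches on actually holds; a server comparing against the full Active Directory mail attribute needs same, while a server matching on the account name needs strip.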
To verify the configuration:
When a user authenticates to web mode SSL VPN from a browser, the FortiOS fnbamd daemon first validates the certificate the user supplies (issuing CA and CN against the user peer). If that check succeeds, the identity taken from the SAN field of the user certificate is sent to the RADIUS server to find a matching user record. To watch both steps, enable fnbamd debugging (diagnose debug application fnbamd -1, then diagnose debug enable) while the user signs in, and turn it off afterwards with diagnose debug disable. See SSL VPN web mode for information about configuring web mode SSL VPN.