
Administration Guide

RADIUS integrated certificate authentication for SSL VPN

Secure connections to SSL VPNs can be established using certificate-based authentication. After the FortiGate validates the user certificate, it takes an identifier from the certificate (a value in the Subject Alternative Name (SAN) extension, or the subject CN) and uses it to authenticate the user against a RADIUS server. This adds a layer of security: a user needs both a valid certificate from the trusted CA and a matching account on the RADIUS server to access the VPN.

Certificate-based authentication with RADIUS can use any of the following values from the user certificate as the unique identifier for a peer user: the UserPrincipalName (UPN) in the SAN extension, the RFC822 Name (corporate email address) in the SAN extension, the DNS name in the SAN extension, or the Subject Common Name (CN).

config user radius
    edit <name>
        set account-key-processing {same | strip}
        set account-key-cert-field {othername | rfc822name | dnsname | cn}
    next
end

account-key-processing {same | strip}

Account key processing operation. Controls whether the FortiGate sends the whole subject identity to the RADIUS server or strips the domain part from it first.

  • same: Same as subject identity field (default).

  • strip: Strip domain string from subject identity field.

account-key-cert-field {othername | rfc822name | dnsname | cn}

Define the subject identity field in the certificate that is sent to the RADIUS server to check the user's access rights.

  • othername: match to UPN in SAN (default).

  • rfc822name: match to RFC822 email address in SAN.

  • dnsname: match to DNS name in SAN.

  • cn: match to CN in subject.

The RADIUS server is referenced from the user peer configuration (the PKI user) through mfa-server; the account-key-processing and account-key-cert-field settings of that RADIUS server then apply when the peer user authenticates.

config user peer
    edit <name>
        set ca <string>
        set subject <string>
        set cn <string>
        set mfa-mode subject-identity
        set mfa-server <string>
    next
end

When a user authenticates to the FortiGate over SSL VPN, the user presents a user certificate signed by a CA that the FortiGate trusts. See CA certificate for more information about importing a CA certificate into the FortiGate trusted CA store. The following sequence of events occurs as the FortiGate processes the certificate for authentication:

  1. The FortiGate checks whether the certificate is issued by a trusted CA. If the CA is not a public CA, the CA certificate must first be uploaded to the FortiGate and referenced in the user peer configuration (set ca <string>).

  2. The FortiGate verifies that the CN in the certificate's subject matches the CN specified in the user peer configuration (set cn <string>) and, if set subject <string> is also configured, that the certificate's subject matches that string.

  3. If the user peer configuration has mfa-mode set to subject-identity and the mfa-server is configured, then the FortiGate uses a unique identifier in the certificate to authenticate against the RADIUS server.

    • If account-key-cert-field is set to othername (the default setting), then the FortiGate uses the UPN in the certificate's SAN field to authenticate against RADIUS.

    • If account-key-cert-field is set to rfc822name, then the FortiGate uses the RFC822 Name in the certificate's SAN field to authenticate against RADIUS.

    • If account-key-cert-field is set to dnsname, then the FortiGate uses the DNS name in the certificate's SAN field to authenticate against RADIUS.

    • If account-key-cert-field is set to cn, then the FortiGate uses the CN in the certificate's subject to authenticate against RADIUS.
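The following Python script is an added example and is not part of this guide or of FortiOS. It shows, for a constructed SAN extension and subject (no real certificate is used), which string each combination of account-key-cert-field and account-key-processing yields as the user name that is sent to RADIUS. The DER helpers and the UPN otherName type-id (OID 1.3.6.1.4.1.311.20.2.3) follow the X.509 and Microsoft definitions; the exact strip rule for names that contain no "@" is an assumption, since this page only says that the domain string is stripped.

```python
# Added example: which string a client certificate yields as the RADIUS user name
# for each account-key-cert-field / account-key-processing setting. Stdlib only;
# the SAN and subject are constructed below, not read from a real certificate.
from typing import Dict, List, Optional, Tuple

OID_UPN = "1.3.6.1.4.1.311.20.2.3"  # Microsoft UPN otherName type-id
OID_CN = "2.5.4.3"                  # X.520 commonName

def tlv(tag: int, body: bytes) -> bytes:
    """One DER element; lengths in this example stay below 256 bytes."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = more bytes follow
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def iter_tlv(data: bytes):
    """Yield (tag, body) for the consecutive DER elements in data."""
    i = 0
    while i < len(data):
        tag, ln = data[i], data[i + 1]
        i += 2
        if ln & 0x80:                             # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + ln]
        i += ln

def build_san(upn: str, email: str, dns: str) -> bytes:
    """GeneralNames: otherName(UPN, [0] EXPLICIT UTF8String), rfc822Name, dNSName."""
    other = tlv(0xA0, encode_oid(OID_UPN) + tlv(0xA0, tlv(0x0C, upn.encode())))
    return tlv(0x30, other + tlv(0x81, email.encode()) + tlv(0x82, dns.encode()))

def build_subject(attrs: List[Tuple[str, str]]) -> bytes:
    # X.501 Name: SEQUENCE of single-attribute RDN SETs
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, encode_oid(o) + tlv(0x0C, v.encode()))) for o, v in attrs))

def parse_san(san: bytes) -> Dict[str, str]:
    """Map account-key-cert-field values to the matching SAN entry."""
    names: Dict[str, str] = {}
    _, general_names = next(iter_tlv(san))
    for tag, body in iter_tlv(general_names):
        if tag == 0xA0:                           # otherName: type-id OID + [0] value
            (_, oid), (_, value) = list(iter_tlv(body))
            if decode_oid(oid) == OID_UPN:
                names["othername"] = next(iter_tlv(value))[1].decode()
        elif tag == 0x81:
            names["rfc822name"] = body.decode()
        elif tag == 0x82:
            names["dnsname"] = body.decode()
    return names

def parse_cn(subject: bytes) -> Optional[str]:
    for _, rdn in iter_tlv(next(iter_tlv(subject))[1]):
        for _, atv in iter_tlv(rdn):
            (_, oid), (_, value) = list(iter_tlv(atv))
            if decode_oid(oid) == OID_CN:
                return value.decode()
    return None

def account_key(cert_field: str, processing: str,
                san: Dict[str, str], cn: Optional[str]) -> Optional[str]:
    """Select the identity the way account-key-cert-field / -processing do."""
    ident = cn if cert_field == "cn" else san.get(cert_field)
    if ident is None:
        return None                               # field absent: nothing to send to RADIUS
    if processing == "strip":
        # Assumption: 'strip' drops '@domain'; a name without '@' (a dNSName or
        # a bare CN) is passed through unchanged.
        ident = ident.split("@", 1)[0]
    return ident

# Constructed sample matching the page's example peer (CN test2, L Burnaby).
SAMPLE_SAN = build_san("test2@corp.example", "test2@corp.example", "test2.corp.example")
SAMPLE_SUBJECT = build_subject([("2.5.4.7", "Burnaby"), (OID_CN, "test2")])

def derive_user_name(cert_field: str, processing: str,
                     san: bytes = SAMPLE_SAN, subject: bytes = SAMPLE_SUBJECT) -> Optional[str]:
    return account_key(cert_field, processing, parse_san(san), parse_cn(subject))

if __name__ == "__main__":
    for field in ("othername", "rfc822name", "dnsname", "cn"):
        for proc in ("same", "strip"):
            print(f"{field:10} {proc:5} -> {derive_user_name(field, proc)}")
```

With the sample certificate data, othername or rfc822name plus strip yields test2, which is what the RADIUS server must be able to find as an account; othername plus same yields test2@corp.example. Check that your RADIUS server matches the form you actually send, and note that a certificate whose SAN lacks the selected entry produces no user name at all, so the lookup cannot succeed.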

Note

Some RADIUS servers do not require a password in an Access-Request, while others need a valid password before they return an Access-Accept. If your RADIUS server requires a valid password to return an Access-Accept, configure an MFA password for each peer user with the set mfa-password command.

When you configure an MFA password in a user peer, you must have a separate user peer configuration on the FortiGate for each user, with cn set to that user's CN (cn=USER).

Example

In this example, a user certificate is issued to a user by the customer's own CA. The certificate is used to authenticate the user to the SSL VPN web portal. The administrator uses the RFC822 Name in the SAN field to authenticate against the corporate RADIUS server; on the RADIUS side, the user's Active Directory mail attribute is the value checked against the RFC822 Name.

The configuration used in this example assumes the following:

  • The CA certificate has already been uploaded to the FortiGate.

  • SSL VPN has already been configured, pending the assignment of the PKI user group.

To configure the authentication settings:
  1. Configure the RADIUS server:

    config user radius
        edit "NPS-MFA"
            set server "172.18.60.214"
            set secret XXXXXXXXXX
            set auth-type pap
            set password-encoding ISO-8859-1
            set account-key-processing strip
            set account-key-cert-field rfc822name
        next
    end
  2. Configure the local peer user:

    config user peer
        edit "peer2"
            set ca "CA_Cert_1"
            set subject "L = Burnaby"
            set cn "test2"
            set mfa-mode subject-identity
            set mfa-server "NPS-MFA"
        next
    end
  3. Configure the firewall user group for SSL VPN authentication:

    config user group
        edit "sslvpn-mfa"
            set member "peer2"
        next
    end
  4. Apply the user group to the SSL VPN configuration and firewall policy.

To verify the configuration:

When a user authenticates to web mode SSL VPN using their browser, the FortiOS fnbamd daemon first validates the certificate supplied by the user against the peer configuration. If the certificate check succeeds, the identifier selected by account-key-cert-field (here the RFC822 Name in the SAN, with the domain stripped) is used to find a matching user record on the RADIUS server. See SSL VPN web mode for information about configuring web mode SSL VPN.
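The following Python script is an added example, not code from this guide or from FortiOS. It builds and decodes the RFC 2865 PAP Access-Request that the example above amounts to once the FortiGate has derived the user name from the certificate: User-Name carries the account key, and, when a peer mfa-password is configured, User-Password carries that password hidden with the shared secret. That the FortiGate sends the mfa-password as a PAP User-Password is an assumption based on the example's auth-type pap; the user name, password, shared secret and NAS-Identifier value are constructed for the example.

```python
# Added example: the PAP Access-Request that the certificate-derived user name
# and the peer's mfa-password amount to (RFC 2865 framing, stdlib only). The
# user name, password, shared secret and NAS-Identifier are constructed here.
import hashlib
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

def _attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:                          # 1-byte length covers the 2-byte header too
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) if password else b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does with the same secret."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def build_access_request(user_name: str, password: Optional[str], secret: bytes,
                         identifier: int = 0, authenticator: Optional[bytes] = None,
                         password_encoding: str = "iso-8859-1") -> bytes:
    """Access-Request; password None models a server that accepts requests without one."""
    authenticator = authenticator or os.urandom(16)     # fresh per request in real use
    attrs = _attr(ATTR_USER_NAME, user_name.encode("utf-8"))
    if password is not None:
        # password_encoding mirrors the example's 'set password-encoding ISO-8859-1'
        hidden = hide_password(password.encode(password_encoding), secret, authenticator)
        attrs += _attr(ATTR_USER_PASSWORD, hidden)
    attrs += _attr(ATTR_NAS_IDENTIFIER, b"FortiGate")     # assumed NAS-Identifier value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes,
                         password_encoding: str = "iso-8859-1") -> Dict[str, object]:
    """What a server holding the same shared secret recovers from the packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, result, i = packet[4:20], {"id": identifier}, 20
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        value = packet[i + 2:i + alen]
        if atype == ATTR_USER_NAME:
            result["user_name"] = value.decode("utf-8")
        elif atype == ATTR_USER_PASSWORD:
            result["password"] = reveal_password(value, secret, authenticator).decode(password_encoding)
        i += alen
    return result

if __name__ == "__main__":
    secret = b"XXXXXXXXXX"                            # placeholder, as in the example config
    pkt = build_access_request("test2", "S3cret-pass", secret, identifier=7)
    print(pkt.hex())
    print(parse_access_request(pkt, secret))
```

The password hiding is only an MD5 XOR stream keyed by the shared secret, so the secret and the RADIUS path between the FortiGate and the server need the same protection as any other credential channel; the example also shows why a server that does not require a password can simply be sent a request with no User-Password attribute.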
