Administration Guide

Using the SAN field for LDAP-integrated certificate authentication

Certificate-based authentication against Active Directory LDAP (AD LDAP) can use one of three values from the Subject Alternative Name (SAN) extension of the user certificate as the unique identifier for peer user certificates: the UserPrincipalName (UPN), the RFC 822 Name (corporate email address), or the DNS name.

config user ldap
    edit <name>
        set account-key-cert-field {othername | rfc822name | dnsname}
    next
end

account-key-cert-field {othername | rfc822name | dnsname}

Define the subject identity field in the certificate that is used for user access right checking:

  • othername: match to UPN on AD LDAP server (default)
  • rfc822name: match to RFC 822 email address
  • dnsname: match to DNS name

The LDAP server configurations are applied to the user peer configuration when the PKI user is configured.

config user peer
    edit <name>
        set ca <string>
        set cn <string>
        set mfa-server <string>
        set mfa-mode subject-identity
    next
end

When a user authenticates to the FortiGate for an administrative login, SSL VPN, IPsec dialup, or firewall authentication using a user certificate, the user presents a certificate signed by a trusted CA to the FortiGate. The following sequence of events occurs as the FortiGate processes the certificate for authentication:

  1. The FortiGate verifies that the certificate is issued by a trusted CA. If the CA is not a public CA, ensure that the CA certificate is uploaded and trusted by the FortiGate, and is applied to the user peer configurations (set ca <string>).

  2. The FortiGate verifies that the CN field of the certificate matches the CN specified in the user peer configurations (set cn <string>).

  3. If the user peer configuration has mfa-server configured and the mfa-mode is set to subject-identity, the FortiGate uses the unique identifier in the certificate to authenticate against the LDAP server.

    1. If set account-key-cert-field othername is configured (the default setting), the FortiGate uses the UPN in the certificate’s SAN field to authenticate against LDAP.

    2. If set account-key-cert-field rfc822name is configured, the FortiGate uses the RFC 822 Name in the certificate’s SAN field to authenticate against LDAP.

    3. If set account-key-cert-field dnsname is configured, the FortiGate uses the DNS name in the certificate to authenticate against LDAP.

  4. By default, the FortiGate tries to match the UserPrincipalName (UPN) attribute on the AD LDAP. If this needs to be changed to another attribute, configure the account-key-filter setting on the LDAP configuration:

    config user ldap
        edit <name>
            set account-key-filter <string> 
        next
    end
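The following Python model walks through the four steps above (trusted CA, CN match, SAN identifier selection according to account-key-cert-field, substitution of that identifier into account-key-filter and the directory search). It is an added example for this guide and is not FortiOS code: the Cert, PeerUser and LdapServer classes, the DIRECTORY records and the "upn", "email" and "dns" SAN labels are constructed stand-ins. It also shows two details a practitioner building the same lookup outside FortiOS needs: escaping the certificate value per RFC 4515 before it enters the filter, and what the UserAccountControl bitwise clause in the default filter actually excludes.

```python
# Added example, not FortiOS code: a model of the certificate-to-LDAP matching
# sequence described above. Cert, PeerUser, LdapServer and DIRECTORY are
# constructed stand-ins for this illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default account-key-filter as quoted in this guide.
DEFAULT_ACCOUNT_KEY_FILTER = (
    "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
)
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule and 2 is the
# ACCOUNTDISABLE bit of userAccountControl, so the clause excludes accounts
# that have that bit set.
ACCOUNTDISABLE = 0x2

# account-key-cert-field value -> SAN entry kind. "upn", "email" and "dns" are
# this example's own labels for othername (UPN), rfc822Name and dNSName.
CERT_FIELD_TO_SAN_KIND = {"othername": "upn", "rfc822name": "email", "dnsname": "dns"}


@dataclass
class Cert:
    issuer: str                  # CA that signed the certificate
    subject_cn: str              # CN from the subject DN
    san: List[Tuple[str, str]]   # (kind, value) SAN entries


@dataclass
class PeerUser:                  # mirrors "config user peer"
    ca: str
    cn: str
    mfa_server: Optional[str] = None
    mfa_mode: str = "none"


@dataclass
class LdapServer:                # mirrors "config user ldap"
    name: str
    account_key_cert_field: str = "othername"
    account_key_filter: str = DEFAULT_ACCOUNT_KEY_FILTER


def select_identifier(cert: Cert, cert_field: str) -> Optional[str]:
    """Return the SAN value chosen by account-key-cert-field, or None if absent."""
    wanted = CERT_FIELD_TO_SAN_KIND[cert_field]
    return next((v for kind, v in cert.san if kind == wanted), None)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 before placing it in a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template: str, identifier: str) -> str:
    """Substitute the (escaped) certificate identifier for %s in the filter."""
    return template.replace("%s", escape_filter_value(identifier))


def filter_attribute(template: str) -> str:
    """Attribute compared against %s, e.g. 'mail' or 'userPrincipalName'."""
    prefix = template[: template.index("=%s")]
    return prefix[prefix.rindex("(") + 1:]


def account_enabled(record: Dict[str, object]) -> bool:
    """Evaluate (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) on one record."""
    return (int(record.get("userAccountControl", 0)) & ACCOUNTDISABLE) == 0


def ldap_lookup(directory, attr: str, identifier: str) -> List[Dict[str, object]]:
    """Stand-in for the LDAP search: equality on attr plus the enabled-account clause."""
    return [r for r in directory if r.get(attr) == identifier and account_enabled(r)]


def authenticate(cert, peer, ldap, directory, trusted_cas) -> Tuple[str, str, Optional[str]]:
    """Run steps 1-4 from the text; returns (status, reason, ldap_filter_used)."""
    # Step 1: issuer must be trusted and must be the CA named in the peer (set ca).
    if cert.issuer not in trusted_cas or cert.issuer != peer.ca:
        return "reject", "untrusted or wrong CA", None
    # Step 2: subject CN must equal the peer's cn (set cn).
    if cert.subject_cn != peer.cn:
        return "reject", "CN mismatch", None
    # Step 3: LDAP is consulted only with mfa-server set and mfa-mode subject-identity.
    if peer.mfa_server is None or peer.mfa_mode != "subject-identity":
        return "accept", "certificate checks only", None
    identifier = select_identifier(cert, ldap.account_key_cert_field)
    if identifier is None:
        return "reject", "selected SAN field missing from certificate", None
    # Step 4: substitute the identifier into account-key-filter and search.
    ldap_filter = build_filter(ldap.account_key_filter, identifier)
    hits = ldap_lookup(directory, filter_attribute(ldap.account_key_filter), identifier)
    if len(hits) == 1:
        return "accept", "matched %s" % hits[0]["cn"], ldap_filter
    return "reject", "no enabled account matched", ldap_filter


# Constructed directory: one enabled account and one disabled one (514 = 512 | 2).
DIRECTORY = [
    {"cn": "test2", "mail": "test2@fortinet-fsso.com",
     "userPrincipalName": "test2@fortinet-fsso.com", "userAccountControl": 512},
    {"cn": "leaver", "mail": "leaver@fortinet-fsso.com",
     "userPrincipalName": "leaver@fortinet-fsso.com", "userAccountControl": 514},
]
PEER = PeerUser(ca="CA_Cert_2", cn="test2", mfa_server="ad-ldap-peer-user",
                mfa_mode="subject-identity")
LDAP = LdapServer("ad-ldap-peer-user", "rfc822name",
                  "(&(mail=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")
TRUSTED_CAS = {"CA_Cert_2"}


def demo(cn: str, email: str) -> Tuple[str, str, Optional[str]]:
    """Authenticate a constructed certificate carrying the given CN and rfc822Name."""
    cert = Cert(issuer="CA_Cert_2", subject_cn=cn,
                san=[("upn", email), ("email", email), ("dns", cn + ".fortinet-fsso.com")])
    return authenticate(cert, PEER, LDAP, DIRECTORY, TRUSTED_CAS)


if __name__ == "__main__":
    print(demo("test2", "test2@fortinet-fsso.com"))   # accepted
    print(demo("test2", "leaver@fortinet-fsso.com"))  # rejected: account disabled
```

With the example's LDAP settings, demo("test2", "test2@fortinet-fsso.com") produces exactly the filter string that appears in the fnbamd debug output later on this page, while a certificate whose rfc822Name points at the disabled record is rejected even though the mail attribute matches, which is the effect of the UserAccountControl clause.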
Caution

When configuring an LDAP connection to an Active Directory server, an administrator must provide Active Directory user credentials.

Example

In this example, a user certificate is issued by a customer’s CA to a user. The user uses this certificate to authenticate to the SSL VPN web portal. The administrator decides to use the RFC 822 Name in the SAN field to authenticate against their corporate AD LDAP. The Active Directory attribute to check against the RFC 822 Name field is the mail attribute.

User certificate information:

The configuration used in this example assumes the following:

  • The CA certificate has already been uploaded to the FortiGate.

  • The SSL VPN configurations have already been configured, pending the assignment of the PKI user group.

To configure the authentication settings:
  1. Configure the LDAP server:

    config user ldap
        edit "ad-ldap-peer-user"
            set server "10.1.100.131"
            set cnid "cn"
            set dn "dc=fortinet-fsso,dc=com"
            set type regular
            set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
            set password ENC XXXXXXXXXXXXXXXXX
            set password-renewal enable
            set account-key-cert-field rfc822name 
            set account-key-filter "(&(mail=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
        next
    end

    By default, account-key-filter matches on the UPN attribute using the following string: (&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))).

    • (userPrincipalName=%s) matches the UPN attribute on the AD LDAP.

    • (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) filters out inactive and locked AD accounts.

  2. Configure the local peer user:

    config user peer
        edit "peer-RFC822-name"
            set ca "CA_Cert_2"
            set cn "test2"  
            set mfa-server "ad-ldap-peer-user"
            set mfa-mode subject-identity
        next
    end
  3. Configure the firewall user group for SSL VPN authentication:

    config user group
        edit "vpn-group"
            set member "peer-RFC822-name"
        next
    end
  4. Apply the user group to the SSL VPN configuration and firewall policy.

Verification

When the SSL VPN user authenticates in a browser, the FortiOS fnbamd daemon first validates the certificate supplied by the user. If the certificate check is successful, the information in the SAN field of the user certificate is used to find a matching user record on the AD LDAP.

To verify the configuration:
# diagnose debug app fnbamd -1
# diagnose debug enable

The output includes the following information.

  • Validate the certificate:

    ...
        __check_crl-***CERTIFICATE IS GOOD***
    [567] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
    [500] fnbamd_cert_verify-Following cert chain depth 1
    [675] fnbamd_cert_check_group_list-checking group with name 'vpn-group'
    [490] __check_add_peer-check 'peer-RFC822-name'
    [366] peer_subject_cn_check-Cert subject 'C = CA, ST = BC, L = Burnaby, CN = test2'
    [294] __RDN_match-Checking 'CN' val 'test2' -- match.
    [404] peer_subject_cn_check-CN is good.
    
  • Bind to LDAP and try to match the content of the SAN in the user certificate with the user record in the AD LDAP:

    ...
    _cert_ldap_query-LDAP query, idx 0
    [448] __cert_ldap_query-UPN = 'test2@fortinet-fsso.com'
    [1717] fnbamd_ldap_init-search filter is: (&(mail=test2@fortinet-fsso.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    
  • Confirm the successful match:

    ...    
         __cert_ldap_query_cb-LDAP ret=0, server='ad-ldap-peer-user', req_id=269178889
    [388] __cert_ldap_query_cb-Matched peer 'peer-RFC822-name'
    ...
    [1066] fnbamd_cert_auth_copy_cert_status-req_id=269178889
    [1074] fnbamd_cert_auth_copy_cert_status-Matched peer user 'peer-RFC822-name'
    [833] fnbamd_cert_check_matched_groups-checking group with name 'vpn-group'
    [895] fnbamd_cert_check_matched_groups-matched
    [1193] fnbamd_cert_auth_copy_cert_status-Cert st 290, req_id=269178889
    [209] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 269178889, len=2155
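When troubleshooting, it helps to confirm that every stage of the sequence above appears in the debug output rather than reading it by eye. The following parser is an added example and is not part of FortiOS or this guide: it extracts the certificate validation, CN match, SAN identifier, search filter, matched peer and final result from fnbamd lines and names the first stage that is missing. SAMPLE_LOG reuses the lines shown above; FAILED_LOG is a constructed excerpt of the same session cut off after the LDAP search was issued, and the verdict strings are this example's own.

```python
# Added example, not FortiOS code: parse "diagnose debug app fnbamd -1" output
# for a certificate authentication and report which stage did not complete.
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Lines taken from the debug output shown on this page.
SAMPLE_LOG = """\
    __check_crl-***CERTIFICATE IS GOOD***
[567] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[490] __check_add_peer-check 'peer-RFC822-name'
[366] peer_subject_cn_check-Cert subject 'C = CA, ST = BC, L = Burnaby, CN = test2'
[294] __RDN_match-Checking 'CN' val 'test2' -- match.
[404] peer_subject_cn_check-CN is good.
[448] __cert_ldap_query-UPN = 'test2@fortinet-fsso.com'
[1717] fnbamd_ldap_init-search filter is: (&(mail=test2@fortinet-fsso.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[388] __cert_ldap_query_cb-Matched peer 'peer-RFC822-name'
[209] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 269178889, len=2155
"""
# Constructed: the same session truncated after the LDAP search was issued.
FAILED_LOG = "\n".join(SAMPLE_LOG.splitlines()[:8]) + "\n"

RE_ISSUER = re.compile(r"fnbamd_cert_verify-Issuer found: (\S+)")
RE_PEER = re.compile(r"__check_add_peer-check '([^']*)'")
RE_RDN = re.compile(r"__RDN_match-Checking '(\w+)' val '([^']*)' -- (\w+)\.")
RE_UPN = re.compile(r"__cert_ldap_query-UPN = '([^']*)'")
RE_FILTER = re.compile(r"fnbamd_ldap_init-search filter is: (.+)$")
RE_MATCHED = re.compile(r"__cert_ldap_query_cb-Matched peer '([^']*)'")
RE_RESULT = re.compile(r"fnbamd_comm_send_result-Sending result (\d+) \(nid \d+\) for req (\d+)")


@dataclass
class CertAuthTrace:
    cert_good: bool = False
    issuer: Optional[str] = None
    peer_checked: Optional[str] = None
    cn_value: Optional[str] = None
    cn_match: bool = False
    identifier: Optional[str] = None      # value taken from the SAN field
    search_filter: Optional[str] = None   # account-key-filter after %s substitution
    matched_peer: Optional[str] = None
    result: Optional[int] = None
    req_id: Optional[str] = None

    def verdict(self) -> str:
        """Name the first stage of the sequence that did not complete."""
        if not self.cert_good:
            return "certificate-not-validated"
        if not self.cn_match:
            return "cn-mismatch"
        if self.search_filter is None:
            return "no-ldap-query"
        if self.matched_peer is None:
            return "ldap-no-match"
        if self.result != 0:
            return "result-missing-or-nonzero"
        return "success"


def parse_fnbamd(lines: Iterable[str]) -> CertAuthTrace:
    """Fill a CertAuthTrace from raw fnbamd debug lines (unknown lines are ignored)."""
    t = CertAuthTrace()
    for raw in lines:
        line = raw.strip()
        if "CERTIFICATE IS GOOD" in line:
            t.cert_good = True
        elif m := RE_ISSUER.search(line):
            t.issuer = m.group(1)
        elif m := RE_PEER.search(line):
            t.peer_checked = m.group(1)
        elif (m := RE_RDN.search(line)) and m.group(1) == "CN":
            t.cn_value, t.cn_match = m.group(2), m.group(3) == "match"
        elif m := RE_UPN.search(line):
            t.identifier = m.group(1)
        elif m := RE_FILTER.search(line):
            t.search_filter = m.group(1).strip()
        elif m := RE_MATCHED.search(line):
            t.matched_peer = m.group(1)
        elif m := RE_RESULT.search(line):
            t.result, t.req_id = int(m.group(1)), m.group(2)
    return t


def check(log_text: str) -> str:
    """Convenience wrapper: verdict for a whole captured debug session."""
    return parse_fnbamd(log_text.splitlines()).verdict()


if __name__ == "__main__":
    print(check(SAMPLE_LOG))   # success
    print(check(FAILED_LOG))   # ldap-no-match
```

Note that the fnbamd message labels the extracted identifier "UPN" even when account-key-cert-field is rfc822name; the search filter line is the reliable place to see which attribute and value were actually sent to the directory.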
    
