SSL VPN with LDAP-integrated certificate authentication

SSL VPN with LDAP-integrated certificate authentication

This topic provides a sample configuration of SSL VPN that requires users to authenticate using a certificate with LDAP UserPrincipalName checking.

This sample uses Windows 2012R2 Active Directory acting as both the user certificate issuer, the certificate authority, and the LDAP server.

Sample network topology

Sample configuration

In this sample, the UserPrincipal Name is included in the subject name of the issued certificate. This is the user field we use to search LDAP in the connection attempt.

To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user certificate is checked against the CA certificate to verify that they match.

Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s certificate, such as if a user no longer has VPN access.

To install the server certificate:

The server certificate is used for encrypting SSL VPN traffic and will be used for authentication.

  1. Go to System > Feature Visibility and ensure Certificates is enabled.
  2. Go to System > Certificates and select Import > Local Certificate.

l Set Type to Certificate. l Choose the Certificate file and the Key file for your certificate, and enter the Password. l If desired, you can change the Certificate Name.

The server certificate now appears in the list of Certificates.

To install the CA certificate:

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

  1. Go to System > Certificates and select Import > CA Certificate.
  2. Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address.

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

Port1 interface connects to the internal network.

  1. Go to Network > Interface and edit the wan1
  2. Set IP/Network Mask to 20.120.123/255.255.255.0.
  3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
  4. Click OK.
  5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
  1. Configure the LDAP server.
    1. Go to User& Device > LDAP Servers > Create New. l Specify Name and ServerIP/Name.

l Set Distinguished Name to dc=fortinet-fsso,dc=com. l Set Bind Type to Regular. l Set Username to cn=admin,ou=testing,dc=fortinet-fsso,dc=com. l Set password.

  1. Configure PKI users and a user group.

To use certificate authentication, PKI users must be created in the CLI. Use the CLI console to enter the following commands:

config user peer

edit user1

set ca CA_Cert_1 set ldap-server “ldap-AD” set ldap-mode principal-name

end

Now that you have created a PKI user, a new menu is added to the GUI. a. Go to User& Device > PKI to see the new user.

  1. Go to User& Device > User> UserGroups and create a group sslvpn-group.
  2. Add the PKI peer object you created as a local member of the group.
  3. Add a remote group on the LDAP server and select the group of interest. You need these users to be members using the LDAP browser window.
  1. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

  1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
  1. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose proper Listen on Interface, in this example, wan1.
    3. Listen on Port 10443.
    4. Set ServerCertificate to the authentication certificate.
    5. Enable Require Client Certificate.
    6. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
    7. Create new Authentication/Portal Mapping for group sslvpn-group mapping portal full-access.
  2. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
    3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
    4. Set the Source Address to all and Source User to sslvpn-group.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
    6. Set Destination Address to the internal protected subnet 168.1.0.
    7. Set schedule to always, service to ALL, and Action to Accept.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

  1. Configure the LDAP server.

config user ldap edit “ldap-AD” set server “172.18.60.206” set cnid “cn”

set dn “dc=fortinet-fsso,dc=com”

set type regular

set username “cn=admin,ou=testing,dc=fortinet-fsso,dc=com” set password ldap-server-password

next

end

  1. Configure PKI users and a user group.

config user peer

edit user1

set ca CA_Cert_1 set ldap-server “ldap-AD” set ldap-mode principal-name

end

config user group edit “sslvpn-group” set member “ldap-AD” “test3” config match edit 1 set server-name “ldap-AD”

set group-name “CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM”

next end

next

end

  1. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

  1. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” set reqclientcert enable config authentication-rule edit 1 set groups “sslvpn-group” set portal “full-access”

next

end

  1. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access” set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpn-group” set action accept set schedule “always” set service “ALL” set nat enable

next

end

To see the results of tunnel connection:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection.
    • Set the connection name.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Enable Client Certificate and select the authentication certificate.
  6. Save your settings.

Connecting to the VPN only requires the user’s certificate. It does not require username or password.

To see the results of web portal:

  1. In a web browser, log into the portal http://172.20.120.123:10443.

A message requests a certificate for authentication.

  1. Select the user certificate.

You can connect to the SSL VPN web portal.

To check the SSL VPN connection using the GUI:

  1. Go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
  2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
  3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the SSL VPN connection using the CLI:

Below is a sample output of diag debug app fnbamd -1 while the user connects. This is a shortened output sample of a few locations to show the important parts. This sample shows lookups to find the group memberships (three groups total) of the user and that the correct group being found results in a match.

[1148] fnbamd_ldap_recv-Response len: 16, svr: 172.18.60.206

[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result

[864] fnbamd_ldap_parse_response-ret=0

[1386] __fnbamd_ldap_primary_grp_next-Auth accepted

[910] __ldap_rxtx-Change state to ‘Done’

[843] __ldap_rxtx-state 23(Done)

[925] fnbamd_ldap_send-sending 7 bytes to 172.18.60.206

[937] fnbamd_ldap_send-Request is sent. ID 5

[753] __ldap_stop-svr ‘ldap-AD’

[53] ldap_dn_list_del_all-Del CN=test3,OU=Testing,DC=Fortinet-FSSO,DC=COM

[399] ldap_copy_grp_list-copied CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM

[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM

[2088] fnbamd_auth_cert_check-Matching group ‘sslvpn-group’

[2007] __match_ldap_group-Matching server ‘ldap-AD’ – ‘ldap-AD’

[2015] __match_ldap_group-Matching group ‘CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM’ ‘CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM’

[2091] fnbamd_auth_cert_check-Group ‘sslvpn-group’ matched

[2120] fnbamd_auth_cert_result-Result for ldap svr[0] ‘ldap-AD’ is SUCCESS

[2126] fnbamd_auth_cert_result-matched user ‘test3’, matched group ‘sslvpn-group’

You can also use diag firewall auth list to validate that a firewall user entry exists for the SSL VPN user and is part of the right groups.

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.