I'm using Firefox to test the web portal, and an Android and a macOS device running the basic FortiClient.
In the FortiGate you should set a "config user peer" entry that defines the CA signing the end-user certificates. This CA certificate, along with the root CA certificate, needs to be uploaded into the FortiGate via System > Certificate.
In my setup I have a root CA and an intermediate CA; the "config user peer" entry references the intermediate CA.
config user peer
    edit "socpuppets-intermediate"
        set ca "CA_Cert_3"
    next
end
Now you will need to build your SSL VPN settings to include an authentication-rule that requires the client certificate and ties it to that user peer.
config vpn ssl settings
    set reqclientcert enable
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_POOL_1"
    set port 8443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "vpnusers1"
            set portal "full-access"
            set client-cert enable
            set user-peer "socpuppets-intermediate"
        next
    end
end
And the portal config with the address pool:
config firewall address
    edit "SSLVPN_POOL_1"
        set subnet 10.199.199.0 255.255.255.0
    next
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_POOL_1"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
end
So now, when an end-user authenticates and matches that auth-rule, he will need a valid certificate that chains to the CA defined in the user-peer.
Once you have connected, you can validate users via the CLI or web UI.
If your FortiClient can not connect, use Firefox to access the web portal after importing the certificate that FortiClient is using. If you can access the web portal, then the certificate and the authentication rule are good.
One last tidbit: when the user certificate has expired, the user will be locked out of the VPN. Since the certificate verification is done before the "username/password" is accepted, you will not see this in the logs, but "diag debug application sslvpnd -1" will clearly show this scenario.
For traffic that's allowed by the firewall policy, you can use "diag debug flow" or run a "diag sniffer packet" on the ssl.root interface to see the traffic flow.
This VPN method offers an easy way to give VPN users timed access: sign the certificate for "X" days and the access ends with it. Great for vendor, auditor, or consultant access.
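The certificate side of this setup, as an added example that is not part of the post: an openssl script that builds the root/intermediate CA pair, issues a user certificate for a fixed number of days, and classifies a presented certificate the way the user-peer check does (chain to the CA, validity period). Every name (lab-root, lab-intermediate, vendor1, rogue) and the PKCS#12 password are made-up lab values.

```shell
#!/bin/sh
# Added example, not from the post: build the root -> intermediate -> user
# certificate chain the post describes with openssl, sign a user cert for a
# limited number of days, and check it the way the FortiGate user-peer does
# (chain to the uploaded CA, validity period). Every name (lab-root,
# lab-intermediate, vendor1, rogue) and the PKCS#12 password are made-up lab values.
set -eu
WORK=$(mktemp -d) && cd "$WORK"

# Root CA (self-signed) and the intermediate CA that "config user peer" names;
# root.crt and inter.crt are what gets uploaded under System > Certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=lab-root" \
    -keyout root.key -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=lab-intermediate" \
    -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out inter.crt 2>/dev/null

# Issue a user certificate valid for $2 days and bundle key + cert + chain as
# PKCS#12 for import into FortiClient (or Firefox, for the web-portal test).
issue_user_cert() {  # $1 = CN, $2 = validity in days
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > user.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days "$2" -extfile user.ext -out "$1.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile inter.crt \
        -passout pass:lab-only -out "$1.p12"
}

# Classify a user cert: "untrusted" if it does not chain to the root through the
# intermediate, "expired" if its validity has lapsed (the lockout case from the
# post, rejected before any username/password is accepted), "expiring" if it
# lapses within $2 seconds, otherwise "valid".
check_user_cert() {  # $1 = cert file, $2 = lookahead in seconds (default 0)
    out=$(openssl verify -CAfile root.crt -untrusted inter.crt "$1" 2>&1) || {
        case "$out" in *expired*) echo expired ;; *) echo untrusted ;; esac
        return 0
    }
    if openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null; then
        echo valid
    else
        echo expiring
    fi
}

issue_user_cert vendor1 7   # seven days of vendor access, then locked out
openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=rogue" \
    -keyout rogue.key -out rogue.crt 2>/dev/null   # self-signed, not from our CA
```

Running check_user_cert with a lookahead of a few days ahead of time is the simple way to catch the expiry lockout before the vendor reports that the VPN "stopped working".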
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com