Fortinet white logo
Fortinet white logo

Administration Guide

RADIUS integrated certificate authentication for SSL VPN NEW

RADIUS integrated certificate authentication for SSL VPN NEW

Secure connections to SSL VPNs can be established using certificate-based authentication. Access can be granted to the user by using the content inside the Subject Alternative Name (SAN) of the user certificate to authenticate to the RADIUS server. An extra layer of security is added by ensuring that only users with valid certificates can access the VPN.

Certificate-based authentication with RADIUS supports UserPrincipalName (UPN), RFC 822 Name (corporate email address) defined in the SAN extension of the certificate, and the DNS defined in the user certificate as the unique identifier in the SAN field for peer user certificates.

config user radius
    edit <name>
        set account-key-processing {same | strip}
        set account-key-cert-field {othername | rfc822name | dnsname}
    next
end

account-key-processing {same | strip}

Account key processing operation. The FortiGate will keep either the whole domain or strip the domain from the subject identity.

  • same: Same as subject identity field (default).

  • strip: Strip domain string from subject identity field.

account-key-cert-field {othername | rfc822name | dnsname}

Define subject identity field in certificate for user access right checking.

  • othername: Match to UPN in SAN (default).

  • rfc822name: Match to RFC822 email address in SAN.

  • dnsname: Match to DNS name in SAN.

The RADIUS server configurations are applied to the user peer configuration when the PKI user is configured.

config user peer
    edit <name>
        set ca <string>
        set subject <string>
        set cn <string>
        set mfa-mode subject-identity
        set mfa-server <string>
    next
end

When a user authenticates to FortiGate over SSL VPN, the user presents a user certificate signed by a trusted CA to FortiGate. This CA should also be trusted by the FortiGate. See CA certificate for more information about importing a CA certificate to FortiGate trusted CA store. The following sequence of events occurs as the FortiGate processes the certificate for authentication:

  1. The FortiGate checks whether the certificate is issued by a trusted CA. If the CA is not a public CA, FortiGate ensures that the CA certificate is uploaded and trusted by the FortiGate, and applies it to the user peer configurations (set ca <string>).

  2. The FortiGate verifies that the CN field of the certificate matches the CN specified in the user peer configurations (set cn <string>).

  3. If the user peer configuration has mfa-mode set to subject-identity and the mfa-server is configured, then the FortiGate uses the unique identifier in the certificate to authenticate against the RADIUS server.

    1. If account-key-cert-field is set to othername (the default setting), then the FortiGate uses the UPN in the certificate's SAN field to authenticate against RADIUS.

    2. If account-key-cert-field is set to rfc822name, then the FortiGate uses the RFC 822 Name in the certificate's SAN field to authenticate against RADIUS.

    3. If account-key-cert-field is set to dnsname, then the FortiGate uses the DNS name in the certificate to authenticate against RADIUS.

Note

Some RADIUS servers do not require a password in an Access Request, while others need a valid password to return an ACCESS ACCEPT. If your RADIUS server requires a valid password to return an ACCESS ACCEPT, then you can configure an MFA password for each peer user using the set mfa-password command.

When you configure a user MFA password in a user peer, you must need to have a user peer configuration on the FortiGate for each user with cn=USER.

Example

In this example, a user certificate is issued to a user by a customer’s CA. The certificate is used to authenticate the user to the SSL VPN web portal. The administrator uses the RFC 822 Name in the SAN field to authenticate against their corporate RADIUS. The Active Directory mail attribute is used to check against the RFC 822 Name field.

The configuration used in this example assumes the following:

  • The CA certificate has already been uploaded to the FortiGate.

  • SSL VPN has already been configured, pending the assignment of the PKI user group.

To configure the authentication settings:
  1. Configure the RADIUS server:

    config user radius
        edit "NPS-MFA"
            set server "172.18.60.214"
            set secret  XXXXXXXXXX
            set auth-type pap
            set password-encoding ISO-8859-1
            set account-key-processing strip               
            set account-key-cert-field rfc822name       
        next
    end
  2. Configure the local peer user:

    config user peer
        edit "peer2"
            set ca "CA_Cert_1"
            set subject "L = Burnaby"
            set cn "test2"
            set mfa-mode subject-identity
            set mfa-server "NPS-MFA"
        next
    end
  3. Configure the firewall user group for SSL VPN authentication:

    config user group
        edit "sslvpn-mfa"
            set member  "peer2"
        next
    end
  4. Apply the user group to the SSL VPN configuration and firewall policy.

To verify the configuration:

When a user authenticates to Web mode SSL VPN using their browser, the FortiOS fnbamd daemon first validates the certificate supplied by the user. If the certificate check is successful, the information in the SAN field of the user certificate is used to find a matching user record on the RADIUS server. See SSL VPN web mode for information about configuring web mode SSL VPN.

RADIUS integrated certificate authentication for SSL VPN NEW

RADIUS integrated certificate authentication for SSL VPN NEW

Secure connections to SSL VPNs can be established using certificate-based authentication. Access can be granted to the user by using the content inside the Subject Alternative Name (SAN) of the user certificate to authenticate to the RADIUS server. An extra layer of security is added by ensuring that only users with valid certificates can access the VPN.

Certificate-based authentication with RADIUS supports UserPrincipalName (UPN), RFC 822 Name (corporate email address) defined in the SAN extension of the certificate, and the DNS defined in the user certificate as the unique identifier in the SAN field for peer user certificates.

config user radius
    edit <name>
        set account-key-processing {same | strip}
        set account-key-cert-field {othername | rfc822name | dnsname}
    next
end

account-key-processing {same | strip}

Account key processing operation. The FortiGate will keep either the whole domain or strip the domain from the subject identity.

  • same: Same as subject identity field (default).

  • strip: Strip domain string from subject identity field.

account-key-cert-field {othername | rfc822name | dnsname}

Define subject identity field in certificate for user access right checking.

  • othername: Match to UPN in SAN (default).

  • rfc822name: Match to RFC822 email address in SAN.

  • dnsname: Match to DNS name in SAN.

The RADIUS server configurations are applied to the user peer configuration when the PKI user is configured.

config user peer
    edit <name>
        set ca <string>
        set subject <string>
        set cn <string>
        set mfa-mode subject-identity
        set mfa-server <string>
    next
end

When a user authenticates to FortiGate over SSL VPN, the user presents a user certificate signed by a trusted CA to FortiGate. This CA should also be trusted by the FortiGate. See CA certificate for more information about importing a CA certificate to FortiGate trusted CA store. The following sequence of events occurs as the FortiGate processes the certificate for authentication:

  1. The FortiGate checks whether the certificate is issued by a trusted CA. If the CA is not a public CA, FortiGate ensures that the CA certificate is uploaded and trusted by the FortiGate, and applies it to the user peer configurations (set ca <string>).

  2. The FortiGate verifies that the CN field of the certificate matches the CN specified in the user peer configurations (set cn <string>).

  3. If the user peer configuration has mfa-mode set to subject-identity and the mfa-server is configured, then the FortiGate uses the unique identifier in the certificate to authenticate against the RADIUS server.

    1. If account-key-cert-field is set to othername (the default setting), then the FortiGate uses the UPN in the certificate's SAN field to authenticate against RADIUS.

    2. If account-key-cert-field is set to rfc822name, then the FortiGate uses the RFC 822 Name in the certificate's SAN field to authenticate against RADIUS.

    3. If account-key-cert-field is set to dnsname, then the FortiGate uses the DNS name in the certificate to authenticate against RADIUS.

Note

Some RADIUS servers do not require a password in an Access Request, while others need a valid password to return an ACCESS ACCEPT. If your RADIUS server requires a valid password to return an ACCESS ACCEPT, then you can configure an MFA password for each peer user using the set mfa-password command.

When you configure a user MFA password in a user peer, you must need to have a user peer configuration on the FortiGate for each user with cn=USER.

Example

In this example, a user certificate is issued to a user by a customer’s CA. The certificate is used to authenticate the user to the SSL VPN web portal. The administrator uses the RFC 822 Name in the SAN field to authenticate against their corporate RADIUS. The Active Directory mail attribute is used to check against the RFC 822 Name field.

The configuration used in this example assumes the following:

  • The CA certificate has already been uploaded to the FortiGate.

  • SSL VPN has already been configured, pending the assignment of the PKI user group.

To configure the authentication settings:
  1. Configure the RADIUS server:

    config user radius
        edit "NPS-MFA"
            set server "172.18.60.214"
            set secret  XXXXXXXXXX
            set auth-type pap
            set password-encoding ISO-8859-1
            set account-key-processing strip               
            set account-key-cert-field rfc822name       
        next
    end
  2. Configure the local peer user:

    config user peer
        edit "peer2"
            set ca "CA_Cert_1"
            set subject "L = Burnaby"
            set cn "test2"
            set mfa-mode subject-identity
            set mfa-server "NPS-MFA"
        next
    end
  3. Configure the firewall user group for SSL VPN authentication:

    config user group
        edit "sslvpn-mfa"
            set member  "peer2"
        next
    end
  4. Apply the user group to the SSL VPN configuration and firewall policy.

To verify the configuration:

When a user authenticates to Web mode SSL VPN using their browser, the FortiOS fnbamd daemon first validates the certificate supplied by the user. If the certificate check is successful, the information in the SAN field of the user certificate is used to find a matching user record on the RADIUS server. See SSL VPN web mode for information about configuring web mode SSL VPN.