Configuring certificate-based authentication

Configuring certificate-based authentication

You can configure certificate-based authentication for FortiGate administrators, SSL VPN users, and IPsec VPN users.

In Microsoft Windows 7, you can use the certificate manager to keep track of all the different certificates on your local computer. To access certificate manager, in Windows 7 press the Windows key, enter “certmgr.msc” at the search prompt, and select the displayed match. Remember that in addition to these system certificates, many applications require you to register certificates with them directly.

To see FortiClient certificates, open the FortiClient Console, and select VPN. The VPN menu has options for My Certificates (local or client) and CA Certificates (root or intermediary certificate authorities). Use Import on those screens to import certificate files from other sources.

 

Authenticating administrators with security certificates

You can install a certificate on the management computer to support strong authentication for administrators. When a personal certificate is installed on the management computer, the FortiGate unit processes the certificate after the administrator supplies a username and password.

 

To enable strong administrative authentication:

  • Obtain a signed personal certificate for the administrator from a CA and load the signed personal certificate into the web browser on the management computer according to the browser documentation.
  • Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients on page 529 ).
  • Create a PKI user account for the administrator.
  • Add the PKI user account to a firewall user group dedicated to PKI-authenticated administrators.
  • In the administrator account configuration, select PKI as the account Type and select the User Group to which the administrator belongs.

 

Authenticating SSL VPN users with security certificates

While the default self-signed certificates can be used for HTTPS connections, it is preferable to use the X.509 server certificate to avoid the redirection as it can be misinterpreted as possible session hijacking. However, the server certificate method is more complex than self-signed security certificates. Also the warning message is typically displayed for the initial connection, and future connections will not generate these messages.

X.509 certificates can be used to authenticate IPsec VPN peers or clients, or SSL VPN clients. When configured to authenticate a VPN peer or client, the FortiGate unit prompts the VPN peer or client to authenticate itself using the X.509 certificate. The certificate supplied by the VPN peer or client must be verifiable using the root CA certificate installed on the FortiGate unit in order for a VPN tunnel to be established.

 

To enable certificate authentication for an SSL VPN user group:

1. Install a signed server certificate on the FortiGate unit and install the corresponding root certificate (and CRL) from the issuing CA on the remote peer or client.

2. Obtain a signed group certificate from a CA and load the signed group certificate into the web browser used by each user. Follow the browser documentation to load the certificates.

3. Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients on page 529).

4. Create a PKI user for each SSL VPN user. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.

5. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the SSL VPN users who are authenticated by certificate.

6. Go to Policy & Objects > Policy > IPv4.

7. Edit the SSL-VPN security policy.

8. Select the user group created earlier in the Source User(s) field.

9. Select OK.

 

Authenticating IPsec VPN users with security certificates

To require VPN peers to authenticate by means of a certificate, the FortiGate unit must offer a certificate to authenticate itself to the peer.

 

To enable the FortiGate unit to authenticate itself with a certificate:

1. Install a signed server certificate on the FortiGate unit.

See To install or import the signed server certificate – web-based manager on page 529.

2. Install the corresponding CA root certificate on the remote peer or client. If the remote peer is a FortiGate unit, see To install a CA root certificate on page 529.

3. Install the certificate revocation list (CRL) from the issuing CA on the remote peer or client. If the remote peer is a

FortiGate unit, see To import a certificate revocation list on page 529.

4. In the VPN phase 1 configuration, set Authentication Method to Signature and from the Certificate Name list select the certificate that you installed in Step 1.

To authenticate a VPN peer using a certificate, you must install a signed server certificate on the peer. Then, on the FortiGate unit, the configuration depends on whether there is only one VPN peer or if this is a dialup VPN that can be multiple peers.

 

To configure certificate authentication of a single peer

1. Install the CA root certificate and CRL.

2. Create a PKI user to represent the peer. Specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.

3. In the VPN phase 1 Peer Options, select peer certificate for Accept Types field and select the PKI user that you created in the Peer certificate field.

 

To configure certificate authentication of multiple peers (dialup VPN)

1. Install the corresponding CA root certificate and CRL.

2. Create a PKI user for each remote VPN peer. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.

3. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the PKI

users who will use the IPsec VPN.

In the VPN phase 1 Peer Options, select peer certificate group for Accept Types field and select the PKI

user group that you created in the Peer certificate group field.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

4 thoughts on “Configuring certificate-based authentication

    1. Mike Post author

      You can push a certificate to a SSL VPN user that can then be used to authenticate the VPN Connection. This page goes into some detail on how to do so. Let me know if I didn’t understand your question properly!

      Reply
  1. MattB

    Steve i think hes talking about machine certificates rather than user certificates – I know PA’as can do it i’m just wondering about Fortigates?

    Reply
  2. MarekPL

    Mike, we’d like to use machine certs (from our internal MS CA set on Windows Server) and we’d like to make FG pass the information to MS Network Policy Server to be checked there. Is it possible?
    So far we managed to check certs by importing our CA’s certs into FortiGate .

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.