SSL VPN with certificate authentication


In this recipe, you will configure an SSL VPN tunnel that requires users to authenticate using a certificate.

This recipe requires that you have three certificates:

  • CA certificate
  • server certificate (signed by the CA certificate)
  • user certificate (signed by the CA certificate)

The certificates in the example were created using OpenSSL.

1. Enabling certificate management

Go to System > Config > Features > Show More and make sure that Certificates is enabled.

If necessary, Apply your changes.

 

2. Installing the server certificate

The server certificate secures SSL VPN traffic and lets connecting clients authenticate the FortiGate (the user certificate, installed later, authenticates the client in the other direction).

Go to System > Certificates and select Import > Local Certificate.

Set Type to Certificate, choose the Certificate file and the Key file for your certificate, and enter the Password. If desired, you can also change the Certificate Name.

 

The server certificate now appears in the list of Certificates.

 

3. Installing the CA certificate

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

Go to System > Certificates and select Import > CA Certificate.

Select Local PC, then select the certificate file.

 

The CA certificate now appears in the list of External CA Certificates (in the example, it is called CA_Cert_1).

 

4. Creating PKI users and a user group

In order to use certificate authentication, PKI users must be created in the CLI. Go to System > Dashboard > Status and enter the following commands into the CLI widget:

config user peer
  edit rdiaz
    set ca CA_Cert_1
    set subject User01
  end

Make sure that subject matches the subject (CN) of the user certificate (in the example, User01). If it does not, the FortiGate rejects the certificate at login even though it was signed by the trusted CA.
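The recipe says only that its certificates were created with OpenSSL and that the PKI user's subject must match the user certificate. The following shell script is an added example, not part of the original recipe, that builds the three certificates, checks that both leaf certificates chain to the CA, reads the CN back from the user certificate and prints the matching config user peer stanza, and packs the user certificate into a PKCS#12 file for the client-side import in step 8. The file names, the organisation name, the server name vpn.example.com, the export password and the working directory are assumptions; only the user CN User01 and the FortiGate names rdiaz and CA_Cert_1 come from the recipe.

```shell
#!/bin/sh
# Added example (not from the Fortinet recipe): build the CA, server and user
# certificates with OpenSSL and derive the FortiGate "config user peer" stanza
# from the user certificate's CN. File names, DN values, the server name
# vpn.example.com and the export password are assumptions.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. Self-signed CA; ca.crt is what step 3 imports as the External CA certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Corp/CN=Example SSL VPN CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# 2. Leaf certificate signed by the CA.
#    $1 = file basename, $2 = subject CN, $3 = extendedKeyUsage (serverAuth or clientAuth)
issue_cert() {
  name="$1"; cn="$2"; eku="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=$cn" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
  # Non-CA leaf with an explicit EKU, so a user certificate cannot double as a
  # server certificate (or the reverse) if one leaks.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$eku" > "$WORKDIR/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/$name.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# 3. Check that a leaf chains to the CA; this is the signature check the FortiGate
#    performs against CA_Cert_1 when the client presents its certificate.
verify_cert() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

# 4. Read the subject CN back from a certificate. Taking the value from the
#    certificate, rather than retyping it, avoids the subject mismatch that
#    makes the FortiGate reject an otherwise valid certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 5. Render the FortiGate CLI stanza for the PKI user.
#    $1 = FortiGate user name, $2 = CA certificate name on the FortiGate, $3 = user cert file
peer_stanza() {
  cn="$(cert_cn "$3")"
  printf 'config user peer\n  edit %s\n    set ca %s\n    set subject %s\n  next\nend\n' "$1" "$2" "$cn"
}

# 6. Bundle the user certificate, its private key and the CA into a PKCS#12 file
#    for import into the Windows Personal store, the macOS keychain or Firefox.
#    $1 = basename, $2 = export password
make_p12() {
  openssl pkcs12 -export -in "$WORKDIR/$1.crt" -inkey "$WORKDIR/$1.key" \
    -certfile "$WORKDIR/ca.crt" -passout "pass:$2" -out "$WORKDIR/$1.p12"
}

# Run the whole procedure when executed directly: sh make-vpn-certs.sh demo
if [ "${1:-}" = "demo" ]; then
  make_ca
  issue_cert server vpn.example.com serverAuth
  issue_cert User01 User01 clientAuth
  verify_cert "$WORKDIR/server.crt" && verify_cert "$WORKDIR/User01.crt" && echo "chain OK"
  peer_stanza rdiaz CA_Cert_1 "$WORKDIR/User01.crt"
  make_p12 User01 changeit
  echo "files written to $WORKDIR"
fi
```

Run it as sh make-vpn-certs.sh demo. Import server.crt with server.key in step 2, ca.crt in step 3, and copy User01.p12 to the user's PC for step 8; the printed stanza is the one to paste into the CLI widget in step 4. Issue a separate user certificate per person so that each one can be revoked on its own.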

Now that you have created a PKI user, a new menu has been added to the GUI. Go to User & Device > PKI to see the new user listed (you may need to refresh the GUI before the menu appears).

Edit the user account and expand Two-factor authentication. Enable Require two-factor authentication and set a Password for the account.

 
Go to User & Device > User > User Groups and create a group for SSL VPN users. Add the new user to the group.  

5. Creating an SSL VPN portal

Go to VPN > SSL > Portals.

Edit the full-access portal. This portal supports both web and tunnel mode.

Make sure that Enable Split Tunneling is not selected, so that all SSL VPN traffic goes through the FortiGate unit.

 

6. Configuring the SSL VPN tunnel

Go to VPN > SSL > Settings.

Under Connection Settings, set Listen on Interface(s) to wan1. To avoid conflicts with the administrative HTTPS port, set Listen on Port to 10443.

Set Server Certificate to the server certificate imported in step 2 and enable Require Client Certificate. Without this option the FortiGate never asks the client for a certificate, and the PKI user cannot authenticate.

Under Authentication/Portal Mapping, assign the user group to the full-access portal. If necessary, assign a portal for All Other Users/Groups.

 

7. Adding security policies for access to the Internet and internal network

Go to Policy & Objects > Policy > IPv4. Create a security policy allowing SSL VPN users to access the internal network.

Set Incoming Interface to ssl.root. Set Source Address to all and Source User to the new user group. Set Outgoing Interface to the local network interface so that the remote user can access the internal network.

Set Destination Address to all, enable NAT, and configure any remaining firewall and security options as desired.

 

Add a second security policy allowing SSL VPN users to access the Internet.

For this policy, Incoming Interface is set to ssl.root and Outgoing Interface is set to wan1.

Make sure that NAT is enabled.

 

8. Installing the user certificate

To use the user certificate, it must first be installed on the user's PC. When the user attempts to authenticate, the FortiGate checks that the user certificate was signed by the imported CA certificate and that its subject matches the PKI user created in step 4.

Every user should have a unique user certificate, so that you can distinguish each user and so that it is possible to revoke a user's certificate if they should no longer have VPN access. Note that revocation only takes effect if the FortiGate is given a CRL for the CA (System > Certificates > Import > CRL); otherwise a revoked certificate keeps working until it expires.

The installation instructions differ depending on what application is being used to connect to the VPN.

Internet Explorer or Safari (on Windows or Mac OS):

If you are using the above applications to connect to the VPN, you must install the certificate into the certificate store for your OS. The certificate should be installed in the current user's certificate store, not in the local machine store.

If you are using Windows 7/8/10, open the certificate file and select Install Certificate. The Import Wizard appears.

Import the certificate using the Import Wizard. Import the certificate into the Personal store.

 

If you are using Mac OS X, open the certificate file. Keychain Access opens.

Double-click the certificate. Expand Trust and select Always Trust.

 

FortiClient (on Windows or Mac OS)

In order to connect to the VPN with FortiClient, you will first have to use the above instructions to install the certificate for your OS. Once the certificate has been installed, you can configure FortiClient to access the VPN.

Open FortiClient and go to Remote Access > Configure VPN. Create a new SSL VPN connection.

Set the Connection Name, Remote Gateway, and Customize port (10443 in the example). Enable Client Certificate and select the user certificate installed above.

 

Firefox (on Windows or Mac OS)

Firefox has its own certificate store. If you will be using Firefox to connect to the VPN, then the user certificate must be installed in this store, rather than in the OS.

Depending on the version, go to Menu > Options or Preferences > Advanced and find the Certificates tab.

Select View Certificates, then select the Your Certificates list. Import the certificate file.

 

9. Results

Using a web browser

Browse to the SSL VPN portal over HTTPS (in the example, https://172.20.121.46:10443).

A message will appear requesting a certificate for authentication. Select the user certificate.

Enter your user credentials when requested.

 

You are able to connect to the SSL VPN web portal.

Using FortiClient

Open FortiClient and connect to the VPN. You are able to connect.

 
On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor. You can see that the user is currently connected to the VPN.  

 

Victoria Martin


Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
  • Mohamed Adel Mohamed

    Hello, I have a question.
    I have a Yealink IP phone and need to connect it to the FortiGate VPN.
    Yealink supports uploading an OpenVPN file (.tar). Is it possible to generate a .tar file through the FortiGate so that the Yealink can connect to it?

  • kim

    I'm able to connect just fine using a web browser, but when I try to connect via FortiClient with SSL VPN I get an "invalid certificate" error. Any help regarding this behavior?

  • William Bain

    Hi, is there a way to configure this without local user accounts? I’d like to ensure the client has a valid certificate but want to authenticate users using RADIUS which will then query AD for user access.

    • Victoria Martin

      Hi William,

      I looked into this and yes, this can be done, but it's not a typical configuration. To get it to work, you would have to have your RADIUS server handle all portions of the AAA process, including client and RSA authentication, authorization, and accounting. This means that almost no configuration is done on the FortiGate, aside from the RADIUS client configuration and setting up the address groups to authenticate against. Everything else would be done on the RADIUS server.

      • Alex F

        Hi Victoria,

        Could this be an opportunity for a further cookbook article, as being able to validate a computer and have RADIUS authentication (plus even FortiTokens) is quite desirable for us when discussing options with our customers? Is any configuration required on the Fortigate or FortiClient software in order to get the computer authentication to pass to the RADIUS server as well as the user authentication?

        • Victoria Martin

          Hi Alex,

          That is a great idea, we’ll put it on the to-do list.

          • Alex F

            Thanks Victoria, any thoughts on what configuration might be required to get the machine authentication to pass to the RADIUS server through the Fortigate?

          • Keith Leroux

            Hi Alex,

            I think you just need to add a firewall policy to allow the RADIUS Service through the FortiGate.

      • William Bain

        Hi Victoria, we’ve worked through all the options with our Fortinet partner but none of the options have worked. I believe this has now been confirmed by your support teams. We’ve had to roll back to a Cisco VPN solution as for us we can’t have users installing the SSL software on unknown machines and then connecting to our environment. The Fortinet certificate solution to validate machines is just not scalable for an enterprise. I’m surprised other customers haven’t had similar issues.

  • mohamed nashrty

    How do you export the user certificate? You did not mention this point in your topic.

    • Victoria Martin

      Hello Mohamed,

      I'm not quite sure I understand your question. If you want to know how the user certificate was created, the one used in this example was done with OpenSSL.

  • José Oliveira

    Good job.

  • Cascadia89

    This is great. Could you enhance this by adding Fortitoken when used with FortiAuthenticator? Would like to see steps on how you add FortiAuth to this and use it to allocate/manage user certs.

    • Victoria Martin

      Hi Cascadia89, I'm glad you liked the recipe. Your idea sounds like it would make a great recipe, so I'll add it to our to-do list.