FortiGate is terminating an SSL VPN. AD users authenticate with certificates. The firewall is connected to AD over LDAP.
A user group is defined more or less as follows:
- CA_Cert_1 is a CA certificate obtained from a CA Server (the Lab Setup section has more about this)
How can I introduce 2FA, i.e. add user credential authentication in conjunction with certificate validation?
Keep the LDAP connection for certificate validation. Add RADIUS, so FortiGate can also check the username and password. It requires a redesign of the current solution on both the server and firewall end, but improves security by bringing 2FA into play.
I'll show you how to build a lab and test it before you make any changes in production. Bear in mind that it's a test lab, so my goal is to build a working environment with minimal effort; I don't care about security or a 100% proper production configuration. Below is a simple diagram that is the starting point:
AD Server Setup
I already had that server in my lab, and there are plenty of tutorials on how to install Active Directory Domain Services and promote a server to a Domain Controller.
Then create users, join all other computers to the domain, create a group called SSLVPN and add some users to that group.
RADIUS Server Setup
On that server, install a Certificate Authority and create a Root CA from PowerShell:
In Server Manager, click Tools and then Certification Authority. Right-click your CA, then click Properties.
In the new window you can view the certificate and copy it to a file. Do that; I saved it as CA_Cert1. Later you'll import it into FortiGate.
Now, install a RADIUS server:
Add a RADIUS Client:
- IP Address: 192.168.37.131
- Shared Secret: YOUR_SECRET
Configure a new Connection Request Policy with Client IPv4 address condition set to FortiGate's IP address. Leave all other settings on default values.
Then proceed to Network Policies and add a new one. As a condition, choose the SSLVPN group:
Go to the next tab and, for the authentication method, select only MS-CHAP-v2:
In the last tab, you have to configure vendor-specific settings:
- Vendor Code: 12356 <– this is Fortinet's vendor code
- Attribute Number: 1 <– this means Fortinet-Group-Name. The whole list is available here.
- String: VPN_Group <– it must match the group name configured on the FortiGate
Install FortiClient VPN and, using MMC, request a personal user certificate:
In the next steps choose Active Directory Enrollment Policy and select the User template. Once the certificate is enrolled, open it and verify that the Subject Alternative Name is populated:
This is how it looks in my scenario:
This is crucial for the whole process, as FortiGate validates the certificate owner based on the Principal Name.
You can configure FortiClient connection details in advance.
I assume that SSL VPN is already configured, that the config from Listing #1 is already applied, and that you uploaded CA_Cert_1 as a CA Certificate.
NOTE: if you do this on the evaluation VM, the CA import will fail due to licensing limitations. You need a valid license.
Configure a RADIUS server:
Do not test user credentials from the GUI. From my observations it uses the PAP protocol only, regardless of your configuration (FortiOS 6.0.6). Do it from the command line:
If you have any issues at this stage, double-check your configuration and enable debugging:
We leave the user ldap-check-cert as it is. Its configuration is correct: it points to the correct CA certificate and validates the Principal Name. Let's create a new user group that takes into consideration both certificate validation and user credentials:
Or if you prefer the GUI:
Make sure you require a client certificate in general SSL VPN settings:
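The FortiGate side of the steps above (RADIUS server object, CLI credential test, debugging, the combined user group and the client-certificate requirement), written out as an added example rather than the post's own Listing. "RADIUS_NPS" is an assumed object name and the NPS address is a placeholder because the post does not state it; all other names come from the post.

```fortios
# Added example, not the post's listing. "RADIUS_NPS" and <NPS_SERVER_IP>
# are assumed; YOUR_SECRET, ldap-check-cert, VPN_Group and VPN_Users are
# the names used in the post.
config user radius
    edit "RADIUS_NPS"
        set server "<NPS_SERVER_IP>"
        set secret "YOUR_SECRET"
        set auth-type ms_chap_v2
    next
end

# Test credentials from the CLI, not the GUI (the GUI test sends PAP only
# on 6.0.6). The scheme must match the Network Policy (MS-CHAP-v2).
diagnose test authserver radius RADIUS_NPS mschap2 <ad_username> <ad_password>

# If the test fails, watch the authentication daemon while retrying it.
diagnose debug application fnbamd -1
diagnose debug enable
# ... retry the test above, then stop the trace ...
diagnose debug disable
diagnose debug reset

# Group that requires BOTH factors: the existing PKI peer user
# "ldap-check-cert" (certificate chained to CA_Cert_1, Principal Name
# checked over LDAP) and the RADIUS server, which only matches when NPS
# returns Fortinet-Group-Name = "VPN_Group" (VSA 12356/1 from the policy).
config user group
    edit "VPN_Users"
        set member "ldap-check-cert" "RADIUS_NPS"
        config match
            edit 1
                set server-name "RADIUS_NPS"
                set group-name "VPN_Group"
            next
        end
    next
end

# Require a client certificate in the general SSL VPN settings, otherwise
# the "credentials without certificate" scenario would succeed.
config vpn ssl settings
    set reqclientcert enable
end
```

After this, reference VPN_Users instead of SSLVPN in the SSL VPN portal mapping and firewall policies, as the next step describes.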
Now adjust the SSL VPN settings and firewall policies: replace the old group SSLVPN with the new one, VPN_Users.
Establish an SSL VPN connection from a PC, providing all required info. Test all possible scenarios:
- certificate without credentials - FAIL
- certificate with incorrect credentials - FAIL
- credentials without certificate - FAIL
- certificate with your credentials - SUCCESS
- certificate with someone else's credentials - SUCCESS
FortiGate doesn't have a mechanism to verify that the certificate validated via LDAP belongs to the same user as the credentials passed to the RADIUS server. If you need this additional level of security, you might consider investing in a FortiAuthenticator.