Problem

FortiGate is terminating an SSL VPN. AD users authenticate with certificates. The firewall is connected to AD using LDAP.

A user group is defined more or less as follows:

config user ldap
    edit "AD-LDAP-Server"
        set server "192.168.37.101"
        set cnid "cn"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=ADMIN_USER,CN=Users,DC=example,DC=com"
        set password YOUR_PASSWORD
    next
end

config user peer
    edit "LDAP-cert-check"
        set ca "CA_Cert_1"
        set ldap-server "AD-LDAP-Server"
        set ldap-mode principal-name
    next
end

config user group
    edit "SSLVPN"
        set member "LDAP-cert-check"
    next
end
Listing #1
  • CA_Cert_1 is a CA certificate obtained from a CA server (you'll find more about this in the Lab Setup section)

How can I introduce 2FA and add user/cert authentication in conjunction with certificate validation?

Solution

Keep the LDAP connection for certificate validation. Add RADIUS, so FortiGate can also check the username and password. It requires a redesign of the current solution on both the server and the firewall end, but it improves security by bringing 2FA into play.

Lab Setup

I'll show you how to build a lab and test it before you make any changes in production. Bear in mind that it's a test lab, so my goal is to build a working environment with minimal effort; I don't care about security or a 100% proper production configuration. Below is a simple diagram that is the starting point:

AD Server Setup

I already had that server in my lab, and there are plenty of tutorials on how to install Active Directory Domain Services and promote a server to a Domain Controller.

Then create users, join all other computers to the domain, create a group called SSLVPN and add some users to that group.

RADIUS Server Setup

On that server, install Certificate Authority and create a Root CA from PowerShell:

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
Listing #2

In Server Manager, click Tools and then click Certification Authority. Right-click your CA, and then click Properties.

In the new window you can view the certificate and copy it to a file. Do so; I saved it as CA_Cert1. Later you'll import it into FortiGate.

Now, install a RADIUS server:

Install-WindowsFeature NPAS -IncludeManagementTools
Listing #3

Add a RADIUS Client:

  • IP Address: 192.168.37.131
  • Shared Secret: YOUR_SECRET

Configure a new Connection Request Policy with Client IPv4 address condition set to FortiGate's IP address. Leave all other settings on default values.

Then proceed to Network Policies and add a new one. As a condition, choose the SSLVPN group:

Go to the next tab and, for the authentication method, select only MS-CHAP-v2:

In the last tab, you have to configure vendor-specific settings:

  • Vendor Code: 12356 <– that is Fortinet's vendor code
  • Attribute Number: 1 <– it means Fortinet-Group-Name. The whole list is available here.
  • String: VPN_Group <– it must match the group name configured on the FortiGate

Laptop Setup

Install FortiClient VPN and, using MMC, request a personal user certificate:

In the next steps choose Active Directory Enrollment Policy and select the User template. Once the certificate is enrolled, open it and verify that the Subject Alternative Name has this value:

Other Name:
   Principal Name=username@domain.com
Listing #4

This is how it looks in my scenario:

That is crucial for the whole process, as FortiGate validates the certificate owner based on the Principal Name.

You can configure FortiClient connection details in advance.

FortiGate Setup

I assume that SSL VPN is already configured, that the config from Listing #1 is already applied and that you uploaded CA_Cert_1 as a CA Certificate.

NOTE: if you do it on the evaluation VM, CA import will fail due to limitations. You need a valid license.

Configure a RADIUS server:

config user radius
    edit "Radius-W2012"
        set server "192.168.37.102"
        set secret YOUR_SECRET
        set auth-type ms_chap_v2
    next
end
Listing #5

Do not test user credentials from the GUI. From my observations, it uses PAP only, regardless of your configuration (FortiOS 6.0.6). Test from the command line instead:

FGT# diag test authserver radius Radius-W2012 mschap2 YOUR_USER YOUR_PASSWORD
authenticate 'YOUR_USER' against 'mschap2' succeeded, server=primary assigned_rad_session_id=2045892738 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - VPN_Group
Listing #6

If you have any issues at this stage, double-check your configuration and enable debugging:

diag debug app fnbamd -1
diag debug en
Listing #7

We leave the user peer LDAP-cert-check as it is. Its configuration is correct: it points to the right CA certificate and validates the Principal Name. Let's create a new user group that takes into account both certificate validation and user credentials:

config user group
    edit "VPN_Users"
        set member "LDAP-cert-check" "Radius-W2012"
        config match
            edit 1
                set server-name "Radius-W2012"
                set group-name "VPN_Group"
            next
        end
    next
end
Listing #8

Or, if you prefer the GUI:

Make sure you require a client certificate in the general SSL VPN settings:

Now adjust the SSL VPN settings and firewall policies: replace the old group SSLVPN with the new one, VPN_Users.

Test Setup

Establish an SSL VPN connection from the PC, providing all required info. Test all possible scenarios:

  • certificate without credentials - FAIL
  • certificate with incorrect credentials - FAIL
  • credentials without certificate - FAIL
  • certificate with your credentials - SUCCESS
  • certificate with someone else's credentials - SUCCESS

FortiGate doesn't have a mechanism to verify that the certificate validated via LDAP belongs to the same user whose credentials were passed to the RADIUS server. If you need this additional level of security, you might consider investing in FortiAuthenticator.
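The gap named above is that nothing compares the certificate's Principal Name with the RADIUS username. The following added example (not code from the original post or from Fortinet) shows what that comparison looks like: it builds a constructed SAN extension value like the one in Listing #4, extracts the UPN from its otherName entry with a small DER walker, and checks it against the account name sent to RADIUS. The domain, user names and SAN builder are assumptions made for the demo.

```python
from typing import Optional
# Added example, not code from the original post or from Fortinet: a minimal DER
# walker that pulls the Principal Name (UPN, OID 1.3.6.1.4.1.311.20.2.3) out of a
# SAN extension value (Listing #4) and checks it against the RADIUS account.
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3
def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def build_san(upn: str, dns: Optional[str] = None) -> bytes:
    """Constructed SAN value: otherName [0] with the UPN, optional dNSName [2]."""
    other = _tlv(0x06, UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
    names = _tlv(0xA0, other)
    if dns:                                 # a non-UPN entry the parser must skip
        names += _tlv(0x82, dns.encode("ascii"))
    return _tlv(0x30, names)

def _walk(der: bytes):
    """Yield (tag, body) for each TLV inside a DER-encoded sequence body."""
    i = 0
    while i < len(der):
        tag, ln, i = der[i], der[i + 1], i + 2
        if ln & 0x80:                       # long form: next k bytes hold length
            k = ln & 0x7F
            ln, i = int.from_bytes(der[i:i + k], "big"), i + k
        yield tag, der[i:i + ln]
        i += ln

def extract_upn(san_der: bytes) -> Optional[str]:
    """Return the Principal Name carried in a SAN extension value, or None."""
    _, names = next(_walk(san_der))         # outer GeneralNames SEQUENCE
    for tag, body in _walk(names):
        if tag != 0xA0:                     # only otherName can carry a UPN
            continue
        (oid_tag, oid), (_, explicit) = list(_walk(body))[:2]
        if oid_tag == 0x06 and oid == UPN_OID:
            vtag, value = next(_walk(explicit))
            if vtag == 0x0C:                # UTF8String
                return value.decode("utf-8")
    return None

def cert_matches_radius_user(san_der: bytes, radius_user: str, domain: str) -> bool:
    """True when the cert UPN names the account sent to RADIUS ('user', 'DOMAIN\\user')."""
    upn = extract_upn(san_der)
    account = radius_user.split("\\")[-1].split("@")[0]
    return upn is not None and upn.lower() == f"{account}@{domain}".lower()
```

In a real deployment this check would run where both values are visible, for example on an external RADIUS/authentication server, since FortiGate itself does not correlate them.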