FortiClient
Article Id 197007

 

Description

This article describes how to use IPSec VPN certificates and peer IDs for remote users.
Scope

- All FortiGate units running FortiOS v2.80 MR11.

- FortiClient 2.0.

Solution

When using certificates to authenticate remote VPN IPSec users, it is possible to configure the FortiGate unit to only authenticate certain certificates based on information in the Subject ('Issued Common Name') field.

Note: This article assumes that the reader is already familiar with the basic FortiGate and FortiClient VPN certificate configuration requirements.

To configure the FortiGate unit:

1) Go to VPN -> IPSec -> Phase 1.

2) Select Accept this peer ID.

The 'Subject' field of the certificate is the Peer ID value that the FortiGate unit uses to authenticate the remote user.

In the example above, it is simply the Common Name with an email address, but this could be a full Distinguished Name containing Country (C), Organization (O), Organizational Unit (OU), and Common Name (CN) information.

Peer ID authentication can then be based on the entire Subject field, or on just part of it.

 

If there are multiple remote VPN users with certificates, it is necessary to define each of these users on the FortiGate unit. Place them in a 'peer certificate group', and then authenticate on this group.

This allows a single Phase 1 configuration for all the remote users. It can also be used to control precisely which FortiClient (certificate) can or cannot authenticate, as long as each one has unique Subject information.

This feature can only be configured via CLI commands. See the example below:

 

# config user peer
    edit "user2"
        set ca "CA_Cert_1"
        set cn "user2@here.com"
    next
    edit "user1"
        set ca "CA_Cert_1"
        set cn "user1@here.com"
    next
end

# config user peergrp
    edit "certgroup"
        set member "user1" "user2"
    next
end
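To make the matching behaviour concrete, the following added Python model (not FortiOS code, and not part of this article) walks through how a peer group like 'certgroup' accepts or rejects a presented certificate. The rules it applies (the issuing CA must match 'set ca'; a peer with 'set cn' matches the Common Name exactly; a peer configured on part of the Subject matches by substring) are assumptions drawn from the text above, and the 'sales' peer and all sample Subjects are constructed.

```python
"""Model of FortiGate 'user peer' / 'user peergrp' certificate matching.
Added illustration only: this is not FortiOS code, and the matching rules
(exact CN match, or substring match on the whole Subject) are assumptions
drawn from the article, not the product's actual implementation."""
from dataclasses import dataclass
from typing import Optional

def parse_subject(subject: str) -> dict:
    """Parse a Subject DN such as 'C=US, O=Example, OU=Sales, CN=user1@here.com'
    (or the slash form '/C=US/O=Example/CN=...') into an {attribute: value} dict."""
    text = subject.strip()
    parts = text.strip("/").split("/") if text.startswith("/") else text.split(",")
    dn = {}
    for part in parts:
        key, _, value = part.strip().partition("=")
        if key:
            dn[key.strip().upper()] = value.strip()
    return dn

@dataclass
class Peer:
    name: str
    ca: str                        # 'set ca': name of the issuing CA certificate
    cn: Optional[str] = None       # 'set cn': exact match on the Common Name only
    subject: Optional[str] = None  # partial match on the whole Subject string

    def matches(self, issuer_ca: str, subject: str) -> bool:
        if issuer_ca != self.ca:
            return False           # certificate must come from the configured CA
        if self.cn is not None:
            return parse_subject(subject).get("CN") == self.cn
        if self.subject is not None:
            return self.subject in subject
        return False               # no Subject constraint configured: accept nothing

def authenticate(peergrp: list, issuer_ca: str, subject: str) -> Optional[str]:
    """Return the name of the first peer in the group accepting the certificate, else None."""
    for peer in peergrp:
        if peer.matches(issuer_ca, subject):
            return peer.name
    return None

# Constructed sample group mirroring the article's CLI example, plus one
# hypothetical peer that matches on part of the Subject instead of the CN.
CERTGROUP = [
    Peer("user1", ca="CA_Cert_1", cn="user1@here.com"),
    Peer("user2", ca="CA_Cert_1", cn="user2@here.com"),
    Peer("sales", ca="CA_Cert_1", subject="OU=Sales, O=Example"),
]
```

The third peer shows why each certificate needs unique Subject information: a partial-Subject rule accepts every certificate from that CA whose Subject contains the fragment, so a too-broad fragment silently widens who can authenticate.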

 

The 'ca' information is obtained from the web-based manager by going to VPN -> Certificates -> CA Certificates, and using the Name from the list.

It is also possible to obtain this information with the CLI command 'execute vpn cert ca list'.

Once the user peer and user peergrp entries have been configured from the CLI, they are displayed, and can be edited, in the web-based manager.

 

An authenticated remote FortiClient user will be displayed as follows in the FortiGate unit's IPSec Monitor.

 
