- Configure SSL VPN settings and policies.
Settings:
config vpn ssl settings
set reqclientcert enable
set servercert "self-sign"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set source-interface "port1"
set source-address "all"
set source-address6 "all"
set default-portal "full-access"
config authentication-rule
edit 1
set groups "ssl-vpn"
set portal "full-access"
next
end
end
Portal:
show vpn ssl web portal full-access
config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set ipv6-tunnel-mode enable
set web-mode enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
set split-tunneling disable
set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
next
end
Policy:
config firewall policy
edit 1
set name "ssl-access"
set uuid f64bd9ca-0180-51eb-bd8d-239943fc4b37
set srcintf "ssl.root"
set dstintf "port1"
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set groups "ssl-vpn"
set nat enable
next
end
- Configure FortiClient as below.
- Make sure the correct client certificate is selected.
- Connecting to the VPN only requires the user's certificate. It does not require a username or password.
Results:
The user connects successfully; the fnbamd and sslvpnd debug output below shows the certificate being matched to the group and the LDAP lookup that follows.
[1755] cert_check_group_list-checking group type 1 group name 'ssl-vpn'
[1466] peer_subject_cn_check-Cert subject 'CN = test1'
[1630] check_add_peer-check peer user 'user1' in group 'ssl-vpn', result is 4
[1566] add_group_list-Add group 'ssl-vpn'
[1779] cert_check_group_list-Status pending for group 'ssl-vpn'
[1889] fnbamd_auth_cert_check_status-res=4
[1714] fnbamd_ldap_init-search filter is: (&(userPrincipalName=test1@athiralab.net)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) <-----
[1723] fnbamd_ldap_init-search base is: DC=athiralab,DC=net
[1138] __fnbamd_ldap_dns_cb-Resolved ldap:10.220.11.9 to 10.220.11.9, cur stack size:1
[1144] __fnbamd_ldap_dns_cb-Connection starts ldap:10.220.11.9, addr 10.220.11.9
[867] __fnbamd_ldap_start_conn-Still connecting 10.220.11.9.
[1995] create_auth_cert_session-fnbamd_auth_cert_start returns 4, id=417595147
[1095] __ldap_connect-tcps_connect(10.220.11.9) is established.
[973] __ldap_rxtx-state 3(Admin Binding)
[206] __ldap_build_bind_req-Binding to 'CN=Administrator,CN=Users,dc=athiralab,dc=net'
[927] fnbamd_ldap_send-sending 71 bytes to 10.220.11.9
[939] fnbamd_ldap_send-Request is sent. ID 1
[973] __ldap_rxtx-state 4(Admin Bind resp)
[970] __fnbamd_ldap_read-Read 8
[1076] fnbamd_ldap_recv-Leftover 2
[970] __fnbamd_ldap_read-Read 14
[1150] fnbamd_ldap_recv-Response len: 16, svr: 10.220.11.9
[831] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[866] fnbamd_ldap_parse_response-ret=0
[1040] __ldap_rxtx-Change state to 'DN search'
[973] __ldap_rxtx-state 11(DN search)
[594] fnbamd_ldap_build_dn_search_req-base:'DC=athiralab,DC=net' filter:(&(userPrincipalName=test1@athiralab.net)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) <-----
[927] fnbamd_ldap_send-sending 147 bytes to 10.220.11.9
[939] fnbamd_ldap_send-Request is sent. ID 2
[973] __ldap_rxtx-state 12(DN search resp)
[970] __fnbamd_ldap_read-Read 8
[1076] fnbamd_ldap_recv-Leftover 2
[970] __fnbamd_ldap_read-Read 52
[1150] fnbamd_ldap_recv-Response len: 54, svr: 10.220.11.9
[831] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[866] fnbamd_ldap_parse_response-ret=0
[1212] __fnbamd_ldap_dn_entry-Get DN 'CN=test1,CN=Users,DC=athiralab,DC=net'
[100] ldap_dn_list_add-added CN=test1,CN=Users,DC=athiralab,DC=net
.
.
.
[16407:root:97]deconstruct_session_id:426 decode session id ok, user=[user1,cn=test1],group=[ssl-vpn],authserver=[ldap],portal=[full-access],host=[10.5.27.83],realm=[],idx=0,auth=32,sid=457a2555,login=1601406405,access=1601406405,saml_logout_url=no
[16407:root:97]deconstruct_session_id:426 decode session id ok, user=[user1,cn=test1],group=[ssl-vpn],authserver=[ldap],portal=[full-access],host=[10.5.27.83],realm=[],idx=0,auth=32,sid=457a2555,login=1601406405,access=1601406405,saml_logout_url=no
# get vpn ssl monitor
SSL VPN Login Users:
Index User Group Auth Type Timeout From HTTP in/out HTTPS in/out
0 user1,cn=test1 ssl-vpn 32(1) 280 10.5.27.83 0/0 0/0
SSL VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 user1,cn=test1 ssl-vpn 10.5.27.83 160 17658/4966 10.212.134.200
# diag firewall auth list
10.212.134.200, user1,cn=test1
type: fw, id: 0, duration: 161, idled: 161
expire: 28636, allow-idle: 28797
flag(80): sslvpn
server: ldap
packets: in 0 out 0, bytes: in 0 out 0
group_id: 2
group_name: ssl-vpn
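The debug output above is what an administrator reads to confirm that the certificate, the group match and the LDAP lookup all line up. The following Python script is an added example, not part of the original article or of FortiOS: it parses a constructed subset of the fnbamd/sslvpnd lines shown on this page, rebuilds the LDAP search filter that fnbamd logs for a UPN (the `:1.2.840.113556.1.4.803:=2` clause is the Active Directory bit-AND rule on `userAccountControl`, bit 0x2 being ACCOUNTDISABLE), and cross-checks the trace so that a missing disabled-account exclusion, a failed admin bind or a certificate CN that does not match the UPN is reported. The field names in `CertAuthTrace` and the checks in `check_trace` are the example's own assumptions about what a consistent trace looks like.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a subset of the fnbamd/sslvpnd debug lines reproduced on this page.
SAMPLE_DEBUG = """\
[1466] peer_subject_cn_check-Cert subject 'CN = test1'
[1630] check_add_peer-check peer user 'user1' in group 'ssl-vpn', result is 4
[1566] add_group_list-Add group 'ssl-vpn'
[1714] fnbamd_ldap_init-search filter is: (&(userPrincipalName=test1@athiralab.net)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) <-----
[1723] fnbamd_ldap_init-search base is: DC=athiralab,DC=net
[206] __ldap_build_bind_req-Binding to 'CN=Administrator,CN=Users,dc=athiralab,dc=net'
[831] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[866] fnbamd_ldap_parse_response-ret=0
[1212] __fnbamd_ldap_dn_entry-Get DN 'CN=test1,CN=Users,DC=athiralab,DC=net'
[16407:root:97]deconstruct_session_id:426 decode session id ok, user=[user1,cn=test1],group=[ssl-vpn],authserver=[ldap],portal=[full-access],host=[10.5.27.83],realm=[],idx=0,auth=32,sid=457a2555,login=1601406405,access=1601406405,saml_logout_url=no
"""

BIT_AND_OID = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND (Active Directory)
ACCOUNTDISABLE = 0x2                    # userAccountControl bit tested by the filter


@dataclass
class CertAuthTrace:
    # Field layout is this example's assumption, not a FortiOS structure.
    cert_cn: Optional[str] = None
    peer_user: Optional[str] = None
    group: Optional[str] = None
    group_result: Optional[int] = None
    search_filter: Optional[str] = None
    search_base: Optional[str] = None
    bind_dn: Optional[str] = None
    bind_ret: Optional[int] = None
    user_dn: Optional[str] = None
    session: dict = field(default_factory=dict)


def build_search_filter(upn: str) -> str:
    """Rebuild the filter fnbamd logs: match the UPN and exclude disabled accounts."""
    return f"(&(userPrincipalName={upn})(!(UserAccountControl:{BIT_AND_OID}:=2)))"


def account_disabled(uac: int) -> bool:
    """Model the bit-AND rule: the NOT clause drops any entry whose UAC has bit 0x2 set."""
    return bool(uac & ACCOUNTDISABLE)


_PATTERNS = {
    "cert": re.compile(r"Cert subject '([^']*)'"),
    "peer": re.compile(r"check peer user '([^']+)' in group '([^']+)', result is (\d+)"),
    "filter": re.compile(r"search filter is: (\S+)"),
    "base": re.compile(r"search base is: (\S+)"),
    "bind": re.compile(r"Binding to '([^']+)'"),
    "msg": re.compile(r"Got one MESSAGE\. ID:(\d+), type:(\S+)"),
    "ret": re.compile(r"fnbamd_ldap_parse_response-ret=(-?\d+)"),
    "dn": re.compile(r"Get DN '([^']+)'"),
    "session": re.compile(r"decode session id ok, (.*)$"),
}
_KV = re.compile(r"(\w+)=(\[[^\]]*\]|[^,]*)")  # key=[value] or key=value pairs


def parse_fnbamd_trace(text: str) -> CertAuthTrace:
    t = CertAuthTrace()
    last_msg_type = None
    for line in text.splitlines():
        if m := _PATTERNS["cert"].search(line):
            cn = re.search(r"CN\s*=\s*([^,]+)", m.group(1))
            t.cert_cn = cn.group(1).strip() if cn else None
        elif m := _PATTERNS["peer"].search(line):
            t.peer_user, t.group, t.group_result = m.group(1), m.group(2), int(m.group(3))
        elif m := _PATTERNS["filter"].search(line):
            t.search_filter = m.group(1)
        elif m := _PATTERNS["base"].search(line):
            t.search_base = m.group(1)
        elif m := _PATTERNS["bind"].search(line):
            t.bind_dn = m.group(1)
        elif m := _PATTERNS["msg"].search(line):
            last_msg_type = m.group(2)          # the next ret= line belongs to this message
        elif m := _PATTERNS["ret"].search(line):
            if last_msg_type == "bind":
                t.bind_ret = int(m.group(1))
            last_msg_type = None
        elif m := _PATTERNS["dn"].search(line):
            t.user_dn = m.group(1)
        elif m := _PATTERNS["session"].search(line):
            t.session = {k: v.strip("[]") for k, v in _KV.findall(m.group(1))}
    return t


def check_trace(t: CertAuthTrace) -> list:
    """Cross-check the parsed trace; returns findings (empty when everything is consistent)."""
    findings = []
    if not t.cert_cn:
        findings.append("no client certificate subject CN seen")
    if t.search_filter:
        upn = re.search(r"userPrincipalName=([^)]+)", t.search_filter)
        if not upn:
            findings.append("search filter does not pin userPrincipalName")
        elif t.cert_cn and upn.group(1).split("@")[0] != t.cert_cn:
            findings.append(f"UPN {upn.group(1)} does not match cert CN {t.cert_cn}")
        if f"UserAccountControl:{BIT_AND_OID}:=2" not in t.search_filter:
            findings.append("search filter does not exclude disabled accounts")
    else:
        findings.append("no LDAP search filter seen")
    if t.bind_ret != 0:
        findings.append(f"admin bind result {t.bind_ret}")
    if not t.user_dn:
        findings.append("no user DN returned by DN search")
    if t.session.get("group") != t.group:
        findings.append("session group differs from the group matched by the certificate")
    if t.session.get("authserver") != "ldap":
        findings.append("session not authenticated via the LDAP server")
    return findings


if __name__ == "__main__":
    trace = parse_fnbamd_trace(SAMPLE_DEBUG)
    print(trace.cert_cn, trace.user_dn, trace.session.get("portal"))
    print("findings:", check_trace(trace) or "none")
```

Feed the script the output of `diagnose debug application fnbamd -1` and `diagnose debug application sslvpn -1` captured during a test login; an empty findings list means the certificate CN, the LDAP filter, the admin bind and the resulting session all agree. Removing the `UserAccountControl` clause from the logged filter, or a non-zero bind result, is reported as a finding.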
Note:
From FortiOS v7.4.1 onward, RADIUS is also supported for client certificate authentication. Refer to the document below for more information:
Related document.