FortiGate
fquerzo_FTNT
Staff
Article Id 190874
Description
This article provides a sample configuration for an SSL VPN user who authenticates with a FortiToken as the second factor and who must additionally present a client certificate that the FortiGate verifies against a trusted CA.

Scope
FortiOS 6.4.5 and later.

Solution
1) Create a user with a FortiToken assigned as the second factor:
# config user local
    edit "userA"
        set type ldap                   <----- Any user type can be used (it does not have to be an LDAP user).
        set two-factor fortitoken
        set fortitoken "FTKMOBXXXXXXXX" <----- Serial number of a FortiToken already activated on this FortiGate.
        set email-to "aaa@lab.lab"
        set ldap-server "LDAP_lab"
    next
end
2) Import the CA certificate that issued the client certificates the users will present:
Go to System -> Certificates -> Import -> CA Certificate.

3) Define the certificate matching criteria (the peer object):
# config user peer
    edit "test"
        set ca "CA_Cert_1"              <----- The CA imported in step 2). Additional matching criteria such as the subject (set subject) or the CN (set cn) can be added here.
    next
end
NOTE.
Machine/computer certificates can be used instead of user certificates, as long as they are issued by the same CA.


4) Bind the user to the certificate check with an SSL VPN authentication rule:
# config vpn ssl settings
    config authentication-rule
        edit 1
            set users "userA"
            set portal "full-access"
            set client-cert enable      <----- A client certificate is mandatory for this rule.
            set user-peer "test"        <----- The certificate must match the peer defined in step 3).
        next
    end
end
5) The firewall policy only needs to reference the user defined in step 1). The certificate check is enforced by the authentication rule from step 4), so the policy itself does not refer to the peer object:
# config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_pool"
        set dstaddr "example.com"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set users "userA"
        set nat enable
    next
end
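As an added example (not part of the Fortinet article, and not a FortiGate command), the following POSIX shell script uses openssl to reproduce, on a workstation, the two checks that steps 2) and 3) configure on the FortiGate: that a client certificate chains to the imported CA, and that its subject CN matches the expected user (what a `set cn` criterion on the peer would compare). It builds a throwaway lab CA and two certificates, one issued by that CA for "userA" and one self-signed with the same CN, so it runs offline; the CA name, user name and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Fortinet's code): emulate the SSL VPN client-certificate
# checks with openssl. "Lab Root CA" stands in for the CA imported as
# "CA_Cert_1"; "userA" matches the user created in step 1). All constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed lab CA (the certificate a FortiGate admin would import in step 2).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a user certificate signed by the lab CA; $1 is the CN placed in the subject.
make_user_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Self-signed certificate with the same CN but NOT issued by the lab CA.
# This is the case the peer's "set ca" check must reject.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1
}

# Check 1 (set ca): does the certificate chain to the trusted CA? Exit 0 = yes.
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Check 2 (set cn): extract the subject CN for comparison.
subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Combined decision: accept only if the chain is valid AND the CN is the expected one.
# $1 = certificate file, $2 = expected CN.
accept_cert() {
  chains_to_ca "$1" && [ "$(subject_cn "$1")" = "$2" ]
}

# Demo run: one legitimate user certificate, one rogue certificate.
make_ca
make_user_cert userA
make_rogue_cert userA
if accept_cert "$WORK/userA.pem" userA; then
  echo "userA.pem: accepted (chains to Lab Root CA, CN=userA)"
fi
if accept_cert "$WORK/rogue.pem" userA; then
  echo "rogue.pem: accepted"
else
  echo "rogue.pem: rejected (CN matches but does not chain to Lab Root CA)"
fi
```

The rogue certificate shows why the `set ca` criterion on the peer object is the one that actually carries the security: a CN match alone is trivially forged by anyone who can mint a self-signed certificate, so any additional matching criteria only narrow down which certificates issued by the trusted CA are accepted.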

Related Articles

Technical Note: FortiClient with user certificate stored in local machine certification store

Technical Tip: RADIUS authentication and client certificates in SSL VPN
