- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: SSLVPN client certs and radius
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSLVPN client certs and radius
I see this has been added in 7.4, which is a good thing, but it is somehow very limited.
UPDATE: correct link is: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/471933
I would need a little more flexibility concerning the certificate attributes to pass on to Radius.
Why can't I just freely choose any free-text attribute present in the cert? Are there maybe some hidden/CLI commands?
Authentication would be the fact that the user has presented a trusted client cert (issued from one of the installed CAs).
Authorization would come from the Radius server, i.e. the user group / portal to use depends on some attribute from the cert sent to and evaluated by Radius.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello jammac,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does your radius pull your user creds from your windows AD LDAP? If so, you can use your radius as an authentication proxy like you would with FAC. You'll need to make your Fortigate a radius client, then it will proxy authentication requests to ldap. See option 3 here https://vidmate.bid/
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Subject value matching is actually more tricky than it seems.
It's not possible to truly filter it as free-form text because the Subject value isn't just plain text. It's a chain of ASN.1 encoded TLV (type-length-value) pairs. And each type is is not represented by a simple string such as "CN", but with an OID ("2.5.4.3" for CN). So in order for the FortiGate to be able to filter it, it needs to know it (how it translates to an OID).
With that said, the most common elements are supported (CN, O, OU, DC,.. maybe more?). Is there anything specific in mind that you're missing?
Lastly, while the doc doesn't show it, you can filter for multiple elements, e.g. set subject "CN=John Doe, OU=MyDepartment, O=MyCompany".
[ corrections always welcome ]
Created on 04-25-2024 06:05 AM Edited on 04-25-2024 06:07 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure but the problem is sending the info to radius
config user radius
edit <name>
set account-key-processing {same | strip}
set account-key-cert-field {othername | rfc822name | dnsname} <----- not many options
next
endAlso it requires adding a local user.... it would be best if it would just take the cert and forward certain attributes to radius for authn/authz.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm honestly confused what a realistic real-world usage of this would be. All RADIUS servers I have ever encountered have required a valid password, and I am not quite sure how the FortiGate is supposed to fabulate one here.
I think you'd be better of either using existing and well-tested cert+LDAP integrations (~authenticate with a client-cert, get groups via LDAP, using SAN content as user identity in LDAP lookups).
Or go fully RADIUS with EAP-TLS. (limited number of features that support this: IPsec IKEv2, wifi-auth, switch 802.1x)
[ corrections always welcome ]
Related Posts
- Fortigate as SSL VPN Client -... 113 Views
- Understanding sslvpn logs 205 Views
- FortiAuthenticator Realms 244 Views
- SSLVPN client certs and radius 300 Views
- User Getting The server you want... 326 Views
Labels
-
FortiGate
6,652 -
FortiClient
1,326 -
5.2
801 -
5.4
639 -
FortiManager
576 -
FortiAnalyzer
420 -
6.0
416 -
5.6
362 -
FortiSwitch
341 -
FortiAP
339 -
FortiClient EMS
270 -
FortiMail
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
158 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
Logging
12 -
LDAP
11 -
VDOM
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
fortilink
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.