3) Create the PKI peer user and bind it to the imported CA certificate:
# config user peer
edit pki-admin
set ca CA_Cert_1
end

With only "set ca" configured, any certificate issued by CA_Cert_1 matches this peer entry. To tie the entry to one certificate holder, also restrict it with "set subject" (or "set cn") so that the subject seen later in the fnbamd debug output is required, not just the issuing CA.

4) Add the PKI user to a firewall group:
# config user group
edit PKI-group
set member pki-admin
end

5) Create an admin user, enable peer authentication, and select the created group:
# config system admin
edit admin-username
set peer-auth enable
set accprofile "super_admin"
set peer-group "PKI-group"
end

On the client PC: connect to the FortiGate over HTTPS and present the user certificate issued by the imported CA. The FortiGate maps the certificate to pki-admin through PKI-group and opens the admin-username session.
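The certificate side of this setup, as an added example that is not part of the Fortinet article: a POSIX shell script using openssl that creates the CA to import on the FortiGate (the file that becomes CA_Cert_1), issues the admin's client certificate from it, answers the same chain question fnbamd answers with "Trusted CA found", checks that the client certificate's issuer DN equals the CA's subject DN, and bundles key and certificate as PKCS#12 for the client PC. The distinguished names mirror those in the debug trace below; the file names, key size, validity periods and export password are assumptions.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: build the certificates behind
# the PKI admin login above and check them the way fnbamd does.
# CA_SUBJ / USER_SUBJ mirror the DNs in the debug trace; file names, key size,
# validity periods and the PKCS#12 export password are assumptions.
set -eu

CA_SUBJ="/C=US/ST=Florida/L=Sunrise/O=Fortinet/OU=Fortinet-TAC/CN=CA-root/emailAddress=email@email.com"
USER_SUBJ="/C=US/ST=Florida/O=Fortinet/OU=Fortinet-TAC/CN=user/emailAddress=email@email.com"

# Self-signed CA. ca.crt is the file to import on the FortiGate as a CA
# certificate (it then appears under a name such as CA_Cert_1).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "$CA_SUBJ" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Client certificate for the admin, signed by that CA.
make_user_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "$USER_SUBJ" -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/user.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/user.crt" 2>/dev/null
}

# Same question fnbamd answers with "chain_verify-Trusted CA found": does the
# presented certificate ($2) chain to the trusted CA ($1)? Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Issuer DN of the client cert ($2) must equal the subject DN of the CA ($1)
# the FortiGate holds; returns 1 on mismatch. A matching DN alone is not
# enough: the signature must also verify, which is what verify_chain tests.
issuer_matches_ca() {
    ca_subject=$(openssl x509 -in "$1" -noout -subject)
    cert_issuer=$(openssl x509 -in "$2" -noout -issuer)
    [ "${ca_subject#subject=}" = "${cert_issuer#issuer=}" ]
}

# Key + certificate (+ CA) as PKCS#12 for import into the client PC's
# browser or OS certificate store. $2 is the export password.
make_p12() {
    openssl pkcs12 -export -inkey "$1/user.key" -in "$1/user.crt" \
        -certfile "$1/ca.crt" -name "pki-admin" -passout "pass:$2" \
        -out "$1/user.p12"
}

# Full run: generate, check, bundle. Usage: sh pki_admin_certs.sh run
run_lab() {
    dir=$(mktemp -d)
    make_ca "$dir"
    make_user_cert "$dir"
    echo "chain check: $(verify_chain "$dir/ca.crt" "$dir/user.crt")"
    issuer_matches_ca "$dir/ca.crt" "$dir/user.crt" && echo "issuer DN matches CA subject"
    make_p12 "$dir" "changeme"
    echo "files written to $dir"
}

if [ "${1:-}" = run ]; then
    run_lab
fi
```

If verify_chain prints FAIL for a certificate that the FortiGate also rejects, the CA imported on the device is not the one that signed the client certificate (a second CA with the same subject DN but a different key still fails the chain check), which is the usual reason the fnbamd trace never reaches "Trusted CA found".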
Troubleshooting:
Enabling debug output for the "fnbamd" daemon on the FortiGate (di de is the short form of diagnose debug) shows the certificate presented by the user being verified against the CA imported on the FortiGate and then matched to the peer user and its group:
FGT-5_4 # di de application fnbamd -1
FGT-5_4 # di de en
FGT-5_4 # [2197] handle_req-Rcvd auth_cert req id=1168321813
[1440] check_cert-Certificate chain depth 0, max chain depth 8
[1445] check_cert-Subject name 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1446] check_cert-Issuer name 'C = US, ST = Florida, L = Sunrise, O = Fortinet, OU = Fortinet-TAC, CN = CA-root, emailAddress = email@email.com'
[1376] chain_verify-Trusted CA found: CA_Cert_1
[1922] fnbamd_auth_cert_start-Cert subject 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1765] cert_check_group_list-checking group type 1 group name 'PKI-group'
[1658] check_add_peer-check peer user 'pki-admin' in group 'PKI-group', result is 0
[1783] cert_check_group_list-Matched group 'PKI-group'
[180] fnbamd_comm_send_result-Sending result 0 (error 0) for req 1168321813
Result 0 (error 0) means fnbamd accepted the certificate. The admin session list then confirms the HTTPS login of admin-username next to the existing SSH session of admin:
FGT-5_4 # get system admin list
username        local  device                 vdom  profile      remote                 started
admin           ssh    port9:10.10.10.20:22   root  super_admin  192.168.200.100:51326  2016-12-19 12:50:13
admin-username  https  port9:10.10.10.20:443  root  super_admin  192.168.200.100:51740  2016-12-19 13:02:59
Copyright 2024 Fortinet, Inc. All Rights Reserved.