Description

This article shows how to configure administrator certificate-based authentication on the FortiGate.

The following certificates are required to configure admin certificate authentication:
- User certificate
- Root CA certificate that signed the user certificate

Solution

To configure admin certificate-based authentication, follow the steps below.

On the FortiGate:
1) Enable the "Certificate Feature" if it is not already enabled (go to System -> Feature Select).
2) Import the CA certificate under external CA Certificates (go to System -> Certificates -> Import -> CA Certificate).
Once imported, the certificate is shown as CA_Cert_1 (if a second CA certificate is imported, it is shown as CA_Cert_2, and so on).
3) Create a PKI user:
#config user peer
edit pki-admin
set ca CA_Cert_1
end
4) Add the PKI user to a firewall group:
#config user group
edit PKI-group
set member pki-admin
end
5) Create an admin user, enable peer authentication, and select the created group:
#config system admin
edit admin-username
set peer-auth enable
set accprofile "super_admin"
set peer-group "PKI-group"
end
On the client PC:
1) Import the user certificate into the web browser and verify that it appears in the "Personal Store".

Results:

When accessing the FortiGate web GUI, the browser prompts the user to select the user certificate to authenticate with:

Troubleshooting:
With debugging enabled for the "fnbamd" application on the FortiGate, it can be observed that the certificate presented by the user is checked against the CA imported on the FortiGate, and then against the peer user and group:
FGT-5_4 # di de application fnbamd -1
FGT-5_4 # di de en
FGT-5_4 # [2197] handle_req-Rcvd auth_cert req id=1168321813
[1440] check_cert-Certificate chain depth 0, max chain depth 8
[1445] check_cert-Subject name 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1446] check_cert-Issuer name 'C = US, ST = Florida, L = Sunrise, O = Fortinet, OU = Fortinet-TAC, CN = CA-root, emailAddress = email@email.com'
[1376] chain_verify-Trusted CA found: CA_Cert_1
[1922] fnbamd_auth_cert_start-Cert subject 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1765] cert_check_group_list-checking group type 1 group name 'PKI-group'
[1658] check_add_peer-check peer user 'pki-admin' in group 'PKI-group', result is 0
[1783] cert_check_group_list-Matched group 'PKI-group'
[180] fnbamd_comm_send_result-Sending result 0 (error 0) for req 1168321813
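The fnbamd output above contains every decision point of this setup: the issuer check against the imported CA, the peer-user check, and the group match. The following added helper (not part of the article or of FortiOS) parses such a capture, using the lines quoted above as a constructed sample, and reports which of those steps is missing when a login fails; the line patterns and the truncated failure capture are assumptions based only on the output shown here.

```python
import re

# Constructed sample: the fnbamd debug lines quoted in the article (successful login).
FNBAMD_OK = """\
FGT-5_4 # [2197] handle_req-Rcvd auth_cert req id=1168321813
[1440] check_cert-Certificate chain depth 0, max chain depth 8
[1445] check_cert-Subject name 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1446] check_cert-Issuer name 'C = US, ST = Florida, L = Sunrise, O = Fortinet, OU = Fortinet-TAC, CN = CA-root, emailAddress = email@email.com'
[1376] chain_verify-Trusted CA found: CA_Cert_1
[1765] cert_check_group_list-checking group type 1 group name 'PKI-group'
[1658] check_add_peer-check peer user 'pki-admin' in group 'PKI-group', result is 0
[1783] cert_check_group_list-Matched group 'PKI-group'
[180] fnbamd_comm_send_result-Sending result 0 (error 0) for req 1168321813
"""

# One capture group per field (patterns assumed from the lines above); a missing line leaves the field at None.
PATTERNS = {
    "req_id": r"handle_req-Rcvd auth_cert req id=(\d+)",
    "subject_cn": r"check_cert-Subject name '.*?CN = ([^,']*)",
    "issuer_cn": r"check_cert-Issuer name '.*?CN = ([^,']*)",
    "trusted_ca": r"chain_verify-Trusted CA found: (\S+)",
    "peer_user": r"check_add_peer-check peer user '([^']*)' in group",
    "matched_group": r"cert_check_group_list-Matched group '([^']*)'",
    "result": r"fnbamd_comm_send_result-Sending result (\d+) \(error",
    "error": r"fnbamd_comm_send_result-Sending result \d+ \(error (\d+)\)",
}

def parse_fnbamd_cert_auth(text):
    """Pull the fields that decide an admin certificate login out of fnbamd debug output."""
    info = {key: None for key in PATTERNS}
    for line in text.splitlines():
        for key, pattern in PATTERNS.items():
            m = re.search(pattern, line)
            if m:
                info[key] = m.group(1)
    for key in ("result", "error"):
        if info[key] is not None:
            info[key] = int(info[key])
    return info

def verdict(info):
    """Map the parsed fields onto the failure points of the setup described in this article."""
    if info["trusted_ca"] is None:
        return "no 'Trusted CA found' line: issuer %r did not chain to an imported CA" % info["issuer_cn"]
    if info["matched_group"] is None:
        return "no 'Matched group' line: no peer user in the admin's peer-group accepted the cert"
    if info["result"] != 0:
        return "fnbamd sent result %d (error %d)" % (info["result"], info["error"])
    return "ok: %s authenticated as peer %r via group %r" % (info["subject_cn"], info["peer_user"], info["matched_group"])
```

A capture that stops after the Issuer line (no "Trusted CA found") points at the CA import in step 2; a capture with a trusted CA but no "Matched group" points at the peer user or the admin's peer-group in steps 3 to 5.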
FGT-5_4 # get system admin list
username local device vdom profile remote started
admin ssh port9:10.10.10.20:22 root super_admin 192.168.200.100:51326 2016-12-19 12:50:13
admin-username https port9:10.10.10.20:443 root super_admin 192.168.200.100:51740 2016-12-19 13:02:59