Certificate Authentication with FortiGate and FortiClient

Jul 26, 2024

Certificate Authentication Implementation with FortiGate Firewall and FortiClient

Overview

  • This video covers two implementations for certificate authentication using:
    • FortiGate Firewall (FortiGate)
    • FortiClient
    • Protocol used: IPsec

Prerequisites

  • Basic understanding of certificates:
    • Private Keys
    • Public Keys
    • Certificate Authorities (CAs)
    • Signing process
  • Pre-configured IPsec dial-up using a pre-shared key.
  • Pre-configured LDAP server on FortiGate.

Suggested Tools for Certificate Generation

  • FortiAuthenticator (used in this demo)
  • Other alternatives:
    • XCA
    • Microsoft CA
    • Microsoft IIS
    • OpenSSL

Implementation Steps

Certificate Creation Process

  1. Create Certificate Authority (CA):

    • Use FortiAuthenticator to create a local CA named ttp fortinet.
    • Export the CA certificate (public key).
  2. Create User Certificates:

    • Navigate to End Entities -> Users in FortiAuthenticator.
    • Create certificates for each user/device.
    • Each user will have a unique certificate (e.g., user cert 1, user cert 2, etc.).
    • Export each user certificate with both its private and public keys in PKCS#12 format.
  3. Certificate Placement:

    • Install CA and user certificates on each client machine and FortiGate firewall.
    • On the FortiGate, enable Certificates under Feature Visibility, then import the CA certificate and the FortiGate's own local server certificate.

Configure User Peer

  1. Create User Peer Reference in FortiGate:

    • Navigate to User & Authentication -> User Peer.
    • Reference CA certificate and user certificate.
    • Set the subject name to match the user certificate: cn=user cert 1.
    • Note: Log out and log back in to view the new PKI section.
  2. Create User Peer Group:

    • Use the CLI to create a peer group named pki users and add the user cert 1 peer to it.

Update IPsec Tunnel Configuration

  • Change the authentication method from pre-shared key to signature.
  • Select the FortiGate's local certificate as the server certificate.
  • Set the peer certificate group to pki users.

Installation on Client Machine

  • Install user certificate onto FortiClient.
  • Verify installation in the personal certificate store using MMC.
  • Confirm CA certificate in trusted root certification authorities.

Testing Connectivity

  • Attempt to connect as user cert 1 with the configured FortiClient.
  • The connection succeeds when the client presents a valid certificate that matches the User Peer group.

Implementation #2: Using LDAP Server

  1. Create User Certificate for LDAP:

    • Specify user principal name (UPN) in certificate: [email protected].
    • Export the key and certificate as before.
  2. Configure FortiGate for LDAP Authentication:

    • Reference the pre-configured LDAP server in the user peer settings.
    • Set the peer's authentication check to the LDAP server, so the certificate's UPN is validated against LDAP.
  3. IPsec Tunnel Configuration:

    • Switch the peer certificate group to ldap group in the tunnel settings.
    • Ensure the user certificate includes the user principal name.
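The FortiGate CLI equivalent of the user peer, peer group and tunnel settings described in the two implementations above, as an added example that is not from the video. The object names CA_Cert_1, ldap-server, FortiGate-cert and dialup are assumptions; replace them with the names on your unit. Lines starting with # are explanatory comments, not CLI input.

```fortios
# Implementation 1: peer matched by issuing CA plus certificate subject
config user peer
    edit "user cert 1"
        # imported CA certificate (name assumed)
        set ca "CA_Cert_1"
        # must match the subject of the user's certificate
        set subject "CN=user cert 1"
    next
end
config user peergrp
    edit "pki users"
        set member "user cert 1"
    next
end

# Implementation 2: peer validated against LDAP using the UPN in the certificate
config user peer
    edit "ldap-peer"
        set ca "CA_Cert_1"
        # pre-configured LDAP server object (name assumed)
        set ldap-server "ldap-server"
        # look the certificate's user principal name up in LDAP
        set ldap-mode principal-name
    next
end
config user peergrp
    edit "ldap group"
        set member "ldap-peer"
    next
end

# Dial-up tunnel: switch from pre-shared key to certificate (signature) authentication
config vpn ipsec phase1-interface
    # existing dial-up phase1 (name assumed)
    edit "dialup"
        set authmethod signature
        # the FortiGate's own server certificate (name assumed)
        set certificate "FortiGate-cert"
        set peertype peergrp
        # use "ldap group" instead for implementation 2
        set peergrp "pki users"
    next
end
```

A client whose certificate is valid but whose subject (or UPN) matches no peer in the referenced group is rejected during IKE, which is what the ike and fnbamd debug output in the troubleshooting section will show.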

Adding Additional Authentication Factors

  • Consider integrating XAuth for multi-factor authentication.
  • Create new user groups if necessary and reference them in tunnel settings.

Troubleshooting Tips

  • Use the following commands for debugging:
    • diag debug application ike -1
    • diag debug application fnbamd -1
    • diag debug enable
  • Review logs for information on IPsec and certificate authentication issues.

Conclusion

  • Successfully configured and tested certificate authentication with FortiGate and LDAP.
  • Viewers are encouraged to check the referenced videos for further understanding and troubleshooting.