In this video we will go over two different implementations for certificate authentication with a FortiGate firewall and FortiClient using IPsec. It'll help to have a little bit of certificate knowledge, such as understanding private keys, public keys, certificate authorities and the signing process. Also, I'm going to have a pre-configured IPsec dial-up configuration already using a pre-shared key, just so that all we have to do is focus on converting it to certificate authentication only, and additionally I'm going to have a pre-configured LDAP server on the FortiGate already. I've linked some suggested videos just in case you need a refresher on any of these items.

To generate certificates I'm going to be using FortiAuthenticator as the certificate authority. You could use FortiAuthenticator, you could use XCA, Microsoft CA, Microsoft IIS, OpenSSL, but in my case I'll use FortiAuthenticator. So then we're going to have to pretty much sign a certificate for every single user, every single user machine, and then we'll have just one certificate, the server certificate, that gets installed on the FortiGate firewall. Implementation number one will allow us to have the certificate verification being done on the FortiGate, whereas in implementation number two the certificate verification is going to be done on the LDAP server. So as you can imagine, you might want to stick with implementation number two if you're looking for something a little bit more scalable.

To start, let's create the certificates that we're going to need. I've already gone ahead and created a certificate authority on the FortiAuthenticator; it's under Certificate Management, Certificate Authorities, Local CAs. I named it TTP Fortinet, so I can just export that certificate to export the public key. Now let's create the certificate that's going to go on the FortiGate, so we go to End Entities, Users, and then let's create a certificate here. Now let's create a certificate for a user, so this would be the certificate that'll actually go on the FortiClient machine. I'll just keep my certificates very simple; usually you'd be filling out more of that information, but just for the purposes of this demo that's what we'll do.

Now we'll want both the private key and the public key, both for the certificate that goes on the FortiGate and for the certificates that are going to go on the FortiClient machines. I've only created one here, but in your case, if you had 10 users in the organization, you'd create user cert 1 to 10 and so on. So let's just go over one example of how on the FortiAuthenticator we export the key and the certificate, and then we have a passphrase which is going to allow us to get the private and the public key in a PKCS#12 file format. Perfect. And now I'll just go ahead and do the same thing for user cert 1. There we have it. So we have the CA certificate, and this one needs to be placed on every end machine as well as on the FortiGate, because it needs to validate the full chain of the other entity. Then we'll have this certificate that will go on the FortiClient machine, as well as this one that'll go on the FortiGate.

On the FortiGate, under Feature Visibility, we're going to want to enable Certificates if we haven't already, and then we'll go to the certificate section and we will import the CA certificate first. There we have it. Followed by importing, as a local certificate, the PKCS#12 certificate, which is the FortiGate certificate here, and we'll put in the password. And here's that imported certificate, the server certificate.

Okay, so now let's go into the FortiGate and let's create a user peer, which is going to, one, reference this CA_Cert_1, which is the CA certificate that we've imported, and two, also reference the user cert 1 certificate that we created on the FortiAuthenticator. In this case we're going to reference the subject name to identify that certificate, and we'll just name it, just to be consistent (it doesn't actually matter here), the same certificate name. So we'll go "set ca"; that's where we're going to reference the CA cert here, and then we're also going to reference the subject name and we'll just make that consistent with the certificate: CN = user cert 1. This is the value on the actual certificate that's going to be checked when authenticating to the FortiGate.

Real quickly, as a side note here, what this is going to do is create a new section under User & Authentication. As you can see, we can't see that section right now; the only way to see it is to log out and log back in, and now going forward we're going to see that section, PKI, under User & Authentication. So now we can actually add users and subject configurations via the GUI going forward. Now back to the CLI, as we still do require it to configure our user peer group. We'll just name this pki users, and we'll set the member as user cert 1, which I created via the CLI. So then, as we would have more users getting added, all we would do is this in the CLI whenever the user gets added, so that it gets dropped into that pki users group. I'll type "end" to save that configuration. Just to refresh here, "show user peer": the user user cert 1 is going to reside under "show peer", or sorry, "show user peer group". There we go.

Okay, so now that we've done all of this pre-configuration with user peers and importing the certificates, really the final step here is to go into our dial-up tunnel configuration. What we'll do is change the method from pre-shared key to signature, and we're going to specify FortiGate cert, which is the server certificate for the FortiGate. Then we'll change the accept types from anything else to the peer certificate group, and now we're going to define that peer certificate group that we created via the CLI. Then let's just make sure that XAuth is disabled. Now the authentication is going to require that we match a user that's in the pki users group, which in our case is going to be that user, user cert 1, which we created via the CLI and specified the subject.

Now let's go on to our Windows machine that has FortiClient installed, and then we'll install the certificate that was created for the user on FortiAuthenticator. After you import it you can check to see that it's in the Personal store by going to MMC and adding a snap-in, and there we have it: we have the user cert 1, and if we click into that, again we're going to see that the subject is CN = user cert 1. Additionally we need to install the CA certificate, and we'll install it to the Trusted Root Certification Authorities directory. We can confirm that we successfully installed it by going to our Trusted Root Certification Authorities directory in the MMC console snap-in; let's look for TTP Fortinet. There it is. Now here's my configuration on the FortiClient machine: we're referencing user cert 1, we're using an X.509 certificate, and then we don't have any type of XAuth. Now let's go ahead and connect, and there we have it, we're successfully connected.

Okay, so just a quick review to explain at least my understanding, which could be wrong, of the certificate placement. FortiGate cert, which is the server certificate on the FortiGate, needs to be validated by the client itself using the TTP Fortinet certificate, which is placed under the Trusted Root Certification Authorities section on the machine. Additionally, thinking in, I guess, the opposite direction, we have a certificate that's in the Personal store called user cert 1, and that's the one that we're referencing in the FortiClient configuration. When that certificate is presented to the FortiGate while we're trying to bring up the IPsec tunnel, the FortiGate is going to check that certificate against the peer certificate group, which is named pki users. So if we go "config user peer group" and we look at what we had configured for pki users, we see that the member is user cert 1. Then if we go "show user peer", we can see that user cert 1 is associated with the CA certificate CA_Cert_1, which is our TTP Fortinet certificate authority. So that certificate, user cert 1, has to have been signed by CA_Cert_1, which is checking the chain, as well as checking the subject name that's part of the certificate. So that's how it works, and it must be the name user cert 1; if it's anything else, the authentication will not be successful. Let's quickly test that. We'll just change one character there, and now we'll try to authenticate, and it expectedly will fail.

All right, now let's go over implementation number two, where we're going to be using our LDAP server. The user John Smith has the UPN name of jsmith@fortinet.local; UPN stands for user principal name. We want to ensure that the end user certificate has jsmith@fortinet.local specified on the certificate, so that when the user authenticates, the FortiGate will check to make sure that a user with that UPN specified on the certificate resides on the LDAP server. Again, it's going to ensure that that certificate was signed by our certificate authority, in this case TTP Fortinet as the CA. Let's start by creating our certificate for John Smith. So this is the important item here: the user principal name being jsmith@fortinet.local. Now we will export the key and certificate, and then we will import it onto our FortiClient Windows machine. Same as before, we will install that certificate into the Personal store on this machine.

All right, now to the FortiGate. Let's quickly review the pre-configured LDAP configuration that we have here: the name of the server is windows ldap, so let's reference that LDAP server. Now we need to do something similar to the previous example. We're going to go to "config user peer" and let's just create a new LDAP server here, and we'll go "set ca"; same as before, we'll have the same CA here. But then we'll set the LDAP server to be that windows ldap here. Let's go "show", there we go, and then we'll set the LDAP mode to be principal name. So when a certificate is going to authenticate to the FortiGate and match this user peer configuration, then it's going to check this windows ldap server with the principal name that is defined on the certificate. Now we need to configure, same as before, a peer group. We'll just name it ldap group, I guess, and we'll set the member to be that LDAP server that we just created. Now the last thing that we need to do is go to our IPsec tunnel configuration and let's just make sure that that peer certificate group is not pki users, which is implementation number one; it'll be ldap group, which is our implementation number two with the LDAP server. For now let's leave XAuth disabled.

Now to our FortiClient machine real quick. Let's go over that certificate that we imported just a couple minutes back. There we go: we can see in the SAN, or subject alternative name, we have the principal name as jsmith@fortinet.local, so we're good there. Now in our VPN configuration we need to change it to John Smith, and let's test. It's successful.

Now, up until now we've been mainly just going over certificate verification, certificate authentication. But what if we want to add in an additional factor of authentication? That's when we can go back to using XAuth, which is what we're probably used to using for the most part. If I look right now at my XAuth options, I don't have an option for LDAP. So what I could do is, going back to this LDAP server windows ldap, create a new user group; let's just call that windows ldap group, and then we'll just specify that server. I'm not going to put a group in, but you could put a group in there. Then if we go back to our IPsec tunnel here, let's specify Auto Server and we'll choose ldap group. Okay, there we go. All right, back to our FortiGate: if we try and authenticate with just the certificate, it's expected to fail, so we'll just disconnect here. We need to edit the connection and add XAuth authentication, and then additionally put in the correct username and password credentials that are going to get checked against the LDAP server, as well as our correct certificate, and now it should be successful. There we have it.

All right, so in case you need some troubleshooting tools, I have a suggested video on IPsec troubleshooting, and that includes "diag debug application ike -1". But additionally we can do "diag debug application fnbamd", that's f as in foxtrot, n as in nancy, b, a, m, d as in delta, and then we can also go "diag debug enable" to start the debug. When we connect with our correct credentials, now we're going to have information both about IPsec, due to the ike command, and information about certificate authentication, due to the fnbamd debug that we have running there. So if you ever run into any issues, start taking a look through the debugs and find it that way. All right, so that wraps things up for this video. Thanks for joining in, and we'll see you in the next one.
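As an added reference that is not part of the video, here is the FortiOS CLI configuration the two implementations walked through above amount to, side by side, with the optional XAuth second factor and the debug commands from the end. Object names (CA_Cert_1, user_cert_1, FortiGate_Cert, pki_users, windows_ldap, ldap_group, windows_ldap_group, the peer name windows_ldap_peer, the tunnel name dialup_cert and the interface wan1) are assumptions based on how they are spoken in the video, not values taken from a real configuration.

```fortios
# Implementation 1: the FortiGate itself checks the chain (signed by CA_Cert_1)
# and the subject CN of the presented certificate
config user peer
    edit "user_cert_1"
        set ca "CA_Cert_1"
        set subject "CN = user_cert_1"
    next
    # Implementation 2: same chain check, but the identity is the UPN in the
    # certificate's SAN, which must exist on the LDAP server (scales per user)
    edit "windows_ldap_peer"
        set ca "CA_Cert_1"
        set ldap-server "windows_ldap"
        set ldap-mode principal-name
    next
end

config user peergrp
    edit "pki_users"
        set member "user_cert_1"
    next
    edit "ldap_group"
        set member "windows_ldap_peer"
    next
end

# Optional second factor: XAuth credentials verified against the LDAP server
config user group
    edit "windows_ldap_group"
        set member "windows_ldap"
    next
end

# Dial-up tunnel: pre-shared key replaced by the FortiGate's signed certificate.
# Point peergrp at "pki_users" for implementation 1 or "ldap_group" for 2;
# set xauthtype disable to run certificate-only authentication.
config vpn ipsec phase1-interface
    edit "dialup_cert"
        set type dynamic
        set interface "wan1"
        set authmethod signature
        set certificate "FortiGate_Cert"
        set peertype peergrp
        set peergrp "ldap_group"
        set xauthtype auto
        set authusrgrp "windows_ldap_group"
    next
end

# Debug: IKE negotiation plus certificate/LDAP checks done by fnbamd
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug enable
```

A certificate signed by a different CA, or one whose CN (implementation 1) or SAN UPN (implementation 2) does not match, is rejected before XAuth is ever attempted, which is the failure shown in the video when one character of the subject is changed.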