Client device certificate authentication with multiple groups
Supported FortiOS version: 5.6.2
In the following example, some clients connecting to a FortiGate SSL VPN must have a device certificate installed on their machine in order to authenticate to the VPN. Employees (in a specific OU in AD) are required to have a device certificate to connect, while vendors (in a separate OU in AD) are not. In VPN > SSL-VPN Settings, leave Require Client Certificate disabled; instead, enable or disable client-cert selectively in each authentication-rule from the CLI according to each group's requirement. The example below assumes that the remote LDAP users/groups have already been configured.
config vpn ssl settings
    set reqclientcert disable
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "Employee"
            set portal "tunnel-access"
            set realm ''
            set client-cert enable
            set cipher high
            set auth any
        next
        edit 2
            set groups "Vendor"
            set portal "tunnel-access"
            set realm ''
            set client-cert disable
            set cipher high
            set auth any
        next
    end
end
config user group
    edit "Employee"
        set member "user1"
    next
    edit "Vendor"
        set member "user2"
    next
end
Configure the remainder of the SSL VPN tunnel as normal (create a firewall policy allowing SSL VPN access to the internal network that includes the VPN groups, apply the necessary security profiles, etc.).
If configured correctly, only members of the "Employee" group should be required to present a client certificate to authenticate to the VPN.
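A quick way to confirm that the per-rule settings match the intended policy before relying on them is to audit the CLI text itself. The script below is an added example, not part of the article and not a Fortinet tool: it parses a "config vpn ssl settings" block in the form shown above (the SAMPLE_CONFIG string is a constructed copy of that block), extracts the global reqclientcert value and each authentication-rule's groups and client-cert setting, and reports any rule that grants access to a group expected to present a device certificate without client-cert enabled, or a global Require Client Certificate setting that would force certificates on every group. The function names and the list of certificate-required groups are assumptions made for the example.

```python
"""Audit per-rule client-certificate enforcement in a FortiOS SSL-VPN config.

Added example (not from the article or from Fortinet): a small parser for the
CLI text shown in the article plus a policy check over the parsed rules.
"""
import re

# Constructed sample: the de-duplicated config from the article.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set reqclientcert disable
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "Employee"
            set portal "tunnel-access"
            set realm ''
            set client-cert enable
            set cipher high
            set auth any
        next
        edit 2
            set groups "Vendor"
            set portal "tunnel-access"
            set realm ''
            set client-cert disable
            set cipher high
            set auth any
        next
    end
end
"""

# Matches one argument of a 'set' line: "double quoted", 'single quoted' or bare.
_ARG = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def _values(rest):
    """Split the argument list of a 'set <key> ...' line honouring FortiOS quoting."""
    return [m.group(m.lastindex) for m in _ARG.finditer(rest)]


def parse_ssl_settings(text):
    """Return (global_settings, rules) from a 'config vpn ssl settings' block.

    global_settings: dict of key -> value for 'set' lines outside the rule table.
    rules: one dict per 'edit N' under 'config authentication-rule', holding
    'id', 'groups' (always a list) and the other 'set' keys as strings.
    """
    settings, rules = {}, []
    in_rules, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config authentication-rule":
            in_rules = True
        elif in_rules and line.startswith("edit "):
            current = {"id": int(line.split()[1]), "groups": []}
        elif in_rules and line == "next":
            rules.append(current)
            current = None
        elif in_rules and line == "end":
            in_rules = False
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            vals = _values(rest)
            if current is not None:
                current[key] = vals if key == "groups" else vals[0]
            else:
                settings.setdefault(key, vals[0])
    return settings, rules


def audit_client_cert(settings, rules, cert_required_groups):
    """Return a list of findings; an empty list means the config matches the policy.

    Policy (assumed for this example): the global requirement stays disabled so
    that groups without the requirement are not forced to present a certificate,
    and every rule granting access to a group in cert_required_groups has
    'set client-cert enable'.
    """
    findings = []
    if settings.get("reqclientcert") != "disable":
        findings.append("global reqclientcert is not 'disable'; every group "
                        "would be forced to present a client certificate")
    required = set(cert_required_groups)
    for rule in rules:
        if required & set(rule["groups"]) and rule.get("client-cert") != "enable":
            findings.append(f"rule {rule['id']} grants {rule['groups']} "
                            f"without 'set client-cert enable'")
    return findings


if __name__ == "__main__":
    parsed_settings, parsed_rules = parse_ssl_settings(SAMPLE_CONFIG)
    for finding in audit_client_cert(parsed_settings, parsed_rules, ["Employee"]):
        print("FINDING:", finding)
```

Run it against a saved `show vpn ssl settings` output instead of SAMPLE_CONFIG to audit a live unit; the parser only understands the two nesting levels shown in the article and treats the first value of a repeated global key as authoritative.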