
In order to configure FortiGate for certificate authentication, you must import the root CA certificate on FortiGate. The root CA generates and signs user certificates and is necessary to verify the validity of any user certificate being used to authenticate.

You must then create a PKI peer user on FortiGate and add the PKI peer user to a firewall user group. Finally, you must install the PKI peer user's digital certificate in the personal certificate store of their computer (Local-Windows).

Once configured, you can test certificate authentication by logging into SSL VPN.

Note: All certificates have been pre-generated for you by FortiAuthenticator—a user authentication and identity management appliance. Keep in mind that you can generate certificates using many different applications or purchase certificates from various certificate providers. As such, this lab focuses on importing certificates rather than certificate generation.

Importing the Root CA on FortiGate

In this exercise, you will import the pre-generated root CA into FortiGate.

To import a CA certificate

1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at 10.0.1.254.

2. Go to System > Certificates.

3. Click Import and select CA Certificate from the drop-down menu.

4. From the Import CA Certificate dialog box, select Local PC and browse to Desktop > Resources > FortiGate-II > Certificates and select FortiAuthCA.crt.

Note: This CA certificate is generated by FortiAuthenticator.

5. Click OK.

The CA certificate CA_Cert_1 (CN = FortiAuthCA) is added to the Certificates page under External CA Certificates.

Creating a PKI Peer User

In order for FortiGate to recognize PKI users, the user must be added to FortiGate as a PKI peer user. In this exercise, you will create a PKI user called aduser2. The first PKI user you add to FortiGate must be added through the CLI (subsequent users can be added directly through the FortiGate GUI).

To create a PKI peer user account

1. In Local-Windows, open PuTTY and connect to the LOCAL-FORTIGATE saved session (connect over SSH).

2. Log in as admin and type the following commands to add a PKI peer user:

    config user peer
        edit aduser2
            set ca CA_Cert_1
            set two-factor enable
            set passwd Training!
    end

Note: CA_Cert_1 is the name of the CA certificate you imported in the previous procedure. The common name of the certificate (cn) is FortiAuthCA.

3. Close PuTTY.

4. To confirm in the FortiGate GUI that the PKI peer user you just created was added successfully, refresh your browser and go to User & Device > PKI.

Remember, the PKI page appears only once you add your first PKI peer user through the CLI.

Note: You now have the option to create subsequent PKI peer users directly through the FortiGate GUI, as the PKI page is now visible. No additional users are required for this lab, however.
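A pre-import check, added here as an example and not part of the Fortinet lab: before creating a peer user with set ca CA_Cert_1, confirm that the user's PKCS#12 bundle actually chains to that CA, because FortiGate validates the presented certificate against the CA named on the peer user. It assumes openssl is installed; the CA and user certificate are generated locally as stand-ins for FortiAuthCA.crt and the aduser2 bundle (import password fortinet, as in the lab), not the lab's own files.

```shell
#!/bin/sh
# Constructed example: check that a PKCS#12 user certificate chains to the
# root CA that will be imported on FortiGate. All key material is generated
# locally as a stand-in for FortiAuthCA.crt and the aduser2 bundle.
set -eu
WORK="$(mktemp -d)"

# Self-signed root CA standing in for FortiAuthCA (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=FortiAuthCA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# An unrelated CA, to show what a bundle from the wrong issuer looks like.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=OtherCA" -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# Issue a user certificate for aduser2 from the stand-in CA and bundle it as
# PKCS#12 with the lab's import password.
openssl req -newkey rsa:2048 -nodes -subj "/CN=aduser2" \
  -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/user.crt" 2>/dev/null
openssl pkcs12 -export -in "$WORK/user.crt" -inkey "$WORK/user.key" \
  -out "$WORK/aduser2.p12" -passout pass:fortinet

# check_user_cert P12 PASSWORD CAFILE
# Extracts the client certificate from the bundle, prints its subject, issuer
# and validity dates (so the CN can be compared with the peer user name), and
# verifies it against CAFILE. Returns 0 when the chain is valid, 1 otherwise.
check_user_cert() {
  p12="$1"; pw="$2"; cafile="$3"
  tmpcert="$(mktemp)"
  openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pw" -out "$tmpcert" 2>/dev/null
  openssl x509 -in "$tmpcert" -noout -subject -issuer -dates
  if openssl verify -CAfile "$cafile" "$tmpcert" >/dev/null 2>&1; then
    rm -f "$tmpcert"; return 0
  fi
  rm -f "$tmpcert"; return 1
}

# Usage: the bundle chains to the stand-in lab CA, but not to the unrelated CA.
check_user_cert "$WORK/aduser2.p12" fortinet "$WORK/ca.crt" && echo "chain OK"
check_user_cert "$WORK/aduser2.p12" fortinet "$WORK/other.crt" || echo "chain mismatch"
```

Run the same check with the real FortiAuthCA.crt and the aduser2 bundle from the Resources folder; a mismatch here explains a certificate prompt that is rejected at SSL VPN login.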

Assigning a PKI Peer User to a User Group

In this procedure, you will assign your PKI peer user to a firewall user group called PKI-users. This way, you can configure firewall policies to act on the firewall user group.

LAB 8–Certificate Operations

Generally, groups are used to more effectively manage individuals that have some kind of shared relationship.

Note: The PKI-users group was pre-configured for you. However, it needs to be modified to add the PKI peer user you created (aduser2).

To assign a PKI peer user to a firewall group

1. In the Local-FortiGate GUI, go to User & Device > User Groups and edit the PKI-users group.

2. From the Members drop-down list, select the peer user aduser2.

3. Click OK.

Adding the PKI Peer User Group to your Firewall Policy

Now that the PKI peer user is added to the PKI-users firewall user group, you can add the group to a firewall policy. This allows you to control access to network resources, as policy decisions are applied to the group as a whole.

Since your PKI peer user will be authenticating over SSL-VPN, you will add the group to an SSL-VPN firewall policy.

Note: Configuring SSL-VPN is out of scope for this lab. As such, the SSL-VPN settings have been pre-configured for you. However, you still need to configure the SSL-VPN firewall policy and add the PKI-users group to it.

To add the remote user group to your firewall policy

1. In the Local-FortiGate GUI, go to VPN > SSL-VPN Settings and click the warning message at the top of the page.

Clicking this warning message creates a new SSL-VPN policy for you using the pre-configured settings.

2. Complete the following:

Field                Value
Outgoing Interface   port1
Source               LOCAL_SUBNET
                     PKI-users (click the User tab to locate this group)
Destination Address  all
Schedule             always
Service              ALL
Action               ACCEPT

© FORTINET

3. Click OK.

4. Click OK.

The SSL-VPN Settings page appears and provides the URL for the SSL Web mode access. You will use this URL later in testing.

Installing the User Certificate in the Browser

Finally, because this lab environment uses Firefox as the browser, you must install the aduser2 user certificate in the Firefox browser. Unlike Internet Explorer and Chrome, which use the Windows repository to store certificates, Firefox uses its own browser certificate repository.

Note: If using a browser other than Firefox, the user certificate would be stored in the personal certificate store of the user's computer.

Once the user certificate is stored in the Firefox browser, Firefox automatically looks in this repository for the certificate when prompted for one.

To install the user certificate in Firefox browser

1. In the Local-Windows VM, open a new tab in the Firefox browser.

2. Click the menu icon in the top-right corner and select Options.

3. Click Advanced from the left menu, and then click the Certificates tab in the main window.

4. Click View Certificates.

The Certificate Manager appears.


5. Click the Your Certificates tab and click Import.

6. Browse to Desktop > Resources > FortiGate-II > Certificates and select aduser2.

7. When prompted for a password, enter fortinet and click OK.

8. Click OK.

The aduser2 certificate issued by FortiAuthCA is added to the browser.

9. Click OK to close the Certificate Manager.

10. Close the Options browser tab.

Testing Certificate Authentication

For the purposes of this lab, you will authenticate with a certificate over SSL VPN (Web mode). Based on the SSL VPN firewall policy you configured, aduser2 will be prompted to authenticate using a certificate.

As you are logging into the web mode SSL VPN over Firefox, it will automatically check the Firefox browser certificate repository for a user certificate.


To test certificate authentication

1. Open a new browser tab and go to the VPN Web mode access at https://10.0.1.254:10443. The site requests that you identify yourself with a certificate. It automatically points to the aduser2 certificate stored in the personal certificate store on the Local-Windows VM.

2. Click OK.

3. If you receive an error that indicates your connection is not secure, click Advanced and then select Add Exception.

The login screen appears with the username already prefilled.

4. Enter Training! as the password and click Login.

You successfully logged in with a certificate.

5. From the top-right corner, log out of the SSL VPN portal.

6. Close the SSL VPN browser tab.