Authenticating administrators with security certificates
You can install a certificate on the management computer to support strong authentication for administrators. When a personal certificate is installed on the management computer, the FortiGate unit processes the certificate after the administrator supplies a username and password.
To enable strong administrative authentication:
- Obtain a signed personal certificate for the administrator from a CA and load the signed personal certificate into the web browser on the management computer according to the browser documentation.
- Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients on page 118 ).
- Create a PKI user account for the administrator. l Add the PKI user account to a firewall user group dedicated to PKI-authenticated administrators.
Configuring certificate-based authentication
- In the administrator account configuration, select PKI as the account Type and select the User Group to which the administrator belongs.
Support exact match for subject and CN fields in peer user
In order to avoid any unintentional admin access by regular users, administrators can specify which way a peer user authenticates.
When searching for a matching certificate, use the commands below to control how to find matches in the certificate subject name (subject-match) or the cn attribute (cn-match) of the certificate subject name. This match can be any string (substring) or an exact match (value) of the cn attribute value.
To determine certificate subject name matches – CLI:
config vpn certificate setting edit <name> set subject-match {substring | value} set cn-match {substring | value}
next
end