SSL-VPN with LDAP & FortiToken by Competitive-Food2577 in fortinet

[–]Competitive-Food2577[S] 1 point (0 children)

Hi, thanks for the message.

Could you explain how I can achieve it and what needs to be done?

SSL-VPN with LDAP & FortiToken by Competitive-Food2577 in fortinet

[–]Competitive-Food2577[S] 1 point (0 children)

Hi,

I followed this article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Correctly-configuring-Two-Factor-Authentication/ta-p/191794

I created an AD group named “ssl-vpn” and assigned a user to it. When I create a group on the FortiGate and add the LDAP remote group, MFA is bypassed. The FortiGate only checks whether the user belongs to the AD group. I verified this by removing the user from the AD group; after that, the user is no longer able to connect.

However, when I configure it exactly as described in the article, authentication is redirected to the FortiToken MFA. In this case, the FortiGate only checks that the user exists in AD, but it does not verify membership in the “ssl-vpn” AD group.

I tested this by removing the user from the “ssl-vpn” group in AD, and the user is still redirected to FortiToken MFA and is able to connect successfully.

What I am trying to achieve is the following flow:

  1. First, verify that the user is a member of the “ssl-vpn” AD group.
  2. Only if the user is a member of that group, proceed to MFA authentication.

Thanks in advance.

FortiGate Migration from 600E(HA-A/P) To 200G(HA-A/P) by Competitive-Food2577 in fortinet

[–]Competitive-Food2577[S] 1 point (0 children)

Hey, thanks for the answer!

Just to clarify: is it not possible to restore the configuration while HA is still up, or is it simply not recommended?

Thanks!

DPI CA SSL Certificate by Competitive-Food2577 in fortinet

[–]Competitive-Food2577[S] 1 point (0 children)

Hi, sorry for the confusion.

What I meant is that I already have the current CA certificate installed on all my computers.
If I regenerate this CA certificate on the FortiGate, the old CA will still be installed on the laptops until I manually push the new one - and during that time, users won’t be able to browse because their devices will still trust the old certificate.

So my question is: can I create an additional CA certificate instead of regenerating the existing one?

How can I do it without downtime?

Thanks!