jfelix09
Staff
October 16, 2024

Technical Tip: Unable to authenticate SSL VPN while firewall policy source interface is set to Any

Description

This article describes why remote users are unable to authenticate when the SSL VPN firewall policy has 'any' as the source interface.

Scope

FortiGate, SSL VPN.

Solution

If the 'Multiple interface policies' option is enabled under Feature Visibility, firewall policies can be configured with multiple source/destination interfaces, or with 'any' as the source/destination interface.

[Screenshot: Feature Visibility, 'Multiple interface policies' option]

If there are multiple policies for SSL VPN, some using the 'ssl.root' tunnel interface and others using 'any' as the source interface, the policies with 'any' as the source interface will not be triggered.

[Screenshot: SSL VPN firewall policies, one with source interface 'any' and one with 'ssl.root']

In this example, two policies were created:

  1. A firewall policy with source interface 'any' allowing remote LDAP/RADIUS users that belong to the 'SSLVPN_LDAP_admin' group;

  2. A firewall policy with source interface 'ssl.root' allowing remote LDAP/RADIUS users that belong to the default 'SSLVPN_LDAP_users' group.

If a user from the 'SSLVPN_LDAP_admin' group attempts to authenticate, the fnbamd process exits with a 'Failed group matching' message, and the result is returned to the SSL VPN process, which terminates the login with an 'invalid username/password' message.

To run SSL VPN debug commands, refer to the following article: Troubleshooting Tip: SSL VPN troubleshooting.

[2863] fnbamd_ldap_result-Failed group matching
[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 558161773, len=2856
[7658:root:1c]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 1 (invalue username/password)
[7658:root:1c]login_failed:405 user[jfelix],auth_type=16 failed [sslvpn_login_permission_denied]

From the SSL VPN process's point of view this looks like a missing policy for the 'SSLVPN_LDAP_admin' group: the policy exists, but with 'any' as the source interface it is never evaluated for the SSL VPN login. After changing the source interface from 'any' to the ssl.root interface, a user that is a member of the 'SSLVPN_LDAP_admin' group can authenticate.

[Screenshot: SSL VPN firewall policies after changing the source interface to 'ssl.root']

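As an added example (not the article's or Fortinet's own code), the following Python audits a FortiOS configuration export for exactly the condition described above: a group-based policy on source interface 'any' alongside a policy bound to the tunnel interface. The configuration excerpt, policy names and the address object are constructed to mirror the two policies in this example.

```python
import shlex

# Constructed FortiOS excerpt (not from the article) modelling its two policies:
# policy 1 uses srcintf 'any', policy 2 uses the 'ssl.root' tunnel interface.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "sslvpn-admin"
        set srcintf "any"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set groups "SSLVPN_LDAP_admin"
    next
    edit 2
        set name "sslvpn-users"
        set srcintf "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set groups "SSLVPN_LDAP_users"
    next
end
"""

def parse_policies(config_text):
    """Return {policy_id: {setting: [values]}} for the 'config firewall policy' block."""
    policies, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)  # handles quoted and multi-valued settings
            policies[current][parts[1]] = parts[2:]
        elif line == "next":
            current = None
        elif line == "end":
            break
    return policies

def unmatched_sslvpn_policies(policies, tunnel_intf="ssl.root"):
    """Group-based 'any' policies that SSL VPN logins skip once a tunnel-interface policy exists."""
    if not any(tunnel_intf in p.get("srcintf", []) for p in policies.values()):
        return []
    return sorted(pid for pid, p in policies.items()
                  if p.get("srcintf") == ["any"] and p.get("groups"))
```

Run it against a full configuration backup: every policy ID it returns is one whose user group will fail with 'Failed group matching' until its source interface is changed to the tunnel interface.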

Related article:
Technical Tip: SSL VPN RADIUS authentication failed group matching despite user group configured