Troubleshooting Tip: MAC Address Check Failure When Connecting via SSL VPN
Description
This article describes how to troubleshoot MAC Address Check failures when connecting through SSL VPN.
Scope
FortiGate.
Solution
If users can log in to SSL VPN without having their MAC addresses allowed in the SSL web portal, it may be due to incorrect MAC addresses being permitted.
Ensure that the following MAC addresses are not added. Otherwise, remove them from the SSL web portal: '00:09:0F:FE:00:01 and 00:09:0f:aa:00:01'.
config vpn ssl web portal
edit <portal_name>
config mac-addr-check-rule
edit <rule_name>
unselect mac-addr-list [address] <-----
next
end
next
end
If the issue persists, verify that the user is authenticated through the correct authentication portal that has the MAC address check rule enabled.
To verify the user is authenticated to the correct portal, use the below debug command :
diagnose debug reset
diagnose vpn ssl debug-filter src-addr4 x.x.x.x ------------------> Client public IP.
diagnose debug application sslvpn -1
diagnose debug enable
To stop the debug :
diagnose debug disable