RBA (Staff)
September 4, 2025

Troubleshooting Tip: SSL VPN connection fails (sslvpn_login_permission_denied) with error 'Failed group matching'

Description
This article describes how to troubleshoot the 'Failed group matching' error while an SSL VPN user authenticates with the LDAP server.
Scope
FortiGate
Solution
The SSL VPN connection fails with the error 'sslvpn_login_permission_denied'. The fnbamd debug on the FortiGate, enabled with the commands below, shows the authentication failing with the error 'Failed group matching'.
 
diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable
 
Failure log snippet from fnbamd debugs:
 
[984] __ldap_next_state-State: Primary Group Query -> Done
[1982] ldap_copy_grp_list-copied CN=FW-AD-GRP,OU=SECURITY,OU=CORPORATE,DC=LABLOCAL,DC=CO,DC=IN
[1982] ldap_copy_grp_list-copied CN=FW-NON-AD-GRP,OU=SECURITY,OU=CORPORATE,DC=LABLOCAL,DC=CO,DC=IN
[1982] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=LABLOCAL,DC=CO,DC=IN
[627] fnbam_user_auth_group_match-req id: 6748847559694, server: LAB-LDAP, local auth: 0, dn match: 1
[581] __group_match-Check if LAB-LDAP is a group member
[581] __group_match-Check if LAB-LDAP is a group member
[208] find_matched_usr_grps-Failed group matching
 
Verify the groups configured on the FortiGate for VPN access:
 
config authentication-rule
    edit 1
        set groups "SSLVPN-FW-AD-GRP"
        set portal "SSLVPN-FW-AD-GRP"
    next
    edit 2
        set groups "SSLVPN-FW-NON-AD-GRP"
        set portal "SSLVPN-FW-NON-AD-GRP"
    next
end
 
config user group
    edit "SSLVPN-FW-AD-GRP"
        set member "LAB-LDAP"
            config match
                edit 1
                    set server-name "LAB-LDAP"
                    set group-name "CN=FW-AD-GRP,OU=SECURITY,OU=FINANCE,DC=LABLOCAL,DC=CO,DC=IN"
                next
            end
    next
end
 
The group mismatch is expected in this scenario, as the OU returned by the LDAP server and the OU configured on FortiGate do not match.
  • Group Returned from LDAP: CN=FW-AD-GRP,OU=SECURITY,OU=CORPORATE,DC=LABLOCAL,DC=CO,DC=IN
  • Group configured on FortiGate: CN=FW-AD-GRP,OU=SECURITY,OU=FINANCE,DC=LABLOCAL,DC=CO,DC=IN
 
Correct the group-name under 'config match' on the FortiGate so that it is identical to the DN returned in the debug (here OU=CORPORATE rather than OU=FINANCE); the group match then succeeds and the SSL VPN login is permitted.

Note:
  • For SSL VPN, user groups must be configured both under the SSL VPN settings and referenced in the firewall policy.
  • For Dial-up IPsec VPN, user groups should be configured either under the IPsec Phase 1 settings or in the firewall policy, but not in both.
  • The 'set username-case-sensitivity' CLI command can be used to disable case sensitivity: remote LDAP and RADIUS usernames are case-sensitive by default, so a mismatch in letter casing leads to authentication failures.
  • The SSL VPN tunnel has been disabled starting on FortiOS v7.4 for specific models: Technical Tip: SSL VPN support on FortiGate models. Fortinet made this change as a security measure; SSL VPN is replaced by IPsec VPN tunnels, which offer stronger cryptography and encryption options.
  • This guide provides detailed information regarding the migration process: Migration from SSL VPN tunnel mode to IPsec VPN.