Troubleshooting Tip: SSL VPN Debugs Error: 'sslvpn_login_unknown_user'
Description
This article describes potential causes for the 'sslvpn_login_unknown_user' error seen in the SSL VPN process (sslvpnd) debug output. In these scenarios, assume that SSL VPN Realms are configured, though Scenario #2 is also valid for non-Realm configurations.
Scope
FortiGate.
Solution
User Scope: Local.
Username: test_user.
User Group: SSLVPN_user_group.
SSL VPN configuration:
FortiGate-KVM # show vpn ssl settings
config vpn ssl settings
set servercert "Fortinet_Factory"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set port 4443
set source-interface "port1"
set source-address "all"
set source-address6 "all"
set default-portal "full-access"
config authentication-rule
edit 1
set groups "SSLVPN_user_group" <----- User Group.
set portal "full-access" <----- Portal name.
set realm "VPN-Users" <----- Realm is mapped.
next
end
end
Run the debugs:
diagnose debug disable
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug enable
Note:
To stop the debug, run the following commands:
diagnose debug disable
diagnose debug reset
Output scenario 1: Accessing the SSL VPN without specifying a Realm:
[327:root:a5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
[327:root:a5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry. <----- User Matched.
[327:root:a5]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy. <----- Checking for User Group reference.
[327:root:a5]sslvpn_auth_check_usrgroup:3008 got user (0) group (1:0).
[327:root:a5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm () <----- 'realm' is empty, which means that the Realm was not specified/accessed.
[327:root:a5]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.
[327:root:a5]sslvpn_validate_user_group_list:1978 checking rule 1 realm.
[327:root:a5]sslvpn_validate_user_group_list:2864 got user (0:0), group (0:0) peer group (0).
[327:root:a5]sslvpn_update_user_group_list:1792 got user (0:0), group (0:0), peer group (0) after update.
[327:root:a5]no valid user or group candidate found
[327:root:a5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user]<----- User/User Group verification failed.
[327:root:0]dump_one_blocklist:93 status=1;host=192.168.2.128;fails=1;logintime=1668480661
User FortiClient Settings:

Solution:
When using Realm for Users/User Groups, make sure that the client software (either FortiClient's Remote Gateway field or a web browser's URL) includes the correct Realm.
Correct Remote Gateway: https://192.168.2.110:4443/VPN-Users

Note:
SSL VPN Realms are case-sensitive (e.g., 'VPN-Users' vs. 'vpn-users'). If the incorrect case is used, then the Realm will not be matched, and connections/authentication will instead match the default Realm.
Output scenario 2: Accessing the SSL VPN using the correct Realm:
[327:root:b5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
[327:root:b5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry. <----- User Matched.
[327:root:b5]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy. <----- Checking for User Group reference.
[327:root:b5]sslvpn_auth_check_usrgroup:3008 got user (0) group (1:0).
[327:root:b5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm (VPN-Users). <----- The Realm URL was accessed, so 'realm' is populated.
[327:root:b5]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.
[327:root:b5]sslvpn_validate_user_group_list:1978 checking rule 1 realm.
[327:root:b5]sslvpn_validate_user_group_list:1989 checking rule 1 source intf.
[327:root:b5]sslvpn_validate_user_group_list:2028 checking rule 1 vd source intf.
[327:root:b5]sslvpn_validate_user_group_list:2570 rule 1 done, got user (0:0) group (0:0) peer group (0).
[327:root:b5]sslvpn_validate_user_group_list:2864 got user (0:0), group (0:0) peer group (0).
[327:root:b5]sslvpn_update_user_group_list:1792 got user (0:0), group (0:0), peer group (0) after update.
[327:root:b5]no valid user or group candidate found.
[327:root:b5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user] <----- However, User/User Group verification still fails.
[327:root:b5]req: /remote/login?realm=VPN-Users&err=sslvpn
Solution:
Check the Firewall Policies related to the SSL VPN and confirm that the desired User/User Group has been included.
Incorrect:
config firewall policy
edit 1
set name "ssl_access"
set srcintf "ssl.root"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set groups "Guest-group" <----- User Group list is missing 'SSLVPN_user_group'.
next
end
Correct:
config firewall policy
edit 1
set groups "SSLVPN_user_group" <----- Correct user group.
next
end
Output Scenario 3: LDAP user logging in to FortiClient:
[296:InternetFW:1e0]sslvpn_authenticate_user:203 authenticate user: [fortinet]
[296:InternetFW:1e0]sslvpn_authenticate_user:221 create fam state
[296:InternetFW:1e0][fam_auth_send_req_internal:432] Groups sent to FNBAM:
[296:InternetFW:1e0]group_desc[0].grpname = SSLVPN-LDAP-Group
[296:InternetFW:1e0][fam_auth_send_req_internal:444] FNBAM opt = 0X200421
[296:InternetFW:1e0]fam_auth_send_req_internal:513 fnbam_auth return: 4
[296:InternetFW:1e0]fam_auth_send_req:1011 task finished with 4
[296:InternetFW:1e0]fam_auth_proc_resp:1365 fnbam_auth_update_result return: 5 ((null))
[296:InternetFW:1e0][fam_auth_proc_resp:1371] An error happened updating the FNBAM response.
[296:InternetFW:1e0][fam_auth_proc_resp:1505] Authenticated groups (3) by FNBAM with auth_type (1):
[296:InternetFW:1e0]Received: auth_rsp_data.grp_list[0] = 0
[296:InternetFW:1e0]Received: auth_rsp_data.grp_list[1] = 0
[296:InternetFW:1e0]Received: auth_rsp_data.grp_list[2] = 13652720
[296:InternetFW:1e0]login_failed:480 user[fortinet],auth_type=1 failed [sslvpn_login_unknown_user]
Solution:
This can be observed when the FortiGate is upgraded to v7.4.4 or later, as there has been a change in behavior with regard to LDAPS requirements. If LDAPS/STARTTLS is configured, it is now mandatory to have the CA certificate of the LDAPS server imported onto the FortiGate and used in the configuration; otherwise, LDAPS authentication will no longer work.
Additionally, if 'Server identity check' is enabled, then the 'Server IP/Name' field must be set to an FQDN/IP that is included in the certificate's Common Name (CN) or Subject Alternative Name (SAN) fields. To import the CA certificate from the LDAP server, refer to Technical Tip: Configuring LDAP over SSL (LDAPS).

If the CA certificate cannot be imported immediately, then LDAPS can be disabled as a workaround (assuming the LDAP server still supports plaintext LDAP). This can be done by disabling 'Secure Connection' from the GUI or CLI, as per the following steps:
From the GUI:
Navigate to User & Authentication -> LDAP Servers, select the LDAP server entry, then toggle off Secure Connection.
From the CLI:
config user ldap
edit "fortinetLDAP"
set secure disable
next
end
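As an added example (not part of this article, and not FortiOS code), the following Python script groups sslvpnd debug lines by session id and maps each 'sslvpn_login_unknown_user' failure to the likely cause covered by the three scenarios above (empty realm, user/group not in policy, FNBAM/LDAP error) plus the realm case-sensitivity note. The sample lines are constructed from this article's outputs, and the list of configured realms is a hypothetical argument you would fill in from 'config vpn ssl settings'.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the three debug outputs in this article.
SAMPLE_DEBUG = """\
[327:root:a5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry.
[327:root:a5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm ()
[327:root:a5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user]
[327:root:b5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry.
[327:root:b5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm (VPN-Users).
[327:root:b5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user]
[296:InternetFW:1e0][fam_auth_proc_resp:1371] An error happened updating the FNBAM response.
[296:InternetFW:1e0]login_failed:480 user[fortinet],auth_type=1 failed [sslvpn_login_unknown_user]
"""

# Debug lines are prefixed [pid:vdom:session]; the session id ties one login attempt together.
PREFIX = re.compile(r"^\[\d+:[^:\]]+:(?P<sid>[0-9a-f]+)\](?P<msg>.*)$")
REALM = re.compile(r"realm \((?P<realm>[^)]*)\)")
FAILED = re.compile(r"login_failed:\d+ user\[(?P<user>[^\]]*)\].*\[sslvpn_login_unknown_user\]")

def parse_sessions(text):
    # Per session: did a local user match, which realm was requested, did FNBAM error, who failed.
    sessions = defaultdict(lambda: {"local_match": False, "realm": None,
                                    "fnbam_error": False, "failed_user": None})
    for m in filter(None, map(PREFIX.match, text.splitlines())):
        s, msg = sessions[m.group("sid")], m.group("msg")
        s["local_match"] |= "has a matched local entry" in msg
        s["fnbam_error"] |= "error happened updating the FNBAM response" in msg
        if r := REALM.search(msg):          # "" means the Realm URL was not used
            s["realm"] = r.group("realm")
        if f := FAILED.search(msg):
            s["failed_user"] = f.group("user")
    return dict(sessions)

def triage(text, configured_realms):
    # Map each session that ended in sslvpn_login_unknown_user to the likely cause.
    hints = {}
    for sid, s in parse_sessions(text).items():
        if s["failed_user"] is None:
            continue                        # this session did not fail with the error
        if s["fnbam_error"]:
            hints[sid] = "remote auth (FNBAM/LDAP) error: check LDAPS CA certificate and server identity"
        elif s["realm"] == "" and configured_realms:
            hints[sid] = "no realm in request: add the realm to the gateway URL"
        elif s["realm"] and s["realm"] not in configured_realms:
            near = [r for r in configured_realms if r.lower() == s["realm"].lower()]
            hints[sid] = "realm case mismatch, expected '%s'" % near[0] if near else "unknown realm"
        elif s["local_match"]:
            hints[sid] = "local user matched and realm is not the issue: check firewall policy / authentication-rule groups"
        else:
            hints[sid] = "user not found: check the account exists and the username spelling/case"
    return hints
```

Feed it the captured output of 'diagnose debug application sslvpn -1' instead of SAMPLE_DEBUG; one login attempt with no hint means it failed for a reason outside these scenarios (for example, Geo-IP restrictions or a RADIUS timeout).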
Other possible causes for 'sslvpn_login_unknown_user':
- The user account is not configured on the FortiGate, irrespective of the user group mapping.
- The entered username has a typo, or case-sensitivity is enabled for the username (see also: Technical Tip: Local user, username case sensitivity and accent sensitivity).
- The SSL VPN may have Geo-IP restrictions that require the user to connect from an allowed IP (this can also impact users who are connecting from behind the FortiGate using a private IP).
- Secure LDAP is used and failed to establish an SSL connection with the error '[1101] __ldap_connect-tcps_connect(x.x.x.x) failed: ssl_connect() failed: 167772498'. There are multiple possible reasons for this error, and further troubleshooting may be required. A workaround can be implemented by temporarily using LDAP instead of LDAPS.
- There may be an authentication timeout on the RADIUS server when using Duo or other multi-factor authentication (MFA) solutions. To resolve this, increase the remote authentication timeout on the FortiGate:
config system global
set remoteauthtimeout 20
end
- The error message may also occur if the ciphersuite under 'config vpn ssl settings' has a lower strength than the ciphersuite in the authentication rule, which by default is 168 bits. For example:
config vpn ssl settings
...
set ciphersuite TLS-AES-128-GCM-SHA256
...
end
In this case, the solution is to increase the strength of the ciphersuite to a higher value (>= 168 bits), or unset the ciphersuite to the default value.
- The authentication rule has a source-interface configured that is different from the incoming traffic interface. This overrides the source-interface under 'config vpn ssl settings' and will return sslvpn_login_unknown_user.
- A different LDAP username format is used than the one configured on the FortiGate. Refer to this KB article for more details: Technical Tip: Username format for LDAP authentication.
Related articles:
Technical Tip: Configuring LDAP over SSL (LDAPS)
Technical Tip: LDAPS connections no longer work after update to v7.4.4
Technical Tip: LDAPS/STARTTLS certificate issuer enforcement
