kallbrandt
New Member
August 13, 2019
Question

Bug in 6.0.6 SSLVPN/LDAP user auth?

  • August 13, 2019
  • 1 reply
  • 10340 views

Just my findings about this. Someone else might be drowning in the same marsh...


I had serious problems with a client's 600D not honoring the configured LDAP groups for VPN authentication. It turned out that the Fortigate authenticated all users against radius... No radius users are configured. But during the auth sequence, the firewall checks for radius config, then tacacs config, then ldap. If it finds a radius server, it proceeds to authenticate the users on that! I am still waiting for the TAC to tell me if this really is the expected behaviour, but I suspect not. It would be impossible to use more than one type of authentication server then. Well, as it is now at least. The solution for me was to remove the radius config - Hey presto! LDAP works, groups are honored!


Or wait, there was a 2nd snafu: LDAPS was configured, all checks were green in the GUI. But LDAP auth fails with "unsupported protocol" when you do your diag debug on auth...
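To make the failure mode in the post concrete, here is a constructed Python model (added here, not FortiOS code or anything from the thread) of the two server-selection behaviours: the reported one, which walks a fixed RADIUS, TACACS+, LDAP order and stops at the first configured type, and the expected one, which only consults the servers the SSL VPN user group references. Server names, users and passwords are made up.

```python
# Constructed model of remote-auth server selection (not FortiOS code).
# Buggy path: first configured server type in RADIUS -> TACACS+ -> LDAP order wins,
# so a RADIUS server that no group references still answers for every VPN user.
# Expected path: only servers referenced by the user's SSL VPN group are consulted.
from dataclasses import dataclass, field

@dataclass
class AuthServer:
    name: str
    kind: str                                   # "radius", "tacacs" or "ldap"
    users: dict = field(default_factory=dict)   # username -> password (constructed sample)

    def authenticate(self, user: str, password: str) -> bool:
        return self.users.get(user) == password

@dataclass
class UserGroup:
    name: str
    servers: list   # names of the remote servers this group is bound to

SEARCH_ORDER = ("radius", "tacacs", "ldap")

def auth_by_type_order(servers, user, password):
    """Reported 6.0.6 behaviour: the first server of the first configured type answers."""
    for kind in SEARCH_ORDER:
        for srv in servers:
            if srv.kind == kind:
                return srv.name, srv.authenticate(user, password)
    return None, False

def auth_by_group(servers, group, user, password):
    """Expected behaviour: try only the servers the SSL VPN group references."""
    by_name = {s.name: s for s in servers}
    for name in group.servers:
        if by_name[name].authenticate(user, password):
            return name, True
    return None, False

# Constructed sample: a valid LDAP VPN user and an unused RADIUS server on the box.
SERVERS = [
    AuthServer("radius-unused", "radius"),
    AuthServer("ldaps-corp", "ldap", {"alice": "correct horse"}),
]
VPN_GROUP = UserGroup("sslvpn-users", ["ldaps-corp"])

def workaround_servers():
    """The poster's workaround: drop the RADIUS config so LDAP is reached again."""
    return [s for s in SERVERS if s.kind != "radius"]
```

With the RADIUS server present, `auth_by_type_order` rejects alice even though her LDAP credentials are valid; removing it (`workaround_servers()`) makes the same lookup succeed, which is exactly the symptom and fix the post describes.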


    Toshi_Esumi
    SuperUser
    August 13, 2019

    My understanding was it's supposed to send an auth request to all remote auth servers configured in the group(s). I don't know the exact decision making process if multiple servers replied with conflicting answers: "pass" and "deny", though. Was that working fine with 6.0.5? Or which version did you upgrade the 600D from, then found this problem?

    kgipe
    New Member
    August 14, 2019

    We actually just ran into this same issue and have a ticket in on it. In our case, we added in a new Radius server and user group but had not even applied it anywhere and it started trying to authenticate SSL VPN users against it. I don't know if it was the same on 6.0.5 as I added the Radius server in after upgrade.

    kallbrandt
    New Member
    August 14, 2019

    kgipe wrote:

    We actually just ran into this same issue and have a ticket in on it. In our case, we added in a new Radius server and user group but had not even applied it anywhere and it started trying to authenticate SSL VPN users against it. I don't know if it was the same on 6.0.5 as I added the Radius server in after upgrade.

    Aha! That kinda screams bug to me... We upgraded the firewall all the way from 5.2.14 --> 6.0.6 via the supported upgrade path. I don't know about the firmware versions in between, but this was not a problem in 5.2.13.

    Anyway, for our setup, it is solvable, but if you depend on your radius for other things, you're kinda toast right now. Let's hope for a fix soonish.