Levi
New Member
May 10, 2017
Question

LDAP users cannot login to SSL VPN

  • May 10, 2017
  • 2 replies
  • 25405 views

Hi Folks,

I have an issue with a new SSL VPN on my FortiGate 3240fgt running 5.2.10. It is set up the same as a working SSL-VPN in a different VDOM on the same device.

If I log in to the SSL VPN portal using a locally configured user on the firewall it is successful. However, if I try with my AD account it is not successful. Debugging does not even show a single packet trying to reach the domain controller. But the Test function in the LDAP server section is successful (and packets can be seen when debugging).

Next oddity: when using my AD account the username is not propagated into the VPN events log, just user-N/A.

But if I try a made-up name (that does not have a local PKI user) the username is propagated into the VPN event log.

So it seems to me that after the firewall confirms the PKI user exists it fails the authentication rather than forwarding the auth to AD.

These SSL VPNs have always been tricky, but I'm stumped by this latest issue, so I would appreciate any assistance.

Many Thanks

Levi

    2 replies

    emnoc
    New Member
    May 10, 2017

    I'm amazed at your diagnostics, they are good ;)

    Here's what I would do:

    > I would double-check the user group for any match statements

    > I also would double-check the config vpn ssl setting and any auth-rules

    > ensure the Base DN search is correct

    Toshi_Esumi
    SuperUser
    May 10, 2017

    One thing I can tell based on a TT with TAC to verify authentication behavior was:

    - if a local user with a given name exists, it decides "success" or "fail" based on the config and stops there. It never goes to the next step.

    - if a local user with a given name doesn't exist and remote authentication servers exist in the policy, it tries all of them to see if any one of them gives a "success".

    - if none of the remote auth servers in the policy gives a "success", it goes to the next policy.

    TAC said they would document this somewhere since it's not available anywhere.

    emnoc
    New Member
    May 11, 2017

    Hmm.. I believe it falls under the SSL VPN settings authentication rule.

    My testing shows if you have a rule preference and match local and the user is local, it will pass/fail on local only.

    If the rule is remote-auth and it passes|fails, it does not fall back to local.

    e.g.

       config authentication-rule
           edit 1
               set source-interface "WAN1"
               set source-address "all"
               set groups "RWGRP1"
               set portal "tunnel-access"
           next
           edit 2
               set users "user1" "user2" "user3"
               set groups "RWGRP1"
               set portal "tunnel-access"
           next
       end

    user1, 2 & 3 would be authenticated by rule #2.

    Toshi_Esumi
    SuperUser
    May 11, 2017

    In my case, we're not using authentication-rule in ssl settings. We simply put all into one group referred to by a policy to be equal to all auth methods. So that's the condition for the behavior I described above. I assumed peer users would behave the same way local users do since they're locally configured.

    In any case, we need better documentation.
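As an added illustration (not from this thread and not FortiOS code), the precedence Toshi_Esumi describes for the no-authentication-rule case, modelled in Python with PKI peer users treated as local, as he assumed; the recorded LDAP binds are the "packets to the domain controller" that Levi's debug never showed for a name that also exists as a peer user. Server name, user names and passwords are constructed, and a password login against a certificate-only peer user is modelled as failing, matching what the original post observed.

```python
from dataclasses import dataclass, field


@dataclass
class LdapServer:
    """Constructed stand-in for an LDAP server object; records every bind it receives."""
    name: str
    directory: dict                              # constructed: username -> password
    binds: list = field(default_factory=list)    # the "packets to the DC" seen in debug

    def bind(self, user, password):
        self.binds.append(user)
        return self.directory.get(user) == password


@dataclass
class Policy:
    """One firewall policy with the members of its user group flattened out."""
    name: str
    local_users: dict   # locally configured password users
    peer_users: set     # PKI peer users; treated as local, as Toshi_Esumi assumed
    servers: list       # remote auth servers referenced through the group


def authenticate(policies, user, password):
    """Return (policy name, result) following the precedence described in the thread."""
    for pol in policies:
        if user in pol.peer_users:
            # A local object with this name exists, so the decision is made here and
            # never forwarded; a password login against a certificate peer user is
            # modelled as failing (assumption matching the original post).
            return pol.name, "fail"
        if user in pol.local_users:
            return pol.name, "success" if pol.local_users[user] == password else "fail"
        for srv in pol.servers:              # no local object: try each remote server
            if srv.bind(user, password):
                return pol.name, "success"
    return None, "fail"                      # no policy accepted the login


def demo():
    ad = LdapServer("AD", {"levi": "Pa55w0rd", "alice": "hunter2"})   # constructed
    policy = Policy("sslvpn", {"admin": "local-pw"}, {"levi"}, [ad])
    shadowed = authenticate([policy], "levi", "Pa55w0rd")   # peer user blocks LDAP
    remote = authenticate([policy], "alice", "hunter2")     # no local object: reaches AD
    unknown = authenticate([policy], "nobody", "x")         # tried on AD, then falls through
    return shadowed, remote, unknown, list(ad.binds)


if __name__ == "__main__":
    print(demo())
```

The returned bind list contains only "alice" and "nobody": the AD-valid password for "levi" is never sent to the server because the peer user of the same name short-circuits the decision.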