Skip to main content
jbickel
jbickel
New Member
January 16, 2017
Question

Unable to connect IPSEC VPN via FSSO (wrong credentials)

  • January 16, 2017
  • 2 replies
  • 12202 views

New to Fortigate devices, so I'm hoping I can find some help here.  I did search through the forum first, and found similar issues, but nothing that could help me.

 

Using a Fortigate 60E running 5.4.1 and using the GUI to set this up.  These are the steps I took:

1. Configured LDAP server (it is connecting to Windows 2008 R2).

2. Configured single sign on

3. Created FSSO group pointing to a Distribution Group on the Windows box.

 

The Fortigate device does connect correctly to LDAP as I am able to read AD with no problems.  I then used the VPN wizard to set up a remote access VPN using the FortiClient.  When I get to the point where I select users, I can only select local Fortigate user groups; the FSSO group I made was not an option.

 

4. I then made a local group where the member is the FSSO group.

5. When creating the VPN, I chose the local group (which contains the FSSO group).

 

Even though the Fortigate sees the AD stuff and I was able to choose a Dist Group within it, I still get a wrong credentials error when I try to connect.  I tried other settings within the FortiClient as well, but to no avail.

What am I missing?

    2 replies

    MikePruett
    MikePruett
    New Member
    January 16, 2017

    Shouldn't it be a security group instead of a distro group?

    jbickel
    jbickelAuthor
    New Member
    January 17, 2017

    @MikePruett - I was wrong, it is a security group.  Sorry about the bad info.

     

    @silver - "As you have DC/AD acting as an LDAP server, then I would suggest to use LDAP based user group to authenticate VPN users."  -  I was hoping to set this up so that when a remote user attempted to connect with the FortiClient, that it could look at a group on the AD server and use those credentials (if the user is a member) to authenticate them to the VPN.  I tried the following with no success...

     

    1. Make firewall user group that points to a remote LDAP server.

    2. Select correct Security Group from LDAP selection.

     

    From everything I have read in the manual and online, the above should work, but I still receive the wrong credentials error.

    xsilver_FTNT
    Staff
    xsilver_FTNT
    Staff
    January 17, 2017

    Hi jbickel,

     

    I think you are probably missing the tech background on FSSO. The users appear in FSSO user list (diag debug authd fsso list) AFTER they authenticate to MSFT Domain.

    As the user authenticate against the DC, that logon is spotted by FSSO environment (either via agent or polling), processed and shortly AFTER the FortiGate is notified that such user and his SOURCE IP is authenticated. As FSSO is basically source-ip pre-authentication. Therefore any traffic from that source is then considered as authenticated by that user.

     

    If the user is trying to connect to LAN via VPN, and therefore haven't been authenticated against DC as he has no chance to reach DC, yet, then he cannot be on FSSO user list, yet.

     

    Hope it's clear at least a tiny bit more, now.

     

    As you have DC/AD acting as an LDAP server, then I would suggest to use LDAP based user group to authenticate VPN users.

    Terms & ConditionsAccessibility statement