dethangel
New Member
April 24, 2013
Question

User not able to authenticate to LDAP

  • April 24, 2013
  • 3 replies
  • 10976 views
Guys, I'm facing a problem and need a little input. I've successfully configured Fortinet to link up with my AD/LDAP. Test link is successful. But I'm facing a peculiar error. Via the SSL portal:
1. Using domain Administrator login, I'm able to login to the SSL portal BUT
2. Using any other userid, would result in an "Error: Permission denied"
A check within the "Event Log" shows - Reason no_matching_policy ALTHOUGH - User login/password is correct
I'm running on 4.0 MR3 Patch 11. Appreciate some help/advice as I'm already stumped.

    3 replies

    rwpatterson
    New Member
    April 24, 2013
    Welcome to the forums. From the CLI, please show us the policy that's allowing SSL VPN access:
      FGT # show firewall policy <policy_ID>
    dethangel (Author)
    New Member
    April 26, 2013
    Hi Guys.. Thanks for the welcome. Apologies for the late reply. Anyway the policy that's allowing WAN -> Internal for SSL VPN is as follows:

      config firewall policy
          edit 17
              set srcintf "wan1"
              set dstintf "internal"
              set srcaddr "all"
              set dstaddr "NB Int IP Allow All"
              set action ssl-vpn
              set identity-based enable
              config identity-based-policy
                  edit 1
                      set schedule "always"
                      set groups "VPNUSERS-SSL"
                      set service "ANY"
                  next
              end
          next
      end

    ssl.root -> Internal

      config firewall policy
          edit 19
              set srcintf "ssl.root"
              set dstintf "internal"
              set srcaddr "all"
              set dstaddr "NB Int IP"
              set action accept
              set schedule "always"
              set service "ANY"
          next
      end

    Kindly advise. My policy group/name checks out ok as I've derived the results obtained via the server command line:
    LDAP query access:
    1. dsquery user -name "ldapuser" - I have tried this as domain administrator - but I've gotten the same results.
    LDAP group:
    2. dsquery group -name "Mobile Users"
    I'm really stumped this time.
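    As an added illustration that is not code from this thread or from Fortinet: the event-log reason no_matching_policy means the credentials were accepted by the LDAP server, but the firewall then found no identity-based policy entry whose groups include a FortiGate user group the user resolved into. The script below parses the `show firewall policy` output posted above (embedded here as constructed sample text) and walks the identity-based entries in the order they appear, which is assumed to be the firewall's evaluation order. The two sample accounts and the FortiGate user groups each is assumed to resolve into are constructed for the example; the parser is a simplified model of the FortiOS 4.0 CLI format, not Fortinet's own code.

```python
"""Model FortiGate identity-based policy matching to explain a
no_matching_policy SSL VPN login failure (added example, not Fortinet code)."""
import re

# Constructed sample: the two policies posted in the thread, in FortiOS 4.0 "show" format.
SAMPLE_POLICY_CONFIG = """
config firewall policy
    edit 17
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "NB Int IP Allow All"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "VPNUSERS-SSL"
                set service "ANY"
            next
        end
    next
    edit 19
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "NB Int IP"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
"""

# Constructed assumption: which FortiGate user groups each account resolves into after
# LDAP authentication. The admin lands in the referenced group; the ordinary user only
# resolves into a group no SSL VPN policy references, which reproduces the symptom.
SAMPLE_USERS = {
    "Administrator": ["VPNUSERS-SSL"],
    "ldapuser": ["Mobile Users"],
}


def _split_values(raw):
    """Split a FortiOS 'set' value list, honouring double-quoted values with spaces."""
    return [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', raw)]


def parse_fortios_config(text):
    """Parse nested config/edit/set/next/end blocks into
    {table: {entry_id: {setting: [values], subtable: {...}}}}."""
    root = {}
    stack = [root]  # innermost container (table or entry) is on top
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "config":
            stack.append(stack[-1].setdefault(rest, {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif keyword == "set":
            key, _, raw = rest.partition(" ")
            stack[-1][key] = _split_values(raw)
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def ssl_vpn_policies(config, ingress="wan1"):
    """Yield (policy_id, policy) for action ssl-vpn policies on the given ingress interface."""
    for pid, policy in config.get("firewall policy", {}).items():
        if policy.get("action") == ["ssl-vpn"] and ingress in policy.get("srcintf", []):
            yield pid, policy


def match_ssl_vpn_policy(config, user_groups, ingress="wan1"):
    """Return (policy_id, identity_entry_id) of the first identity-based entry that lists
    one of the user's groups, or None, which corresponds to reason no_matching_policy."""
    wanted = set(user_groups)
    for pid, policy in ssl_vpn_policies(config, ingress):
        for eid, entry in policy.get("identity-based-policy", {}).items():
            if wanted & set(entry.get("groups", [])):
                return pid, eid
    return None


def referenced_groups(config, ingress="wan1"):
    """All user groups any SSL VPN identity-based entry on this ingress refers to."""
    groups = set()
    for _, policy in ssl_vpn_policies(config, ingress):
        for entry in policy.get("identity-based-policy", {}).values():
            groups.update(entry.get("groups", []))
    return sorted(groups)


def diagnose(config, username, user_groups):
    """One-line verdict mirroring what the FortiGate event log would report."""
    matched = match_ssl_vpn_policy(config, user_groups)
    if matched:
        return f"{username}: login allowed by policy {matched[0]} identity entry {matched[1]}"
    return (f"{username}: no_matching_policy (resolved groups {sorted(user_groups)} "
            f"vs groups referenced by SSL VPN policies {referenced_groups(config)})")


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_POLICY_CONFIG)
    for user, groups in SAMPLE_USERS.items():
        print(diagnose(cfg, user, groups))
```

    The useful output is the second line: the user's resolved groups set against the groups the SSL VPN policies actually reference, which is exactly the gap to close either by adding the right LDAP-backed user group to the identity-based entry or by checking that the FortiGate user group really maps to the intended LDAP group.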
    apex
    New Member
    April 29, 2013
    Hi dethangel, What's the output when you query your LDAP from the CLI? ie:
      # diag test authserver ldap yourLDAPserverNAME username ADpassword
    Is your firewall user group 'VPNUSERS-SSL' pointing at your LDAP server? Thanks, A
    apex
    New Member
    April 25, 2013
    Hi dethangel, can you confirm that you have a firewall user group pointing at the remote authentication server (your LDAP), allow ssl-vpn access to your portal here, and that the SSL firewall policy has this user group listed under configure ssl-vpn users. Thanks, A
    ipranger
    New Member
    June 29, 2013
    Only the attribute "Group of Names" works correctly in LDAP with FortiOS.
    rwpatterson
    New Member
    June 30, 2013

    Take a look here for some insight: https://forum.fortinet.com/FindPost/81337