Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

Nik
New Contributor II

Problem with security groups and ldap users

Hi,

We have discovered that several users seem to end up in several LDAP groups when they connect via vpn client (forticlient). Every user is a member of a specific group on our Active Directory and even though they are not member of a certain group, when they connect via vpn client I can see that they end up in these User Group.

For example:

Lets say we have these groups under the User & Authentication -> User Groups:

- Group 1 (remote group 1)
- Group 2 (remote group 2)
- Group 3 (remote group 3)

Remote group 1, 2 and 3 are groups that are created on the AD server and synced with the User Groups on fortigate.

User A is a member on remote group 1 on the AD, but when he log in via vpnclient, even though it is not a member of the remote group 2 on the AD, he ends up even in this group on the fortigate. 

We are running FortiOS v6.4.8. 

Does anyone has any idea why is the fortigate behaving like this?

Best Regards
1 REPLY 1
johnathan
Staff
Staff

We can see specifically how the FortiGate matches these groups if we run a debug while one of the users logs in. Kindly execute the following commands and post the output here:
di de res

di de app fnbamd -1
di de en

When you're done:
di de res
di de di

"Never trust a computer you can't throw out a window."
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.