Cybersecurity Forum

tonyo
New Contributor

SSL VPN realms with Active Directory (LDAPS) authentication: fails when user is a member of multiple AD groups

Hi

I have an FG500E cluster configured for SSL VPN with multiple realms (users, itstaff, other).
I'm remote authenticating to MS Active Directory.
user realm points to AD group "users"
itstaff realm points to AD group "itstaff"
other realm points to AD group "other"

There is a search order performed by the Fortinet against the MS AD LDAP(S) server.
If the end-user is a member of only one AD group, and they specify the appropriate realm, all is fine.
If the end-user is a member of multiple AD groups (i.e. a member of both "users" and "itstaff")...
- if they specify the "users" realm, the auth fails (as the first AD hit/match is on the "itstaff" permission group).
- if they specify the "itstaff" realm, the auth succeeds (as the first AD hit/match is on the "itstaff" permission group).

This was not the case from 5.6.x through (at least) 6.2.7.
(i.e. the above scenario worked fine.)

When we recently updated from 6.2.7 to 6.4.6, the issue manifested itself.
So, somewhere between 6.2.7 and 6.4.6 this 'bug' appeared.

I placed a ticket with Fortinet support:

- first level: reproduced the issue (then it was bumped up to the second level).
- second level: reproduced the issue (no bug reports identified).

Q: Has anyone come across this before?
Q: Has anyone identified a workaround/fix?

Thank you in advance.

--tony
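The two matching behaviours the post contrasts, modelled as an added example (not Fortinet code, and not the FortiGate's real LDAP matching logic): the group DNs, the `SEARCH_ORDER` list, the sample `memberOf` values and the two policy functions are all constructed assumptions. `first_match_policy` stops at the first group hit in the configured search order and reproduces the symptom described above (a user in both "users" and "itstaff" is rejected on the "users" realm); `realm_scoped_policy` checks only the group bound to the requested realm. `permitted_realms` diffs the two for a given account, which is a quick way to confirm from your own group data whether observed behaviour matches the first-match model.

```python
"""Model of the realm/group matching behaviour described in the post.

Constructed example: the group DNs, the search order and the two policy
functions are assumptions used to illustrate the failure mode, not Fortinet
code and not the FortiGate's actual LDAP matching logic.
"""

# Constructed mapping from SSL VPN realm to the AD group it is tied to.
REALM_GROUPS = {
    "users":   "CN=users,OU=Groups,DC=example,DC=com",
    "itstaff": "CN=itstaff,OU=Groups,DC=example,DC=com",
    "other":   "CN=other,OU=Groups,DC=example,DC=com",
}

# Assumed order in which the firewall's group lookups are evaluated. The post
# reports that "itstaff" wins first, so it is placed first here.
SEARCH_ORDER = ["itstaff", "users", "other"]

# Constructed memberOf attribute values, as an LDAPS search would return them.
SAMPLE_USERS = {
    "alice": [REALM_GROUPS["users"], REALM_GROUPS["itstaff"]],  # in two groups
    "bob":   [REALM_GROUPS["users"]],                          # in one group
    "carol": [REALM_GROUPS["other"]],
}


def first_match_policy(member_of, realm):
    """First-hit policy: walk SEARCH_ORDER, stop at the first group the user
    belongs to, and authorise only if that group is the requested realm's.
    This reproduces the symptom in the post: a user in both groups is
    rejected on the 'users' realm because 'itstaff' matches first."""
    groups = set(member_of)
    for candidate in SEARCH_ORDER:
        if REALM_GROUPS[candidate] in groups:
            return candidate == realm
    return False


def realm_scoped_policy(member_of, realm):
    """Realm-scoped policy: check only the group bound to the requested realm,
    ignoring any other group memberships. An unknown realm never matches."""
    return REALM_GROUPS.get(realm) in set(member_of)


def permitted_realms(member_of, policy):
    """Return the sorted list of realms a user could log into under a policy;
    handy for diffing the two behaviours for a given account."""
    return sorted(r for r in REALM_GROUPS if policy(member_of, r))


if __name__ == "__main__":
    for name, groups in SAMPLE_USERS.items():
        print(name,
              "first-match:", permitted_realms(groups, first_match_policy),
              "realm-scoped:", permitted_realms(groups, realm_scoped_policy))
```

Running the block prints, for each constructed account, the realms each policy would accept; the multi-group user is the only one where the two lists differ.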