Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

FahmAzla
New Contributor

SSLVPN LDAPS Not Working

Hello all,

We have configured LDAPS with secure connection, we already generate CA certificate from AD server and import into the Fortigate.
We have test login using Forticlient but it failed.

Action we have performed:
  • run > diagnose test authserver ldap <ad-server>  user1 password - the output success
  • We have tried to disable secure connection - able to login
  • change minimum SSL protocol to TLS v1 - still failed.
From debug log, we can see below logs, from here we can see "unknow user" but since we can login with secure connection, its should exists the user.
Line 4045: 2021-04-20 12:10:20 [320:root:29665][fam_auth_proc_resp:1343] An error happened authenticating user: user1
Line 4046: 2021-04-20 12:10:20 [320:root:29665]login_failed:272 user[user1],auth_type=16 failed [sslvpn_login_unknown_user]

Any idea on that?
4 REPLIES 4
VictGarc1
New Contributor

Hi,

What is your FortiOS version? Do you check release notes about your version?
FahmAzla

Hi Victor,

Current version 6.0.11, the issues already resolved after upgrade to 6.0.12, its bug. We log ticket to TAC as well, TAC confirmed it bug.

Thanks​​
SveN
New Contributor

Hi,

I can't remember the details. But a while back I had something similar with a customer. Useres tried to connect to a Fortigate located in Asia with authentication against a LDAP in Germany. And the delay betwen the location in Asia and Germany was to high. We increased the LDAP timeout so 600 (I believe default ist 50ms) and all is wokring since then:
config system global
set ldapconntimeout 600 <===
end
Hope it helps...
FahmAzla
New Contributor

Hi Sven,

Thank for sharing, Since we have multiple sites, I will increase ldaptimeout. 

Thanks
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.