FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Anthony_E
Community Manager
Community Manager

Description
This article describes how to authenticate remote LDAP users and local users via SSLVPN under the same User Group on FortiGate.

Solution
Configure step by step, test and troubleshoot SSLVPN web mode authentication on FortiGate using local user and remote LDAP user.

1) Create local users 'student' and 'student1'  CLI / GUI.

# config user local
    edit "student"
        set type password
        set passwd PasswordStudent
    next
    edit "student1"
        set type password
        set passwd PasswordStudent1
    next
end

 
 
2) Configure LDAP server  CLI / GUI.
# config user ldap
    edit "MyLDAP"
        set server "10.133.4.242"
        set cnid "sAMAccountName"
        set dn "DC=mywork,DC=local"
        set type regular
        set username "CN=Administrator,CN=Users,DC=mywork,DC=local"
        set password secretLDAPpassword
    next
end



3) Create User Group “SSLVPN”, add local users and Remote Server 'MyLDAP'.
# config user group
    edit "SSLVPN"
        set member "MyLDAP" "student" "student1"
            # config match
                edit 1
                    set server-name "MyLDAP"
                    set group-name "CN=test,OU=test,DC=mywork,DC=local"
                next
            end
        next
    end



 
 
4)Configure SSLVPN.
# config vpn ssl settings  
    # config authentication-rule

        edit 1
            set groups "SSLVPN"
            set portal "web-access"
        next
    end
end
5)Configure firewall policy and add 'SSLVPN' group to the Source field.
# config firewall policy
    edit 0
        set name "IncomingSSLVPN"
        set srcintf "ssl.root"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "SSLVPN"
    next
end 
TROUBLESHOOTING.

1) Test user authentication and debug logs.

- Test existing LDAP user 'test.user' via CLI.
# diagnose test authserver ldap MyLDAP test.user Password12
authenticate 'test.user' against 'MyLDAP' succeeded!
Group membership(s) - CN=Domain Users,CN=Users,DC=mywork,DC=local
- Login remote via SSL-VPN Portal , Monitor and debug SSL-VPN.
 
 
 
 
 
# diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
 
# diagnose debug enable

[359:root:4b]sslvpn_authenticate_user:191 authenticate user: [test.user]
[359:root:4b]sslvpn_authenticate_user:198 create fam state
[359:root:4b]fam_auth_send_req:583 with server blacklist:
[359:root:4b]fam_auth_send_req_internal:461 fnbam_auth return: 4
[359:root:4b]Auth successful for group SSLVPN
[359:root:4b]fam_do_cb:654 fnbamd return auth success.
[359:root:4b]SSL VPN login matched rule (1).
2) Login to the SSL-VPN portal with the local user 'student', monitor and debug SSL-VPN.
 
 

 
 
# diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
 
# diagnose debug console timestamp enable
 
# diagnose debug enable

2020-04-16 10:32:39 [359:root:33]sslvpn_authenticate_user:191 authenticate user: [student]
2020-04-16 10:32:39 [359:root:33]sslvpn_authenticate_user:198 create fam state
2020-04-16 10:32:39 [359:root:33]fam_auth_send_req:583 with server blacklist:
2020-04-16 10:32:39 local auth is done with user 'student', ret=0
2020-04-16 10:32:39 [359:root:33]fam_auth_send_req_internal:461 fnbam_auth return: 0
2020-04-16 10:32:39 [359:root:33]fam_auth_send_req_internal:470 authentication OK
2020-04-16 10:32:39 [359:root:33]fam_do_cb:654 fnbamd return auth success.
2020-04-16 10:32:39 [359:root:33]SSL VPN login matched rule (1).                   <----- The rule refers to the section 'config authentication-rule' in the SSLVPN settings or the GUI order or the portal matching. First rule matching will stop processing.
3) Login to the SSL-VPN portal with the local user 'student1', monitor and debug SSL-VPN.
 
 
 
 
 
# diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
 
# diagnose debug enable

[359:root:3c]sslvpn_authenticate_user:191 authenticate user: [student1]
[359:root:3c]sslvpn_authenticate_user:198 create fam state
[359:root:3c]fam_auth_send_req:583 with server blacklist:
[359:root:3c]fam_auth_send_req_internal:461 fnbam_auth return: 0
[359:root:3c]fam_auth_send_req_internal:470 authentication OK
[359:root:3c]fam_do_cb:654 fnbamd return auth success.
[359:root:3c]SSL VPN login matched rule (1).
Note: 
In case the LDAP contains a user called 'student' (same as local user) , then LDAP user will take precedence and local user with an assigned token can be overridden.

Related Articles

Technical Note - Configuring Remote LDAP users with Two-Factor Authentication

Comments
bmeta
Staff
Staff

Excellent!

Contributors