Technical Tip: Authenticate remote and local users with a single group

# config user group
    edit "SSLVPN"
        set member "MyLDAP" "student" "student1"
            # config match
                edit 1
                    set server-name "MyLDAP"
                    set group-name "CN=test,OU=test,DC=mywork,DC=local"
                next
            end
        next
    end

 

 

4)Configure SSLVPN.

# config vpn ssl settings  
    # config authentication-rule
        edit 1
            set groups "SSLVPN"
            set portal "web-access"
        next
    end
end

5)Configure firewall policy and add 'SSLVPN' group to the Source field.

# config firewall policy
    edit 0
        set name "IncomingSSLVPN"
        set srcintf "ssl.root"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "SSLVPN"
    next
end 

TROUBLESHOOTING.

1) Test user authentication and debug logs.

- Test existing LDAP user 'test.user' via CLI.

# diagnose test authserver ldap MyLDAP test.user Password12
authenticate 'test.user' against 'MyLDAP' succeeded!
Group membership(s) - CN=Domain Users,CN=Users,DC=mywork,DC=local

- Login remote via SSL-VPN Portal , Monitor and debug SSL-VPN.

 

 

 

 

 

# diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
 
# diagnose debug enable
…
[359:root:4b]sslvpn_authenticate_user:191 authenticate user: [test.user]
[359:root:4b]sslvpn_authenticate_user:198 create fam state
[359:root:4b]fam_auth_send_req:583 with server blacklist:
[359:root:4b]fam_auth_send_req_internal:461 fnbam_auth return: 4
[359:root:4b]Auth successful for group SSLVPN
[359:root:4b]fam_do_cb:654 fnbamd return auth success.
[359:root:4b]SSL VPN login matched rule (1).
…

2) Login to the SSL-VPN portal with the local user 'student', monitor and debug SSL-VPN.

 

 

 

 

# diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
 
# diagnose debug console timestamp enable
 
# diagnose debug enable
…
2020-04-16 10:32:39 [359:root:33]sslvpn_authenticate_user:191 authenticate user: [student]
2020-04-16 10:32:39 [359:root:33]sslvpn_authenticate_user:198 create fam state
2020-04-16 10:32:39 [359:root:33]fam_auth_send_req:583 with server blacklist:
2020-04-16 10:32:39 local auth is done with user 'student', ret=0
2020-04-16 10:32:39 [359:root:33]fam_auth_send_req_internal:461 fnbam_auth return: 0
2020-04-16 10:32:39 [359:root:33]fam_auth_send_req_internal:470 authentication OK
2020-04-16 10:32:39 [359:root:33]fam_do_cb:654 fnbamd return auth success.
2020-04-16 10:32:39 [359:root:33]SSL VPN login matched rule (1).                   <----- The rule refers to the section 'config authentication-rule' in the SSLVPN settings or the GUI order or the portal matching. First rule matching will stop processing.
…

3) Login to the SSL-VPN portal with the local user 'student1', monitor and debug SSL-VPN.

 

 

 

 

 

# diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
 
# diagnose debug enable

[359:root:3c]sslvpn_authenticate_user:191 authenticate user: [student1]
[359:root:3c]sslvpn_authenticate_user:198 create fam state
[359:root:3c]fam_auth_send_req:583 with server blacklist:
[359:root:3c]fam_auth_send_req_internal:461 fnbam_auth return: 0
[359:root:3c]fam_auth_send_req_internal:470 authentication OK
[359:root:3c]fam_do_cb:654 fnbamd return auth success.
[359:root:3c]SSL VPN login matched rule (1).

Note: 
In case the LDAP contains a user called 'student' (same as local user) , then LDAP user will take precedence and local user with an assigned token can be overridden.