Solution
When FortiOS receives a system login request, it first looks for a system admin account whose name exactly matches the requested name. If it cannot find an exact match, FortiOS will look for a wildcard system admin account.
In this scenario, there are three different admin groups on a remote LDAP server, and those users need to access the FortiGate as Administrators.
FortiGate configuration:
- Create a remote + wildcard Administrator for each remote group.
Troubleshooting and Debugging:
- From the CLI, enable the following debugs:
diagnose debug application fnbamd -1
diagnose debug application httpsd -1
diagnose debug enable
User 'admin3' is a member of remote group 'admingroup3', which matches the remote+wildcard admin 'ADMINISTRATOR_3'.
Authentication request received:
FGT (root) #
[httpsd 2546 - 1734257679 info] fweb_debug_init[531] -- New POST request for "/logincheck" from "10.11.31.254:54607"
[httpsd 2546 - 1734257679 info] fweb_debug_init[533] -- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
[httpsd 2546 - 1734257679 info] fweb_debug_init[535] -- Handler "logincheck-handler" assigned to request
[httpsd 2546 - 1734257679 info] logincheck_handler[427] -- entering vdom for login_attempt (vdom='root')
[1757] handle_req-Rcvd auth req 10935167152129 for admin3 in opt=00014001 prot=9 svc=6
[333] __compose_group_list_from_req-Group 'admin group 3', type 1
[508] create_auth_session-Session created for req id 10935167152129
[590] fnbamd_cfg_get_tac_plus_list-
[425] __fnbamd_cfg_get_tac_plus_list_by_admin-
[606] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
[840] fnbamd_cfg_get_ldap_list-
[613] __fnbamd_cfg_get_ldap_list_by_admin-
[348] fnbamd_ldap_get-vfid=0, name='LDAP'
[551] __ldap_auth_ctx_insert-Loaded LDAP server 'LDAP'
[601] __add_admin_ldap_svr-Loaded LDAP server 'LDAP' for admin user 'ADMINISTRATOR_3'
[348] fnbamd_ldap_get-vfid=0, name='LDAP'
Authentication passed matching the correct group:
[982] __ldap_next_state-Auth accepted
[1146] __ldap_auth_ctx_reset-
[996] __ldap_next_state-State: Recursive Group Member Query -> Done
[1982] ldap_copy_grp_list-copied CN=admingroup3,CN=Users,DC=testlab,DC=com
[1982] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=testlab,DC=com
[1982] ldap_copy_grp_list-copied CN=Users,CN=Builtin,DC=testlab,DC=com
[627] fnbam_user_auth_group_match-req id: 10939462148097, server: LDAP, local auth: 0, dn match: 1
[206] find_matched_usr_grps-Passed group matching
[2553] fnbamd_ldap_result-Result for ldap svr LDAP is SUCCESS
Result:
[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 10939462148097, len=2720
[httpsd 2547 - 1734257687 info] logincheck_handler[530] -- login attempt OK, VDOM updated to 'root'
[httpsd 2547 - 1734257687 info] logincheck_handler[536] -- login_attempt (method=6, vdom='root', name='admin3',admin_name='ADMINISTRATOR_3', auth_svr='LDAP')
- Example of a successful login by user 'admin1', whose remote group 'admingroup1' matches the remote+wildcard admin 'ADMINISTRATOR_1':
[982] __ldap_next_state-Auth accepted
[1146] __ldap_auth_ctx_reset-
[996] __ldap_next_state-State: Recursive Group Member Query -> Done
[1982] ldap_copy_grp_list-copied CN=admingroup1,CN=Users,DC=testlab,DC=com
[1982] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=testlab,DC=com
[1982] ldap_copy_grp_list-copied CN=Users,CN=Builtin,DC=testlab,DC=com
[627] fnbam_user_auth_group_match-req id: 11012479393793, server: LDAP, local auth: 0, dn match: 1
[206] find_matched_usr_grps-Passed group matching
[2553] fnbamd_ldap_result-Result for ldap svr LDAP is SUCCESS
[627] fnbam_user_auth_group_match-req id: 11012479393793, server: LDAP, local auth: 0, dn match: 1
[2561] fnbamd_ldap_result-Passed group matching
[909] update_auth_token_session-config does not require 2fa
[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 11012479393793, len=2720
[httpsd 2564 - 1734258371 info] logincheck_handler[530] -- login attempt OK, VDOM updated to 'root'
[httpsd 2564 - 1734258371 info] logincheck_handler[536] -- login_attempt (method=6, vdom='root', name='admin1',admin_name='ADMINISTRATOR_1', auth_svr='LDAP')
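When several logins are being compared, reading the raw fnbamd/httpsd dump by eye is error-prone, especially when a terminal paste flattens it onto one line. The following is an added example (not part of this article and not Fortinet code) that splits such a dump into entries and reduces it to the facts the troubleshooting steps above depend on: the requested user, the admin account(s) loaded as candidates, the groups copied from LDAP, the group-match result, and the admin name the login was finally mapped to. The sample input is a constructed, trimmed copy of the 'admin3' excerpt above; `unexpected_admin` is a hypothetical helper that compares the matched admin against the admin you intended for each group.

```python
import re

# Constructed sample: a trimmed copy of the 'admin3' debug excerpt shown in this
# article (fnbamd + httpsd entries), one entry per line. The parser also accepts
# the run-together form in which a terminal paste flattens everything onto one line.
SAMPLE_DEBUG = """\
[httpsd 2546 - 1734257679 info] logincheck_handler[427] -- entering vdom for login_attempt (vdom='root')
[1757] handle_req-Rcvd auth req 10935167152129 for admin3 in opt=00014001 prot=9 svc=6
[601] __add_admin_ldap_svr-Loaded LDAP server 'LDAP' for admin user 'ADMINISTRATOR_3'
[982] __ldap_next_state-Auth accepted
[1982] ldap_copy_grp_list-copied CN=admingroup3,CN=Users,DC=testlab,DC=com
[1982] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=testlab,DC=com
[1982] ldap_copy_grp_list-copied CN=Users,CN=Builtin,DC=testlab,DC=com
[627] fnbam_user_auth_group_match-req id: 10939462148097, server: LDAP, local auth: 0, dn match: 1
[206] find_matched_usr_grps-Passed group matching
[2553] fnbamd_ldap_result-Result for ldap svr LDAP is SUCCESS
[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 10939462148097, len=2720
[httpsd 2547 - 1734257687 info] logincheck_handler[530] -- login attempt OK, VDOM updated to 'root'
[httpsd 2547 - 1734257687 info] logincheck_handler[536] -- login_attempt (method=6, vdom='root', name='admin3',admin_name='ADMINISTRATOR_3', auth_svr='LDAP')
"""

# An entry starts with "[httpsd <pid> - <ts> <level>]" or "[<line>] <function>-" and is
# preceded by whitespace or the start of the text, so that "fweb_debug_init[531]"
# inside an httpsd entry is not mistaken for the start of a new fnbamd entry.
ENTRY_START = re.compile(r"(?<!\S)(?=\[(?:httpsd [^\]]*\]|\d+\] \w+-))")

RE_REQ = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in ")
RE_CANDIDATE = re.compile(r"__add_admin_ldap_svr-Loaded LDAP server '([^']+)' for admin user '([^']+)'")
RE_GROUP = re.compile(r"ldap_copy_grp_list-copied (.+)$")  # DN may contain spaces
RE_GROUP_MATCH = re.compile(r"fnbam_user_auth_group_match-req id: (\d+), server: (\S+), local auth: (\d), dn match: (\d)")
RE_PASSED = re.compile(r"Passed group matching")
RE_RESULT = re.compile(r"fnbamd_ldap_result-Result for ldap svr (\S+) is (\w+)")
RE_LOGIN_OK = re.compile(r"login attempt OK")
RE_LOGIN = re.compile(r"login_attempt \(method=(\d+), vdom='([^']*)', name='([^']*)',\s*admin_name='([^']*)', auth_svr='([^']*)'\)")


def split_entries(text):
    """Split a debug dump (multi-line or flattened onto one line) into individual entries."""
    flat = " ".join(text.split())  # normalise newlines and indentation to single spaces
    return [e.strip() for e in ENTRY_START.split(flat) if e.strip().startswith("[")]


def summarize_login(text):
    """Reduce one login's debug output to the fields the troubleshooting steps care about."""
    s = {"request_id": None, "request_user": None, "candidate_admins": [], "groups": [],
         "dn_match": None, "group_match_passed": False, "ldap_result": None,
         "login_ok": False, "matched_admin": None, "auth_server": None}
    for entry in split_entries(text):
        m = RE_REQ.search(entry)
        if m:
            s["request_id"], s["request_user"] = m.group(1), m.group(2)
            continue
        m = RE_CANDIDATE.search(entry)
        if m:
            s["candidate_admins"].append(m.group(2))  # admin account fnbamd is testing
            continue
        m = RE_GROUP.search(entry)
        if m:
            s["groups"].append(m.group(1).strip())  # group DN returned by the LDAP server
            continue
        m = RE_GROUP_MATCH.search(entry)
        if m:
            s["dn_match"] = m.group(4) == "1"
            continue
        if RE_PASSED.search(entry):
            s["group_match_passed"] = True
            continue
        m = RE_RESULT.search(entry)
        if m:
            s["ldap_result"] = m.group(2)
            continue
        if RE_LOGIN_OK.search(entry):
            s["login_ok"] = True
            continue
        m = RE_LOGIN.search(entry)
        if m:  # the final mapping httpsd records: login name -> admin account actually used
            s["matched_admin"], s["auth_server"] = m.group(4), m.group(5)
    return s


def unexpected_admin(summary, group_to_admin):
    """Hypothetical check: group_to_admin maps a group DN to the remote+wildcard admin
    created for it. Returns the intended admin names when the admin actually used is
    not one of them (the symptom described in 'Tips and Considerations'), else None."""
    intended = sorted({group_to_admin[g] for g in summary["groups"] if g in group_to_admin})
    return None if summary["matched_admin"] in intended else intended


if __name__ == "__main__":
    summary = summarize_login(SAMPLE_DEBUG)
    for key, value in summary.items():
        print(f"{key:20} {value}")
```

Paste the output of the three debug commands into a file and pass its contents to `summarize_login`; the `groups` list shows every DN the LDAP server returned for the user, and `candidate_admins` next to `matched_admin` shows which remote+wildcard account actually won.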
Tips and Considerations:
There are cases in which a user does not match the expected Administrator on the FortiGate.
- Administrators are evaluated top-down, in the order they appear in the list.
- The alphabetical order of Administrator names plays a role in how they are matched.
- Check the group membership of the user: if the user is a member of the remote groups of more than one 'remote+wildcard' admin, the first matching admin in the list always wins. In that case, remove the user from the extra remote group or create an individual (non-wildcard) admin account for that user.
- If possible, avoid creating multiple wildcard system admins; create only one admin account as a 'catch-all' that is used when the login does not match any individual account.
- Add or remove users from the remote group on the LDAP server and create only one admin account with the wildcard option enabled.
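The tips above describe a lookup order, and the failure mode is easiest to see by running that order against a configuration. The block below is an added example, not part of this article and not FortiOS code: it models the two-step lookup the article describes (exact account name first, then remote+wildcard admins top-down, first group hit wins) and shows that a user who belongs to two admin groups lands on the first wildcard admin in list order, and that an individual account for that user takes precedence. The admin list, group DNs and the choice to walk wildcard admins in alphabetical name order are assumptions for the example, following the tip that name order plays a role.

```python
from typing import List, Optional

# Constructed group DNs in the style of the LDAP output shown in the article.
G1 = "CN=admingroup1,CN=Users,DC=testlab,DC=com"
G2 = "CN=admingroup2,CN=Users,DC=testlab,DC=com"
G3 = "CN=admingroup3,CN=Users,DC=testlab,DC=com"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=testlab,DC=com"


class Admin:
    """One FortiGate system admin account (constructed model, not a FortiOS object)."""

    def __init__(self, name: str, remote_group: Optional[str] = None, wildcard: bool = False):
        self.name = name                  # admin account name on the FortiGate
        self.remote_group = remote_group  # LDAP group DN the account is bound to (None = local account)
        self.wildcard = wildcard          # True for a remote + wildcard account


# One remote+wildcard Administrator per remote group, as the article's scenario configures.
ADMINS = [
    Admin("ADMINISTRATOR_1", G1, wildcard=True),
    Admin("ADMINISTRATOR_2", G2, wildcard=True),
    Admin("ADMINISTRATOR_3", G3, wildcard=True),
]


def select_admin(login_name: str, user_groups: List[str], admins: List[Admin]) -> Optional[str]:
    """Return the admin account the login would be mapped to, or None if no account matches."""
    # Step 1: an account whose name exactly matches the requested name wins outright.
    for a in admins:
        if a.name == login_name:
            return a.name
    # Step 2: wildcard accounts are evaluated top-down; the first one whose remote group
    # contains the user wins. Assumption: the list is walked in alphabetical name order.
    for a in sorted((a for a in admins if a.wildcard), key=lambda a: a.name):
        if a.remote_group is not None and a.remote_group in user_groups:
            return a.name
    return None


def overlapping_admins(user_groups: List[str], admins: List[Admin]) -> List[str]:
    """All wildcard admins a user qualifies for. More than one means the outcome
    depends on list order, which is the situation the tips above warn about."""
    return sorted(a.name for a in admins if a.wildcard and a.remote_group in user_groups)


if __name__ == "__main__":
    # Expected case: admin3 is only in admingroup3 and lands on ADMINISTRATOR_3.
    print(select_admin("admin3", [G3, DOMAIN_USERS], ADMINS))
    # Pitfall: admin3 was also added to admingroup1, so ADMINISTRATOR_1 wins by list order.
    print(select_admin("admin3", [G1, G3, DOMAIN_USERS], ADMINS))
    print(overlapping_admins([G1, G3, DOMAIN_USERS], ADMINS))
    # Remediation from the tips: an individual (non-wildcard) account for admin3 wins first.
    print(select_admin("admin3", [G1, G3, DOMAIN_USERS], ADMINS + [Admin("admin3", G3)]))
```

Running `overlapping_admins` for each user in the admin groups before changing the configuration points out exactly which users would be mapped by list order rather than by the group you intended, so they can be removed from the extra group or given an individual account.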
Note:
If the FortiGate login still fails, raise a support ticket and provide the following:
- The FortiGate configuration.
- Enable the debugs mentioned above.
- Reproduce the issue.
- The output of the command: diagnose debug crash log read
- Upload all of the above to the ticket.