| Description | This article describes how we to match the SSL-VPN user to all the group once it is authenticated on SSL-VPN. |
| Scope | FortiGate |
| Solution |
- 'sslvpntest1' has been used as a sample SSL-VPN user.
- The 'sslvpntest1' is a member of 'sslvpngrp1', 'sslvpngrp2', 'sslvpngrp3', 'sslvpngrp4' and 'sslvpngrp5'.
- Make sure that to have configured IPV4 POLICY for all those group that the 'sslvpntest1' is part of.
- Once the 'sslvpntest1' authenticates on SSL-VPN, all the groups that the 'sslvpntest1' is part of under FIREWALL USER MONITOR are visible.
- And in CLI by running this command # get vpn ssl monitor.
- For debugging, run this command.
# diag debug app fnbamd -1 # diag debug en
- Then here is a sample log that would show how the FortiGate matches the 'sslvpntest1' to all the group that it is part of after it authenticates on SSL-VPN.
[624:root:18]add user sslvpntest1 in group sslvpngrp5 [624:root:18]Will add auth policy for policy 7 for user sslvpntest1:sslvpngrp1 [624:root:18]add user sslvpntest1 in group sslvpngrp4 [624:root:18]Will add auth policy for policy 6 for user sslvpntest1:sslvpngrp1 [624:root:18]add user sslvpntest1 in group sslvpngrp3 [624:root:18]Will add auth policy for policy 5 for user sslvpntest1:sslvpngrp1 [624:root:18]add user sslvpntest1 in group sslvpngrp2 [624:root:18]Will add auth policy for policy 4 for user sslvpntest1:sslvpngrp1 [624:root:18]add user sslvpntest1 in group sslvpngrp1 [624:root:18]Will add auth policy for policy 3 for user sslvpntest1:sslvpngrp1 [624:root:18]Add auth logon for user sslvpntest1:sslvpngrp1, matched group number 6 [624:root:18]fsv_associate_fd_to_ipaddr:1910 associate 10.212.134.200 to tun (ssl.root:37) [624:root:18]proxy arp: scanning 6 interfaces for IP 10.212.134.200 [624:root:18]Cannot determine ethernet address for proxy ARP [624:root:17]sslvpn_read_request_common,679, ret=-1 error=-1, sconn=0x7feb1b378900. [624:root:17]Destroy sconn 0x7feb1b378900, connSize=1. (root) |
