Created on 03-28-2024 06:24 AM Edited on 03-28-2024 06:24 AM By Jean-Philippe_P
Description:
This article describes the case where an SSL VPN user cannot authenticate on the wan2 interface, while the same user can authenticate and connect with the SSL VPN on wan1.
Both wan1 and wan2 are selected in the SSL VPN settings. When the user tries to authenticate on wan2, the login fails with a 'permission denied' error.
Scope: FortiGate.
Solution:
Run the SSL VPN and authentication daemon debug:

diag debug disable
diag debug reset
diag debug application sslvpn -1
diag debug application fnbamd -1
diag debug enable
Debug output when the user connects on wan1 (the session is decoded and the user and group are recognized):

[2390:root:8a]req: /api/v2/static/fweb_build.json
[2390:root:8a]mza: 0x3247150 /api/v2/static/fweb_build.json
[2390:root:8a]deconstruct_session_id:716 decode session id ok, user=[Test], group=[Test],authserver=[],portal=[full-access],host[172.25.181.131],realm=[],csrf_token=[2D87EB45220361E77CECE417F4C8A6],idx=0,auth=1,sid=56a2b83a,login=1711630502,access=1711630502,saml_logout_url=no,pip=no,grp_info=[S3Qf2U],rmt_grp_info=[]

Debug output when the user connects on wan2:

[2390:root:70]sslvpn_update_user_group_list:1807 got user (0:0), group (0:0), peer group (0) after update.
[2390:root:70]no valid user or group candidate found.
[2390:root:70]login_failed:403 user[Test],auth_type=32768 failed [sslvpn_login_unknown_user]
[2390:root:0]dump_one_blocklist:94 status=1;host=172.25.181.131;fails=1;logintime=1711630120
[2390:root:70]req: /remote/login?&err=sslvpn_login_permissi
[2390:root:70]rmt_web_auth_info_parser_common:504 no session id in auth info
[2390:root:70]rmt_web_get_access_cache:853 invalid cache, ret=4103
[2390:root:70]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

The login on wan2 fails with sslvpn_login_unknown_user because no authentication rule matches the user or group for a connection arriving on that interface. The failed attempt is also recorded against the client host in the SSL VPN login block list (dump_one_blocklist, fails=1), so repeated tries from the same host can be locked out for a while on top of the configuration problem.
Solution.
Check the authentication rule in the CLI:

config authentication-rule
    edit 1
        set source-interface "port1"
        set source-address "all"
        set groups "Test"
        set portal "full-access"
    next
end

The rule's source interface is restricted to port1 (the wan1 interface in this scenario). When an authentication rule specifies a source interface, it only matches logins arriving through that interface, so a login on wan2 finds no matching rule and is rejected even though wan2 is selected in the SSL VPN settings. Unset the source interface in the rule so that it applies to logins on both wan1 and wan2.
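As an added example (not code from the article or from Fortinet), the following Python script audits a `show vpn ssl settings` dump for exactly this mismatch: it compares the interfaces the SSL VPN listens on with the source-interface of each authentication rule and reports the interfaces on which a rule can never match, then prints the CLI that unsets the interface restriction. The sample configuration is constructed; the interface names, the second rule and the enclosing `config vpn ssl settings` block are this example's assumptions, not taken from the article.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample of `show vpn ssl settings` output mirroring the article:
# SSL VPN listens on two interfaces, but authentication rule 1 is pinned to
# the first one only. Interface names, rule 2 and the enclosing
# `config vpn ssl settings` block are assumptions made for this example.
SAMPLE_SETTINGS = """\
config vpn ssl settings
    set source-interface "wan1" "wan2"
    set source-address "all"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "Test"
            set portal "full-access"
        next
        edit 2
            set source-address "all"
            set groups "Admins"
            set portal "full-access"
        next
    end
end
"""


@dataclass
class AuthRule:
    rule_id: int
    # Empty list: rule is not pinned to an interface and matches logins on
    # every interface the SSL VPN listens on.
    source_interfaces: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    portal: str = ""


@dataclass
class SslVpnSettings:
    listen_interfaces: list = field(default_factory=list)
    rules: list = field(default_factory=list)


def parse_ssl_settings(text):
    """Line-based parser for the parts of `show vpn ssl settings` we need."""
    settings = SslVpnSettings()
    in_rules, rule = False, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles the quoted values
        if not tokens:
            continue
        if tokens[:2] == ["config", "authentication-rule"]:
            in_rules = True
        elif in_rules and tokens[0] == "edit":
            rule = AuthRule(rule_id=int(tokens[1]))
        elif in_rules and tokens[0] == "next":
            settings.rules.append(rule)
            rule = None
        elif in_rules and tokens[0] == "end":
            in_rules = False
        elif tokens[0] == "set":
            key, values = tokens[1], tokens[2:]
            if rule is not None:
                if key == "source-interface":
                    rule.source_interfaces = values
                elif key == "groups":
                    rule.groups = values
                elif key == "portal":
                    rule.portal = values[0]
            elif key == "source-interface":
                # Top-level source-interface = interfaces SSL VPN listens on.
                settings.listen_interfaces = values
    return settings


def find_uncovered(settings):
    """Map rule id -> listening interfaces on which that rule can never match.

    A login on one of those interfaces by a user/group covered only by that
    rule fails with sslvpn_login_unknown_user, as in the debug above.
    """
    uncovered = {}
    for rule in settings.rules:
        if not rule.source_interfaces:
            continue
        missing = [i for i in settings.listen_interfaces
                   if i not in rule.source_interfaces]
        if missing:
            uncovered[rule.rule_id] = missing
    return uncovered


def remediation(settings):
    """CLI applying the article's fix: unset the interface pin on affected rules."""
    affected = find_uncovered(settings)
    if not affected:
        return ""
    lines = ["config vpn ssl settings", "    config authentication-rule"]
    for rule_id in sorted(affected):
        lines += [f"        edit {rule_id}",
                  "            unset source-interface",
                  "        next"]
    lines += ["    end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_ssl_settings(SAMPLE_SETTINGS)
    for rule_id, ifaces in find_uncovered(parsed).items():
        print(f"rule {rule_id} never matches logins on: {', '.join(ifaces)}")
    print(remediation(parsed))
```

Run against the sample, the script reports that rule 1 never matches logins on wan2 and prints the `unset source-interface` commands for that rule; rule 2, which has no source-interface, is left alone. If a rule is meant to be interface-specific, list every interface it should serve instead of unsetting the restriction.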
Copyright 2024 Fortinet, Inc. All Rights Reserved.