Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kmohan
Staff
Staff

Created on ‎11-12-2024 11:25 PM Edited on ‎12-23-2024 03:30 PM By Staff

Article Id 356344

Technical Tip: SSL VPN Connection with the Permission Denied -455 on the 2FA ( Mobile Free TrialToken) and LDAP Server User group

Description

 

The article describes how to resolve the Permission Denied issue from the Forticlient ( SSL VPN ) with 2FA.

 

Scope

 

FortiGate.

 

Solution

 

  1. Config the local user or LDAP user added on the SSL VPN portal and enable 2FA for mobile free trial tokens.

 3.png

 

Token1-sslvpn.png

 

  1. Once the user is added to the user definition, FortiGate generates the QR code scan on the mentioned Email Address, and FortiToken status will be 'Pending', and until the token is activated, it will be pending status.

 

2.png

 

  1. Install FortiToken from the mobile application and activate it with a QR Scan code: Technical Tip: How to assign FortiToken Mobile to users on FortiGate and FortiAuthenticator
  2. Try to log in to the SSL-VPN with LDAP and local username/password. It will generate the token and enter it. If a VPN connection occurs, the error  'Permission Denied -455'.

 

Follow the below steps:

  • Checked the FortiToken status, still under pending status.
  • Remove the FortiToken from the user definition,  delete the trial tokens, and re-import.

* Follow the steps 2 & 3 instructions, and try to login with username/Password.

* The token will be generated on the mobile application; enter the code, and it will work fine.

If the issue occurs, check on the LDAP Server:

* Check if the LDAP server connection to Fortigate is still up.

* Check the LDAP configuration and verify the user credentials are changed from the LDAP server; if they got changed, try with a new password.

* Verify that 'User' was added to the LDAP Group or not.

* Try to create another user entry under the same LDAP group to confirm if it is user specific issue.

 

Sometimes the trial license will get invalid, so remove the user from the FortiToken, delete it, and re-import; it will work fine.

 

Permission denied with LDAP User group:

The LDAP user group is often used for user authentication and it is a popular method. Sometimes due to configuration from the LDAP side when the email address is entered as a username for example administrator@testcom the FortiClient returns an error message of -455 Permission Denied.

This is because the username is not found in the LDAP group, and the FMBAND debug at the Firewall will return a similar log

 

2023-11-30 09:48:19 [7990:root:16][fam_auth_proc_resp:1459] Authenticated groups (1) by FNBAM with auth_type (16):
2023-11-30 09:48:19 [7990:root:16]Received: auth_rsp_data.grp_list[0] = 162510840
2023-11-30 09:48:19 [7990:root:16]login_failed:452 user[administrator@testcom],auth_type=16 failed [sslvpn_login_permission_denied]
2023-11-30 09:48:19 [7990:root:16]Transfer-Encoding n/a

 

From the FortiGate side, there are two probabilities for this error message, the first one is due to the use of the email address instead of the username like 'administrator' instead of 'administrator@testcom'.

 

Related article:

Troubleshooting Tip: FortiGate LDAP troubleshooting and debug logs created by fnbamd

 

16612
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.