FortiGate
Anonymous
Article Id 245853
Description: This article describes an SSL VPN remote authentication/connection failure that occurs even though the RADIUS server, attributes, policies, and group matching are properly configured on FortiGate and FortiAuthenticator.
Scope: FortiGate and FortiAuthenticator.
Solution

In the lab environment, the user group 'SSLVPN_Group2' on FortiGate is configured with a group-name match ('SSL-VPN-Group2') that is identical to the group name configured on FortiAuthenticator.

Branch_Internet_Webs~ver # sh user group | grep -A8 'SSLVPN_Group2'
    edit "SSLVPN_Group2"
        set member "FortiAuth"
        config match
            edit 1
                set server-name "FortiAuth"
                set group-name "SSL-VPN-Group2"
            next
        end
    next

SSLVPN Authentication/Portal Mapping

User Group: SSL-VPN-Group

Realm: /SecurityGroup

Portal: full-access


On FortiAuthenticator, the user group is configured with the Vendor-Specific Attribute value 'SSL-VPN-Group2' to match the group name configured on the FortiGate.

User account: testuser2

The firewall policy is also configured correctly on the FortiGate to allow SSLVPN_Group2 users to authenticate; however, VPN authentication still fails.


The debug shows that the Access-Request (code 1) to server 'FortiAuth' for user=testuser2 was delivered and that the RADIUS server responds with Access-Accept (code 2). Even though the RADIUS result is 0 (success), the login still fails with the debug error 'find_matched_usr_grps-Failed group matching'.


diagnose debug application fnbamd -1
diagnose debug enable


Group matching failed even with the firewall policy configured, because the RADIUS attribute was not validated and extracted successfully. This happens when the filter in the FortiAuthenticator RADIUS policy is not enabled and set to the correct group, under Authentication -> RADIUS Service -> Policies.

Once the correct user group is set in the RADIUS policy, authentication succeeds.


In the debug, the VSA group-name returned by the RADIUS server is now extracted correctly.


[320] extract_success_vsas-FORTINET attr, type 1, val SSL-VPN-Group2
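To make the failure mode concrete, here is an added Python example (not Fortinet code) that parses a RADIUS Access-Accept, pulls the Fortinet-Group-Name value out of the Vendor-Specific attribute, and performs the kind of group-name comparison the FortiGate 'config match' step does; the vendor ID 12356 is Fortinet's enterprise number, and the matching semantics are a simplified assumption. An Access-Accept that carries no VSA, which is what the FortiAuthenticator policy returns when its filter is not set, produces the 'Failed group matching' outcome seen in the debug.

```python
import struct

FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name VSA ("FORTINET attr, type 1" in the fnbamd debug)
ACCESS_ACCEPT = 2

def parse_attributes(packet: bytes):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def extract_fortinet_group_names(packet: bytes):
    """Return every Fortinet-Group-Name value carried in Vendor-Specific (26) attributes."""
    groups = []
    for atype, value in parse_attributes(packet):
        if atype != 26 or len(value) < 6:  # 26 = Vendor-Specific
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue  # another vendor's VSA, not relevant to FortiGate group matching
        pos = 4
        while pos + 2 <= len(value):  # walk the vendor sub-attributes: type, length, data
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == FORTINET_GROUP_NAME:
                groups.append(value[pos + 2:pos + vlen].decode())
            pos += vlen
    return groups

def match_user_group(packet: bytes, configured_group_name: str) -> str:
    """Simplified model of 'config match': Access-Accept alone is not enough, the VSA must match."""
    if packet[0] != ACCESS_ACCEPT:
        return "reject"
    return "matched" if configured_group_name in extract_fortinet_group_names(packet) else "Failed group matching"

def build_access_accept(group_name=None) -> bytes:
    # Constructed sample Access-Accept (zero authenticator), with or without the Fortinet-Group-Name VSA.
    attrs = b""
    if group_name is not None:
        data = group_name.encode()
        vsa = struct.pack("!IBB", FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, 2 + len(data)) + data
        attrs = struct.pack("!BB", 26, 2 + len(vsa)) + vsa
    header = struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + b"\x00" * 16
    return header + attrs
```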

Related articles:

Troubleshooting Tip: RADIUS authentication troubleshooting

Technical Tip: Fortinet's RADIUS Dictionary and VS... - Fortinet Community

Technical Tip: RADIUS authentication with FortiAuthenticator
