mmasakayan
Staff
Article Id 245853
Description This article describes an authentication/connection failure during SSL VPN remote authentication that occurs even though the RADIUS server, attributes, policies, and group matching are correctly configured on FortiGate and FortiAuthenticator.
Scope FortiGate and FortiAuthenticator.
Solution

In the lab environment, the user group 'SSLVPN_Group2' on FortiGate is configured with a group-name match that corresponds to the group name configured on FortiAuthenticator.

 

Branch_Internet_Webs~ver # sh user group | grep -A8 'SSLVPN_Group2'
    edit "SSLVPN_Group2"
        set member "FortiAuth"
        config match
            edit 1
                set server-name "FortiAuth"
                set group-name "SSL-VPN-Group2"
            next
        end
    next

 

mmasakayan_0-1676441982590.png



SSLVPN Authentication/Portal Mapping
User Group: SSL-VPN-Group
Realm: /SecurityGroup
Portal: full-access

 

mmasakayan_1-1676442021265.png

 

On FortiAuthenticator, the user group is configured with a Vendor-Specific Attribute value of 'SSL-VPN-Group2' to match the group name configured on the FortiGate.

 

user account: testuser2

 

mmasakayan_2-1676442042222.png

 

The firewall policy is also configured correctly on the FortiGate to allow SSLVPN_Group2 users to authenticate; however, VPN authentication still fails.

 

mmasakayan_3-1676442067211.png

 

mmasakayan_4-1676442078161.png

 

The debug shows that the Access-Request (code 1) to server 'FortiAuth' for user=testuser2 was delivered and that RADIUS responded with Access-Accept (code 2). Even though the RADIUS result is 0 (Success), the login still fails, as shown by the debug error 'find_matched_usr_grps-Failed group matching'.


# diag debug application fnbamd -1
# diag debug enable

 

mmasakayan_5-1676442117425.png

 

Group matching failed even with the firewall policy configured because the RADIUS attribute was not validated and extracted successfully: an Access-Accept alone is not enough, FortiGate must also find a returned group name equal to the group-name in its 'config match' entry. This happens when the filter is not enabled, or is not set to the correct user group, under Authentication -> RADIUS Service -> Policies on FortiAuthenticator, so the Vendor-Specific Attribute is never returned in the reply.
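To make the failing step concrete, the following is an added Python example (not code from this article, FortiGate or FortiAuthenticator) that decodes the Fortinet Vendor-Specific attribute from a RADIUS Access-Accept attribute block and applies the same kind of 'config match' check to the SSLVPN_Group2 group. The two sample replies are constructed inline: one with the VSA present (filter set correctly) and one with only a Reply-Message (filter missing or wrong group). The vendor ID 12356 and sub-attribute type 1 (Fortinet-Group-Name) come from Fortinet's public RADIUS dictionary; the function names, the constructed payloads and the exact case-sensitive string comparison are assumptions of this emulation.

```python
# Added example: decode Fortinet VSAs from a RADIUS Access-Accept attribute
# block and emulate FortiGate's 'config match' group check. Not Fortinet code;
# vendor ID 12356 and sub-attribute type 1 (Fortinet-Group-Name) come from
# Fortinet's public RADIUS dictionary, everything else is constructed here.
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
RADIUS_REPLY_MESSAGE = 18     # RFC 2865 Reply-Message attribute type
FORTINET_VENDOR_ID = 12356    # IANA enterprise number for Fortinet
FORTINET_GROUP_NAME = 1       # Fortinet-Group-Name sub-attribute

# Mirrors the 'config match' entry under user group SSLVPN_Group2 on the FortiGate.
SSLVPN_GROUP2_MATCH = [{"server-name": "FortiAuth", "group-name": "SSL-VPN-Group2"}]


def encode_attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (length covers the header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_fortinet_vsa(sub_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute carrying one Fortinet sub-attribute."""
    sub_attr = struct.pack("!BB", sub_type, 2 + len(value)) + value
    return encode_attr(RADIUS_VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + sub_attr)


def parse_attrs(blob: bytes):
    """Yield (type, value) pairs from a RADIUS attribute block, rejecting bad lengths."""
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        yield atype, blob[i + 2:i + alen]
        i += alen


def extract_fortinet_groups(blob: bytes) -> list:
    """Return every Fortinet-Group-Name value found in the Access-Accept attributes."""
    groups = []
    for atype, value in parse_attrs(blob):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue  # VSA from another vendor, ignore it
        j = 4
        while j + 2 <= len(value):  # vendor data may hold several sub-attributes
            sub_type, sub_len = value[j], value[j + 1]
            if sub_len < 2 or j + sub_len > len(value):
                break
            if sub_type == FORTINET_GROUP_NAME:
                groups.append(value[j + 2:j + sub_len].decode("utf-8", "replace"))
            j += sub_len
    return groups


def match_user_group(blob: bytes, server_name: str, config_match: list) -> dict:
    """Emulate the group-matching step: an Access-Accept alone is not enough, a
    returned group name must equal a configured group-name for that server.
    Exact, case-sensitive comparison is an assumption of this emulation."""
    groups = extract_fortinet_groups(blob)
    for entry in config_match:
        if entry["server-name"] == server_name and entry["group-name"] in groups:
            return {"accepted": True, "matched": entry["group-name"], "groups": groups}
    return {"accepted": False, "matched": None, "groups": groups}


# Constructed sample replies for testuser2.
# 1) FortiAuthenticator policy filter set to the correct group: VSA present.
ACCEPT_WITH_VSA = encode_fortinet_vsa(FORTINET_GROUP_NAME, b"SSL-VPN-Group2")
# 2) Filter disabled or wrong group: Access-Accept carrying only a Reply-Message.
ACCEPT_WITHOUT_VSA = encode_attr(RADIUS_REPLY_MESSAGE, b"Welcome")

if __name__ == "__main__":
    for label, blob in (("with VSA", ACCEPT_WITH_VSA), ("without VSA", ACCEPT_WITHOUT_VSA)):
        result = match_user_group(blob, "FortiAuth", SSLVPN_GROUP2_MATCH)
        print(f"{label}: groups={result['groups']} accepted={result['accepted']}")
```

Running it shows the second reply is accepted by RADIUS yet yields no group, which is the situation behind the 'Failed group matching' debug line: the fix is on the FortiAuthenticator policy side, not in the FortiGate firewall policy.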

Once the correct user group is set in the RADIUS policy, authentication succeeds.

 

mmasakayan_6-1676442218866.png
mmasakayan_7-1676442227887.png

Based on the debug, the correct VSA group-name is now extracted from the RADIUS server's response.

 

[320] extract_success_vsas-FORTINET attr, type 1, val SSL-VPN-Group2

 

mmasakayan_10-1676442593782.png

mmasakayan_9-1676442259836.png

 

Related documents:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Radius-authentication-troubleshooting/ta-p...

Technical Tip: Fortinet's RADIUS Dictionary and VS... - Fortinet Community

 
