Created on 11-25-2022 11:04 PM Edited on 11-15-2024 07:29 AM By Jean-Philippe_P
Description

This article describes the case where an LDAP authentication test run from the FortiGate CLI succeeds, but the same credentials fail in an actual SSL VPN login.

The credentials of a test user with username 'testvpn' and password 'azbyc' (already configured in the LDAP server's Active Directory) show a successful authentication when tested from the FortiGate as follows:

FW-1 # dia test authserver ldap MyLdap testvpn azbyc
authenticate 'testvpn' against 'MyLdap' succeeded!  <---
Group membership(s) - CN=SSLVPNUsers,OU=SSL-VPN,DC=abc,DC=com
When using FortiClient, the error message that pops up is: 'Unable to logon to the server. Your username or password may not be configured properly for this connection'.
When using web mode, the error is 'Error: Authentication Failure'.

The following debugs can be run to check the SSL VPN login failure as well:

diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable

The following can then be observed in the debug output:

[314:root:13]sslvpn_authenticate_user:191 authenticate user: [testvpn]
[314:root:13]sslvpn_authenticate_user:205 create fam state
[314:root:13][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[314:root:13][fam_auth_send_req_internal:438] FNBAM opt = 0X300421
invalid auth params for user 'testvpn'  <-----
[314:root:13]fam_auth_send_req_internal:514 fnbam_auth return: 5
[314:root:13]fam_auth_send_req:1007 task finished with 5
[314:root:13]login_failed:393 user[testvpn],auth_type=1 failed [sslvpn_login_unknown_user]  <-----

The debugs show that the group configured on the FortiGate for the LDAP users (SSLVPNUsers) is never passed to FNBAM: the 'Groups sent to FNBAM:' line is empty, so no authentication is done against that group at all.

In this case, the test user 'testvpn' is a member of the user group 'SSLVPNUsers', which has the LDAP server (remote group) added as a member as well.
Scope

FortiGate.

Solution
To resolve this, ensure that the configured group is present in the 'Authentication/Portal Mapping' section of the SSL VPN settings:
Next, ensure that this user group is added to the corresponding firewall policy as well.
Finally, confirm that while trying to log in to the VPN, the username is typed in properly since it is 'case-sensitive'.
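The three settings the steps above refer to can also be checked and applied from the CLI. The following is an added FortiOS CLI example written for this article, not configuration taken from the original page; it assumes the LDAP server object 'MyLdap' already exists and works (as the authserver test above shows), and uses placeholder values for the portal ('full-access'), the LAN interface ('port2') and the policy ID (10), which must be replaced with the ones in use.

```fortios
# 1. User group: the LDAP server is a remote member, and (optional hardening,
#    assumed here) membership is restricted to the AD group seen in the
#    authserver test so that not every LDAP user can log in.
config user group
    edit "SSLVPNUsers"
        set member "MyLdap"
        config match
            edit 1
                set server-name "MyLdap"
                set group-name "CN=SSLVPNUsers,OU=SSL-VPN,DC=abc,DC=com"
            next
        end
    next
end

# 2. Authentication/Portal Mapping: without this rule the group is never
#    sent to FNBAM and the login fails with 'invalid auth params'.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "SSLVPNUsers"
            set portal "full-access"     # placeholder portal name
        next
    end
end

# 3. Firewall policy from the SSL VPN interface that references the same
#    group; 'port2' and policy ID 10 are placeholders.
config firewall policy
    edit 10
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPNUsers"
    next
end
```

After applying this, re-run the sslvpn and fnbamd debugs from the Description section while logging in again; the 'Groups sent to FNBAM:' line should no longer be empty, and the 'invalid auth params' and 'sslvpn_login_unknown_user' messages should disappear. Keep the group match narrow (a dedicated AD group rather than the whole directory) so that only the intended users are granted VPN access.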
Once these settings are in place, the user can successfully authenticate with the same credentials via FortiClient as well as web mode.

Hence, to authenticate over SSL VPN successfully, it may be necessary to have the user group mapped to a portal in the Authentication/Portal Mapping, the same group referenced in the firewall policy, and the username entered with the correct case.

Related articles:
SSL VPN with LDAP user authentication
Technical Tip: Authenticate remote and local users with a single group