bvagadia
Staff
Article Id 203862
Description This article discusses wrong group mapping for an SSL VPN user.
Scope FortiOS.
Solution

A user connects to SSL VPN but is matched to the wrong group.

Example:

The user Test belongs to the Access VPN group but is matched to the Access FireWall group:


find_matched_usr_grps-Add matched group 'Access FireWall'(34) <<

find_matched_usr_grps-Add matched group 'Access VPN'(12) <<

Auth successful for user Test in group Access FireWall SA <<

The debug output shows that the user matches both groups but is mapped to the wrong one.

edit "Access VPN"
    set member "LDAP-A"
    config match
        edit 1
            set server-name "LDAP-A"
            set group-name ""
        next
    end
next
edit "Access FireWall" <----- No group name.
    set member "LDAP-A"
next

The configuration shows why: the Access FireWall group has no group name set, so the user matches the Access FireWall group as well.

So, always specify the group name when creating a group.
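One way to audit a configuration backup for this condition, as an added example that is not part of the original article: the script parses a "config user group" section and lists groups whose remote-server member has no match entry carrying a group name. The sample configuration, the group DN and the function names are constructed for illustration, and the caller is assumed to supply the names of the remote authentication servers.

```python
import shlex

# Constructed sample (the group DN is a placeholder, not from the article).
SAMPLE = '''
config user group
    edit "Access VPN"
        set member "LDAP-A"
        config match
            edit 1
                set server-name "LDAP-A"
                set group-name "CN=vpn-users,DC=example,DC=com"
            next
        end
    next
    edit "Access FireWall"
        set member "LDAP-A"
    next
end
'''

def parse_groups(text):
    """Map each group name to its members and its 'config match' entries."""
    groups, current, in_match = {}, None, False
    for w in filter(None, map(shlex.split, text.splitlines())):
        if in_match:
            if w[0] == "edit":                      # new match entry
                current["matches"].append({})
            elif w[0] == "set" and len(w) > 2 and current["matches"]:
                current["matches"][-1][w[1]] = w[2]
            elif w[0] == "end":                     # leaves 'config match'
                in_match = False
        elif w[:2] == ["config", "match"] and current is not None:
            in_match = True
        elif w[0] == "edit" and len(w) > 1:         # new user group
            current = groups.setdefault(w[1], {"members": [], "matches": []})
        elif w[:2] == ["set", "member"] and current is not None:
            current["members"] = w[2:]
        elif w[0] == "next":
            current = None
    return groups

def unscoped_groups(text, remote_servers):
    """(group, server) pairs where no match entry gives that server a group name."""
    return [(name, srv) for name, g in parse_groups(text).items()
            for srv in g["members"] if srv in remote_servers
            and not any(m.get("server-name") == srv and m.get("group-name")
                        for m in g["matches"])]

if __name__ == "__main__":
    print(unscoped_groups(SAMPLE, {"LDAP-A"}))
```

A match entry with an empty group name is reported the same way as a missing one.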
