FortiGate
Dhruvin_patel
Article Id 334152
Description
This article describes how to troubleshoot an issue where the client is not mapped to the expected SSL VPN portal even though the configuration is correctly in place.

Scope
All FortiOS versions.

Solution

Symptom: when the end user connects to SSL VPN with FortiClient, FortiGate does not honor the user's group membership, so the client is not mapped to the portal configured for that group.

In this example, the end user 'test' is a member of the group 'local_vpn_users':

 

config user local
    edit "test"
        set type password
        set passwd-time 2023-03-12 23:10:49
        set passwd FortinetPasswordMask
    next
end

config user group
    edit "local_vpn_users"
        set member "test"
    next
end

 

The group is mapped to the SSL-VPN portal "full-access" by an authentication rule:

 

config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "local_vpn_users"
            set portal "full-access"
        next
    end
end

 

The proper policy is in place:

 

config firewall policy
    edit <policy-id>
        set status enable
        set name "allow_sslvpn"
        set uuid xxx
        set srcintf "ssl.root"
        set dstintf "internal_port"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set groups "local_vpn_users"
    next
end

(<policy-id> is a placeholder: the policy ID is not given in this article.)

 

The debug output shows the user authenticating into the correct group. However, the user was not mapped to the expected SSL-VPN portal: the login matched the default SSL-VPN authentication rule (rule 0) and its portal instead of rule 1.

 

[3629:root:a]fsv_logincheck_common_handler:1347 user 'test' has a matched local entry.
[3629:root:a]two factor check for test: off
[3629:root:a]sslvpn_authenticate_user:193 authenticate user: [test]
[3629:root:a]sslvpn_authenticate_user:211 create fam state
[3629:root:a]fam_auth_send_req:892 found node test:0:, valid:1
[3629:root:a][fam_auth_send_req_internal:429] Groups sent to FNBAM:
[3629:root:a]group_desc[0].grpname = test
[3629:root:a]group_desc[1].grpname = local_vpn_users
[3629:root:a][fam_auth_send_req_internal:441] FNBAM opt = 0X201420
[3629:root:a]fam_auth_send_req_internal:517 fnbam_auth return: 0
[3629:root:a][fam_auth_send_req_internal:543] Authenticated groups (2) by FNBAM with auth_type (1):
[3629:root:a]Received: auth_rsp_data.grp_list[0] = 16777221
[3629:root:a]Received: auth_rsp_data.grp_list[1] = 14
[3629:root:a]fam_auth_send_req_internal:567 found node local_vpn_users:0:, valid:1, auth:0
[3629:root:a]Validated: auth_rsp_data.grp_list[1] = local_vpn_users
[3629:root:a][fam_auth_send_req_internal:657] The user test is authenticated.
[3629:root:a]fam_do_cb:682 fnbamd return auth success.
[3629:root:a]SSL VPN login matched rule (0).
[3629:root:a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3629:root:0]get tunnel link address4
[3629:root:a]rmt_web_session_create:1029 create web session, idx[1]
[3629:root:a]login_succeeded:553 redirect to hostcheck
[3629:root:a]Transfer-Encoding n/a
[3629:root:a]Content-Length 205
[3629:root:a]rmt_hcinstall_cb_handler:210 enter
[3629:root:a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3629:root:a]rmt_hcinstall_cb_handler:288 hostchk needed : 0.
[3629:root:a]deconstruct_session_id:505 decode session id ok, user=[test], group=[],authserver=[],portal=[download_client],host[10.10.10.3],realm=[],csrf_token=[CF7044A68C4C7C7BDDD8183144B92D],idx=1,auth=1,sid=2fb54979,login=1723996959,access=1723996959,saml_logout_url=no,pip=no,grp_info=[ISi2FD],rmt_grp_info=[]
[3629:root:a]Transfer-Encoding n/a
[3629:root:a]Content-Length 205
[3629:root:a]req: /remote/fortisslvpn
[3629:root:a]Transfer-Encoding n/a
[3629:root:a]Content-Length n/a
[3627:root:a]Timeout for connection 0x7f309b455800.

 

This issue occurs because the local user object has become corrupted.

To resolve the issue, delete and recreate the local user, then add it back to the group.
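The mismatch above (groups validated by fnbamd, yet the login matched rule 0 and landed on the "download_client" portal with an empty session group) can be picked out of the SSL VPN debug output automatically. The following checker is an added example and is not Fortinet code; the log excerpt is constructed from the lines quoted in this article, and the expected rule table is assumed to mirror the authentication-rule configuration shown earlier.

```python
import re

# Constructed sample, condensed from the debug output quoted in the article above.
SAMPLE_DEBUG = """\
[3629:root:a]fsv_logincheck_common_handler:1347 user 'test' has a matched local entry.
[3629:root:a]Validated: auth_rsp_data.grp_list[1] = local_vpn_users
[3629:root:a]SSL VPN login matched rule (0).
[3629:root:a]deconstruct_session_id:505 decode session id ok, user=[test], group=[],authserver=[],portal=[download_client],host[10.10.10.3],realm=[]
"""

# Expected mapping taken from 'config authentication-rule': rule id -> (group, portal).
EXPECTED_RULES = {1: ("local_vpn_users", "full-access")}

USER_RE = re.compile(r"user '([^']+)' has a matched local entry")
GROUP_RE = re.compile(r"Validated: auth_rsp_data\.grp_list\[\d+\] = (\S+)")
RULE_RE = re.compile(r"SSL VPN login matched rule \((\d+)\)")
SESSION_RE = re.compile(r"decode session id ok, user=\[([^\]]*)\], group=\[([^\]]*)\].*?portal=\[([^\]]*)\]")


def parse_sslvpn_debug(text):
    """Extract user, fnbamd-validated groups, matched rule id, and the group/portal stored in the session."""
    login = {"user": None, "groups": [], "rule": None, "session_group": None, "portal": None}
    for line in text.splitlines():
        if m := USER_RE.search(line):
            login["user"] = m.group(1)
        elif m := GROUP_RE.search(line):
            login["groups"].append(m.group(1))
        elif m := RULE_RE.search(line):
            login["rule"] = int(m.group(1))
        elif m := SESSION_RE.search(line):
            login["session_group"], login["portal"] = m.group(2), m.group(3)
    return login


def check_portal_mapping(text, expected_rules):
    """Return findings; an empty list means the login hit the rule and portal its group should select."""
    login = parse_sslvpn_debug(text)
    findings = []
    # Which authentication-rule should have matched, given the groups fnbamd validated?
    wanted = [(rid, portal) for rid, (grp, portal) in expected_rules.items() if grp in login["groups"]]
    if not wanted:
        return [f"user {login['user']!r} validated into no group referenced by an authentication-rule"]
    rid, portal = wanted[0]
    if login["rule"] != rid:
        findings.append(f"matched rule ({login['rule']}) but group membership should select rule {rid}")
    if login["portal"] != portal:
        findings.append(f"session portal is {login['portal']!r}, expected {portal!r}")
    if login["groups"] and not login["session_group"]:
        findings.append("session carries no group although fnbamd validated " + ", ".join(login["groups"]))
    return findings
```

Run it on the output of the SSL VPN debug session for the affected user; an empty findings list after recreating the user confirms the group is again selecting rule 1 and the "full-access" portal.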