This article describes the SSL VPN debug error 'sslvpn_login_unknown_user'.
In this scenario, Realm is configured. Output Scenario #2 is also valid for non-Realm configurations.
FortiGate.
User Scope: Local
Username: test_user
User Group: SSLVPN_user_group
SSL VPN configuration:
FortiGate-KVM # config vpn ssl settings
FortiGate-KVM (settings) # show
config vpn ssl settings
set servercert "Fortinet_Factory"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set port 4443
set source-interface "port1"
set source-address "all"
set source-address6 "all"
set default-portal "full-access"
config authentication-rule
edit 1
set groups "SSLVPN_user_group" <----- User Group.
set portal "full-access" <----- Portal name.
set realm "VPN-Users" <----- Realm is mapped.
next
end
end
Run the debugs:
# diag debug disable
# diag debug reset
# diag debug application sslvpn -1
# diag debug enable
Output scenario 1: Not Accessing Realm website.
[327:root:a5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
[327:root:a5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry. <----- User Matched.
[327:root:a5]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy. <----- Checking for User Group reference.
[327:root:a5]sslvpn_auth_check_usrgroup:3008 got user (0) group (1:0).
[327:root:a5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm () <----- REALM is empty, which means Realm website not accessed.
[327:root:a5]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.
[327:root:a5]sslvpn_validate_user_group_list:1978 checking rule 1 realm.
[327:root:a5]sslvpn_validate_user_group_list:2864 got user (0:0), group (0:0) peer group (0).
[327:root:a5]sslvpn_update_user_group_list:1792 got user (0:0), group (0:0), peer group (0) after update.
[327:root:a5]no valid user or group candidate found
[327:root:a5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user]<----- User/User Group verification failed.
[327:root:0]dump_one_blocklist:93 status=1;host=192.168.2.128;fails=1;logintime=1668480661
User FortiClient Settings:
Solution:
When using a Realm for Users/User Groups, make sure the client connects to the Realm URL, not the root SSL VPN URL.
Correct Remote Gateway: https://192.168.2.110:4443/VPN-Users
Note: SSL VPN Realms are case sensitive.
Output scenario 2: Accessing Realm website.
[327:root:b5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
[327:root:b5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry. <----- User Matched.
[327:root:b5]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy. <----- Checking for User Group reference.
[327:root:b5]sslvpn_auth_check_usrgroup:3008 got user (0) group (1:0).
[327:root:b5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm (VPN-Users). <----- REALM website is accessed
[327:root:b5]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.
[327:root:b5]sslvpn_validate_user_group_list:1978 checking rule 1 realm.
[327:root:b5]sslvpn_validate_user_group_list:1989 checking rule 1 source intf.
[327:root:b5]sslvpn_validate_user_group_list:2028 checking rule 1 vd source intf.
[327:root:b5]sslvpn_validate_user_group_list:2570 rule 1 done, got user (0:0) group (0:0) peer group (0).
[327:root:b5]sslvpn_validate_user_group_list:2864 got user (0:0), group (0:0) peer group (0).
[327:root:b5]sslvpn_update_user_group_list:1792 got user (0:0), group (0:0), peer group (0) after update.
[327:root:b5]no valid user or group candidate found.
[327:root:b5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user] <----- User/User Group verification failed.
[327:root:b5]req: /remote/login?realm=VPN-Users&err=sslvpn
Solution:
Check the firewall policy for the SSL VPN interface and the Source User/User Group it references.
Incorrect:
# config firewall policy
edit 1
set name "ssl_access"
set uuid 69878bf2-648d-51ed-aaa8-27f70ec92730
set srcintf "ssl.root"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set groups "Guest-group" <----- Incorrect User Group.
next
end
Correct:
# config firewall policy
edit 1
set groups "SSLVPN_user_group" <----- Correct User Group.
next
end
Other Possible reasons:
1) The user account is not configured on the FortiGate, irrespective of the user group mapping.
2) There could be a TYPO in the username.
3) Case sensitivity is enabled for the username:
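The two debug outputs above differ only in the realm field and in whether a local entry was matched. As an added example (not part of this article or of FortiOS), the following Python script reads a captured sslvpn debug and maps it to the causes discussed here; the line patterns are assumed to match the format shown above, and the sample lines are copied from the two scenarios with the annotations removed.

```python
import re

# Line shapes this article walks through. Assumption: the "[pid:vdom:id]func:line msg"
# layout stays stable across FortiOS builds; only these three lines are inspected.
RE_MATCHED = re.compile(r"rmt_logincheck_cb_handler:\d+ user '([^']+)' has a matched local entry")
RE_REALM = re.compile(r"validating with SSL VPN authentication rules \(\d+\), realm \(([^)]*)\)")
RE_FAILED = re.compile(r"login_failed:\d+ user\[([^\]]+)\],auth_type=\d+ failed \[([^\]]+)\]")


def diagnose(lines):
    """Map one SSL VPN login attempt's debug lines to the likely cause."""
    matched = False          # did rmt_logincheck find a local user entry?
    realm = failure = None   # realm seen by the auth rule check, failure code
    for line in lines:
        if RE_MATCHED.search(line):
            matched = True
        elif m := RE_REALM.search(line):
            realm = m.group(1)
        elif m := RE_FAILED.search(line):
            failure = m.group(2)
    if failure is None:
        return "no login_failed line in this capture"
    if failure != "sslvpn_login_unknown_user":
        return "other failure: " + failure
    if not matched:
        return "no local entry for the user: check account exists, spelling and case"
    if realm == "":
        return "realm empty: client used the root URL instead of the realm URL"
    return "realm reached but no user/group candidate: check firewall policy groups"


# Constructed samples, copied from the two scenarios above (annotations removed).
SCENARIO_1 = [
    "[327:root:a5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry.",
    "[327:root:a5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm ()",
    "[327:root:a5]no valid user or group candidate found",
    "[327:root:a5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user]",
]
SCENARIO_2 = [
    "[327:root:b5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry.",
    "[327:root:b5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm (VPN-Users).",
    "[327:root:b5]no valid user or group candidate found.",
    "[327:root:b5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user]",
]

if __name__ == "__main__":
    print(diagnose(SCENARIO_1))
    print(diagnose(SCENARIO_2))
```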
Copyright 2023 Fortinet, Inc. All Rights Reserved.