FortiGate
lgupta
Staff
Article Id 232020
Description

This article describes potential causes for the 'sslvpn_login_unknown_user' error seen in the SSL VPN process (sslvpnd) debug output. In these scenarios, assume that SSL VPN Realms are configured, though Scenario #2 is also valid for non-Realm configurations.

Scope

FortiGate.

Solution

User Scope: Local.
Username: test_user.
User Group: SSLVPN_user_group.

SSL VPN configuration:


FortiGate-KVM # show vpn ssl settings
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 4443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "SSLVPN_user_group" <----- User Group.
            set portal "full-access"       <----- Portal name.
            set realm "VPN-Users"          <----- Realm is mapped.
        next
    end
end

Run the debugs:

diagnose debug disable
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug enable

Note:
To stop the debug, run the following commands:

diagnose debug disable
diagnose debug reset

Output scenario 1: Accessing the SSL VPN without specifying a Realm:

[327:root:a5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
[327:root:a5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry. <----- User matched.
[327:root:a5]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy. <----- Checking for User Group reference.
[327:root:a5]sslvpn_auth_check_usrgroup:3008 got user (0) group (1:0).
[327:root:a5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm () <----- 'realm' is empty, which means that the Realm was not specified/accessed.
[327:root:a5]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.
[327:root:a5]sslvpn_validate_user_group_list:1978 checking rule 1 realm.
[327:root:a5]sslvpn_validate_user_group_list:2864 got user (0:0), group (0:0) peer group (0).
[327:root:a5]sslvpn_update_user_group_list:1792 got user (0:0), group (0:0), peer group (0) after update.
[327:root:a5]no valid user or group candidate found
[327:root:a5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user] <----- User/User Group verification failed.
[327:root:0]dump_one_blocklist:93 status=1;host=192.168.2.128;fails=1;logintime=1668480661

User FortiClient Settings: (screenshot of the FortiClient Remote Gateway field)

Solution:
When using Realm for Users/User Groups, make sure that the client software (either FortiClient's Remote Gateway field or a web browser's URL) includes the correct Realm.

Correct Remote Gateway: https://192.168.2.110:4443/VPN-Users
(screenshot of the corrected FortiClient Remote Gateway field)

Note:
SSL VPN Realms are case-sensitive (e.g., 'VPN-Users' vs. 'vpn-users'). If the incorrect case is used, the Realm will not be matched, and connections/authentication will instead match the default Realm.

Output scenario 2: Accessing the SSL VPN using the correct Realm:

[327:root:b5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
[327:root:b5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry. <----- User matched.
[327:root:b5]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy. <----- Checking for User Group reference.
[327:root:b5]sslvpn_auth_check_usrgroup:3008 got user (0) group (1:0).
[327:root:b5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm (VPN-Users). <----- The Realm is specified this time.
[327:root:b5]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.
[327:root:b5]sslvpn_validate_user_group_list:1978 checking rule 1 realm.
[327:root:b5]sslvpn_validate_user_group_list:1989 checking rule 1 source intf.
[327:root:b5]sslvpn_validate_user_group_list:2028 checking rule 1 vd source intf.
[327:root:b5]sslvpn_validate_user_group_list:2570 rule 1 done, got user (0:0) group (0:0) peer group (0).
[327:root:b5]sslvpn_validate_user_group_list:2864 got user (0:0), group (0:0) peer group (0).
[327:root:b5]sslvpn_update_user_group_list:1792 got user (0:0), group (0:0), peer group (0) after update.
[327:root:b5]no valid user or group candidate found.
[327:root:b5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user] <----- User/User Group verification still failed.
[327:root:b5]req: /remote/login?realm=VPN-Users&err=sslvpn

Solution:
Check the Firewall Policies related to the SSL VPN and confirm that the desired User/User Group has been included.

Incorrect:

config firewall policy
    edit 1
        set name "ssl_access"
        set srcintf "ssl.root"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set groups "Guest-group" <----- User Group list is missing 'SSLVPN_user_group'.
    next
end

Correct:

config firewall policy
    edit 1
        set groups "SSLVPN_user_group" <----- Correct user group.
    next
end

Output scenario 3: LDAP user logging in to FortiClient:

[296:InternetFW:1e0]sslvpn_authenticate_user:203 authenticate user: [fortinet]
[296:InternetFW:1e0]sslvpn_authenticate_user:221 create fam state
[296:InternetFW:1e0][fam_auth_send_req_internal:432] Groups sent to FNBAM:
[296:InternetFW:1e0]group_desc[0].grpname = SSLVPN-LDAP-Group
[296:InternetFW:1e0][fam_auth_send_req_internal:444] FNBAM opt = 0X200421
[296:InternetFW:1e0]fam_auth_send_req_internal:513 fnbam_auth return: 4
[296:InternetFW:1e0]fam_auth_send_req:1011 task finished with 4
[296:InternetFW:1e0]fam_auth_proc_resp:1365 fnbam_auth_update_result return: 5 ((null))
[296:InternetFW:1e0][fam_auth_proc_resp:1371] An error happened updating the FNBAM response.
[296:InternetFW:1e0][fam_auth_proc_resp:1505] Authenticated groups (3) by FNBAM with auth_type (1):
[296:InternetFW:1e0]Received: auth_rsp_data.grp_list[0] = 0
[296:InternetFW:1e0]Received: auth_rsp_data.grp_list[1] = 0
[296:InternetFW:1e0]Received: auth_rsp_data.grp_list[2] = 13652720
[296:InternetFW:1e0]login_failed:480 user[fortinet],auth_type=1 failed [sslvpn_login_unknown_user]

Solution:
This can be observed when the FortiGate is upgraded to v7.4.4 or later, as there has been a change in behavior with regard to LDAPS requirements. If LDAPS/STARTTLS is configured, it is now mandatory to have the CA certificate of the LDAPS server imported onto the FortiGate and used in the configuration; otherwise, LDAPS authentication will no longer work.

Additionally, if 'Server identity check' is enabled, then the 'Server IP/Name' field must be set to an FQDN/IP that is included in the certificate's Common Name (CN) or Subject Alternative Name (SAN) fields. To import the CA certificate from the LDAP server, refer to Technical Tip: Configuring LDAP over SSL (LDAPS).

If the CA certificate cannot be imported immediately, then LDAPS can be disabled as a workaround (assuming the LDAP server still supports plaintext LDAP). This can be done by disabling 'Secure Connection' from the GUI or CLI, as per the following steps:

From the GUI:
Navigate to User & Authentication -> LDAP Servers, select the LDAP server entry, then toggle off Secure Connection.

From the CLI:

config user ldap
    edit "fortinetLDAP"
        set secure disable
    next
end
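As an added triage helper (not part of this article or of FortiOS), the following Python script classifies a captured 'diagnose debug application sslvpn -1' transcript into the three scenarios above, keyed on the same sslvpnd lines the article quotes. It assumes the operator passes in the realm names configured on the FortiGate; the realm case-mismatch verdict is a heuristic added here for the case-sensitivity note.

```python
import re

# Patterns lifted from the sslvpnd debug lines quoted in this article.
RE_MATCHED = re.compile(r"user '([^']+)' has a matched local entry")
RE_REALM = re.compile(r"authentication rules \((\d+)\), realm \(([^)]*)\)")
RE_FNBAM_ERR = re.compile(r"An error happened updating the FNBAM response")
RE_FAIL = re.compile(r"login_failed:\d+ user\[([^\]]+)\],auth_type=(\d+) failed \[([^\]]+)\]")

def triage(debug_lines, configured_realms=()):
    """Return (verdict, details) for one sslvpnd login attempt.

    Verdicts map to the article's scenarios: 'realm_missing' (1),
    'policy_group_missing' (2), 'ldap_backend' (3); 'realm_case_mismatch'
    covers the case-sensitivity note. configured_realms is assumed to be
    the set of realm names the operator read from the FortiGate config.
    """
    d = {"user": None, "reason": None, "realm": None, "rules": 0,
         "local_match": False, "fnbam_error": False}
    for line in debug_lines:
        if m := RE_MATCHED.search(line):
            d["local_match"], d["user"] = True, m.group(1)
        if m := RE_REALM.search(line):
            d["rules"], d["realm"] = int(m.group(1)), m.group(2)
        if RE_FNBAM_ERR.search(line):
            d["fnbam_error"] = True
        if m := RE_FAIL.search(line):
            d["user"], d["reason"] = m.group(1), m.group(3)
    if d["reason"] != "sslvpn_login_unknown_user":
        return "other", d
    if d["fnbam_error"]:
        return "ldap_backend", d          # scenario 3: LDAPS CA cert / identity check
    if d["realm"] == "" and d["rules"] > 0:
        return "realm_missing", d         # scenario 1: client URL/gateway lacks the realm
    if d["realm"] and configured_realms and d["realm"] not in configured_realms:
        if d["realm"].lower() in {r.lower() for r in configured_realms}:
            return "realm_case_mismatch", d   # heuristic: differs only in case
        return "realm_unknown", d
    if d["local_match"]:
        return "policy_group_missing", d  # scenario 2: firewall policy lacks the group
    return "undetermined", d

# Constructed sample, trimmed from the article's scenario 1 output.
SCENARIO1 = [
    "[327:root:a5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry.",
    "[327:root:a5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm ()",
    "[327:root:a5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user]",
]

if __name__ == "__main__":
    print(triage(SCENARIO1, ("VPN-Users",))[0])
```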

 

Other possible causes for 'sslvpn_login_unknown_user':

  1. The user account is not configured on the FortiGate, irrespective of the user group mapping.
  2. The entered username has a typo, or case-sensitivity is enabled for the username (see also: Technical Tip: Local user, username case sensitivity and accent sensitivity).
  3. The SSL VPN may have Geo-IP restrictions that require the user to connect from an allowed IP (this can also impact users who are connecting from behind the FortiGate using a private IP).
  4. Secure LDAP is used and failed to establish an SSL connection with the error '[1101] __ldap_connect-tcps_connect(x.x.x.x) failed: ssl_connect() failed: 167772498'. There are multiple possible reasons for this error, and further troubleshooting may be required. A workaround can be implemented by temporarily using LDAP instead of LDAPS.
  5. There may be an authentication timeout on the RADIUS server when using Duo or other multi-factor authentication (MFA) solutions. To resolve this, increase the remote authentication timeout on the FortiGate:

     config system global
         set remoteauthtimeout 20
     end

  6. The error message may also occur if the ciphersuite under 'config vpn ssl settings' has a lower strength than the ciphersuite in the authentication rule, which by default is 168 bits. For example:

     config vpn ssl settings
     ...
         set ciphersuite TLS-AES-128-GCM-SHA256
     ...
     end

     In this case, the solution is to increase the strength of the ciphersuite to a higher value (>= 168 bits), or unset the ciphersuite to the default value.

  7. The authentication rule has a source-interface configured that is different from the incoming traffic interface. This overrides the source-interface under 'config vpn ssl settings' and will return sslvpn_login_unknown_user:

     config vpn ssl settings
         set source-interface "wan1"
         config authentication-rule
             edit 1
                 set users "guest"
                 set portal "tunnel-access"
                 set source-interface "port1"
             next
         end
     end

  8. Using a different LDAP username format than the one configured on the FortiGate. Refer to this KB article for more details: Technical Tip: Username format for LDAP authentication.

Related articles:

Technical Tip: SSL VPN with LDAP user authentication - Credential check passes in FortiGate but fail...

Technical Tip: Configuring LDAP over SSL (LDAPS)

Technical Tip: LDAPS connections no longer work after update to v7.4.4

Technical Tip: LDAPS/STARTTLS certificate issuer enforcement