Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lgupta
Staff
Staff

Created on ‎12-01-2022 06:34 AM Edited on ‎10-24-2023 11:18 PM By Moderator

Article Id 232020

Troubleshooting Tip: SSL VPN Debugs Error: 'sslvpn_login_unknown_user'

Description

 

This article describes SSL VPN Debugs Error: 'sslvpn_login_unknown_use'.

 

In this scenario, Realm is configured. Output Scenario #2 is also valid for non-Realm configurations.

 

Scope

 

FortiGate.

 

Solution

 

User Scope: - Local.

Username: - test_user.

User Group: - SSLVPN_user_group.

 

SSL VPN configuration: 

 

FortiGate-KVM # config vpn ssl settings

 

FortiGate-KVM (settings) # show

    config vpn ssl settings

        set servercert "Fortinet_Factory"

        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"

        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"

        set port 4443

        set source-interface "port1"

        set source-address "all"

        set source-address6 "all"

        set default-portal "full-access"

            config authentication-rule

                edit 1

                    set groups "SSLVPN_user_group" <----- User Group.

                    set portal "full-access" <----- Portal name.

                    set realm "VPN-Users"  <----- Realm is mapped.

                next

            end

    end

 

Run the debugs:

 

diag debug disable

diag debug reset

diag debug application sslvpn -1

diag debug enable

 

Output scenario 1: Not Accessing Realm website.

 

[327:root:a5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0

[327:root:a5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry. <----- User Matched.

[327:root:a5]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy.< ---- Checking for User Group reference.

[327:root:a5]sslvpn_auth_check_usrgroup:3008 got user (0) group (1:0).

[327:root:a5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm ()   <----- REALM is empty, which means Realm website not accessed.

[327:root:a5]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.

[327:root:a5]sslvpn_validate_user_group_list:1978 checking rule 1 realm.

[327:root:a5]sslvpn_validate_user_group_list:2864 got user (0:0), group (0:0) peer group (0).

[327:root:a5]sslvpn_update_user_group_list:1792 got user (0:0), group (0:0), peer group (0) after update.

[327:root:a5]no valid user or group candidate found

[327:root:a5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user]<----- User/User Group verification failed.

[327:root:0]dump_one_blocklist:93 status=1;host=192.168.2.128;fails=1;logintime=1668480661

 

User FortiClient Settings:

 

lgupta_0-1669903676234.png

 

 

Solution:

When using Realm for Users/User Groups, make sure to access to the Realms.

 

Correct Remote Gateway: https://192.168.2.110:4443/VPN-Users

 

lgupta_1-1669903676235.png

 

Note :

SSL VPN Realms are 'Case Sensitive'.

 

Output scenario 2: Accessing Realm website.

 

[327:root:b5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0

[327:root:b5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry.  <----- User Matched.

[327:root:b5]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy.  <----- Checking for User Group reference.

[327:root:b5]sslvpn_auth_check_usrgroup:3008 got user (0) group (1:0).

[327:root:b5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm (VPN-Users).  <----- REALM website is accessed.

[327:root:b5]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.

[327:root:b5]sslvpn_validate_user_group_list:1978 checking rule 1 realm.

[327:root:b5]sslvpn_validate_user_group_list:1989 checking rule 1 source intf.

[327:root:b5]sslvpn_validate_user_group_list:2028 checking rule 1 vd source intf.

[327:root:b5]sslvpn_validate_user_group_list:2570 rule 1 done, got user (0:0) group (0:0) peer group (0).

[327:root:b5]sslvpn_validate_user_group_list:2864 got user (0:0), group (0:0) peer group (0).

[327:root:b5]sslvpn_update_user_group_list:1792 got user (0:0), group (0:0), peer group (0) after update.

[327:root:b5]no valid user or group candidate found.

[327:root:b5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user]  <----- User/User Group verification failed.

[327:root:b5]req: /remote/login?realm=VPN-Users&err=sslvpn

 

Solution:

Check for the Firewall Policy and the Source User/User Group.

 

Incorrect:

 

config firewall policy

    edit 1

        set name "ssl_access"

        set uuid 69878bf2-648d-51ed-aaa8-27f70ec92730

        set srcintf "ssl.root"

        set dstintf "port3"

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

        set groups "Guest-group" <----- Incorrect User Group.

    next

end

               

Correct:

 

config firewall policy

    edit 1

        set groups "SSLVPN_user_group" <----- Correct User Group,

    next

end

 

Other Possible reasons:

 

  1. The user account is not configured on the FortiGate, irrespective of the user group mapping.
  2. There could be a TYPO in the username.
  3. Case sensitivity is enabled for the username: Technical Tip: Local user, username case sensitivity and accent sensitivity.
  4. The user may be behind FortiGate and have GEO restrictions.
11649
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.