FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lgupta
Staff
Staff
Description

 

This article describes SSL VPN Debugs Error: 'sslvpn_login_unknown_use'.

 

In this scenario, Realm is configured. Output Scenario #2 is also valid for non-Realm configurations.

 

Scope

 

FortiGate.

 

Solution

 

User Scope: - Local

Username: - test_user

User Group: - SSLVPN_user_group

 

SSL VPN configuration: 

 

FortiGate-KVM # config vpn ssl settings

 

FortiGate-KVM (settings) # show

config vpn ssl settings

    set servercert "Fortinet_Factory"

    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"

    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"

    set port 4443

    set source-interface "port1"

    set source-address "all"

    set source-address6 "all"

    set default-portal "full-access"

    config authentication-rule

        edit 1

            set groups "SSLVPN_user_group" <----- User Group.

            set portal "full-access" <----- Portal name.

            set realm "VPN-Users"  <----- Realm is mapped.

        next

    end

end

 

Run the debugs:

 

# diag debug disable

# diag debug reset

# diag debug application sslvpn -1

# diag debug enable

 

Output scenario 1: Not Accessing Realm website.

 

[327:root:a5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0

[327:root:a5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry. <----- User Matched.

[327:root:a5]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy.   < ---- Checking for User Group reference

[327:root:a5]sslvpn_auth_check_usrgroup:3008 got user (0) group (1:0).

[327:root:a5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm ()   <----- REALM is empty, which means Realm website not accessed.

[327:root:a5]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.

[327:root:a5]sslvpn_validate_user_group_list:1978 checking rule 1 realm.

[327:root:a5]sslvpn_validate_user_group_list:2864 got user (0:0), group (0:0) peer group (0).

[327:root:a5]sslvpn_update_user_group_list:1792 got user (0:0), group (0:0), peer group (0) after update.

[327:root:a5]no valid user or group candidate found

[327:root:a5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user]<----- User/User Group verification failed.

[327:root:0]dump_one_blocklist:93 status=1;host=192.168.2.128;fails=1;logintime=1668480661

 

User FortiClient Settings:

 

lgupta_0-1669903676234.png

 

 

Solution:

When using Realm for Users/User Groups, make sure to access to the Realms.

 

Correct Remote Gateway: https://192.168.2.110:4443/VPN-Users

 

lgupta_1-1669903676235.png

 

Note :

SSL VPN Realms are 'Case Sensitive'.

 

 

Output scenario 2: Accessing Realm website.

 

[327:root:b5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0

[327:root:b5]rmt_logincheck_cb_handler:1283 user 'test_user' has a matched local entry.  <----- User Matched.

[327:root:b5]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy.  <----- Checking for User Group reference.

[327:root:b5]sslvpn_auth_check_usrgroup:3008 got user (0) group (1:0).

[327:root:b5]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm (VPN-Users).  <----- REALM website is accessed

[327:root:b5]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.

[327:root:b5]sslvpn_validate_user_group_list:1978 checking rule 1 realm.

[327:root:b5]sslvpn_validate_user_group_list:1989 checking rule 1 source intf.

[327:root:b5]sslvpn_validate_user_group_list:2028 checking rule 1 vd source intf.

[327:root:b5]sslvpn_validate_user_group_list:2570 rule 1 done, got user (0:0) group (0:0) peer group (0).

[327:root:b5]sslvpn_validate_user_group_list:2864 got user (0:0), group (0:0) peer group (0).

[327:root:b5]sslvpn_update_user_group_list:1792 got user (0:0), group (0:0), peer group (0) after update.

[327:root:b5]no valid user or group candidate found.

[327:root:b5]login_failed:391 user[test_user],auth_type=32768 failed [sslvpn_login_unknown_user]  <----- User/User Group verification failed.

[327:root:b5]req: /remote/login?realm=VPN-Users&err=sslvpn

 

Solution:

 

Check for the Firewall Policy and the Source User/User Group.

 

Incorrect:

 

# config firewall policy

    edit 1

        set name "ssl_access"

        set uuid 69878bf2-648d-51ed-aaa8-27f70ec92730

        set srcintf "ssl.root"

        set dstintf "port3"

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

        set groups "Guest-group" <----- Incorrect User Group.

    next

end

               

Correct:

 

# config firewall policy

    edit 1

        set groups "SSLVPN_user_group" <----- Correct User Group,

    next

end

 

Other Possible reasons:

 

1) The user account is not configured on the FortiGate, irrespective of the user group mapping.

2) There could be a TYPO in the username.

3) Case sensitivity is enabled for the username:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-user-username-case-sensitivity-and-a...

Contributors