svkamleshkumar
Article Id 409899
Description

This article describes a configuration issue in which the SSL VPN tunnel fails to establish when the set ip-mode user-group option is enabled in the SSL VPN portal settings, and no RADIUS server is configured to assign an IP address to the user.

Scope

FortiOS.

Solution

When the setting set ip-mode user-group (available only through the CLI) is enabled under the SSL VPN portal configuration, SSL VPN users connecting to a FortiGate device can be assigned an IP address directly by the RADIUS server using the Framed-IP-Address attribute, rather than assigning an address from a local IP pool (set ip-mode range) or from an external DHCP server (set ip-mode dhcp).
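The dependency described above can be checked at the protocol level. The following Python is an added example, not FortiOS code or part of this article: it builds a RADIUS Access-Accept the way a server would (RFC 2865: code 2, Framed-IP-Address is attribute type 8), verifies the Response Authenticator, and reports whether the reply carries a usable tunnel address. The shared secret, request authenticator, identifier and the two constructed replies are assumed sample values; the tunnel IP 10.212.134.201 is reused from the article's working log.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2865 values used below.
ACCESS_ACCEPT = 2
ATTR_FRAMED_IP_ADDRESS = 8
# RFC 2865 reserves two Framed-IP-Address values that carry no address:
# 0xFFFFFFFF (user chooses) and 0xFFFFFFFE (NAS chooses). Neither satisfies
# a portal running in ip-mode user-group.
NO_SERVER_ASSIGNED_IP = {b"\xff\xff\xff\xff", b"\xff\xff\xff\xfe"}

# Constructed sample values (not from the article).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))  # Request Authenticator copied from the Access-Request


def build_access_accept(identifier, request_authenticator, secret, framed_ip=None):
    """Build an Access-Accept as a RADIUS server would.

    framed_ip=None models a server that is not configured to return
    Framed-IP-Address, which is the case this article diagnoses.
    """
    attrs = b""
    if framed_ip is not None:
        packed = ipaddress.IPv4Address(framed_ip).packed
        attrs += struct.pack("!BB", ATTR_FRAMED_IP_ADDRESS, 2 + len(packed)) + packed
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """True only if the reply was produced with the shared secret for this request."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return (code, {attribute type: [value bytes, ...]}) after checking TLV lengths."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def tunnel_ip_from_accept(packet, request_authenticator, secret):
    """Return the tunnel IP a user-group portal would use, or None when the
    Access-Accept carries no usable Framed-IP-Address (the -455 case)."""
    if not verify_response_authenticator(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    values = attrs.get(ATTR_FRAMED_IP_ADDRESS, [])
    if not values or len(values[0]) != 4 or values[0] in NO_SERVER_ASSIGNED_IP:
        return None
    return str(ipaddress.IPv4Address(values[0]))


if __name__ == "__main__":
    good = build_access_accept(7, REQ_AUTH, SECRET, "10.212.134.201")
    bad = build_access_accept(7, REQ_AUTH, SECRET)
    print("Access-Accept with Framed-IP-Address   :", tunnel_ip_from_accept(good, REQ_AUTH, SECRET))
    print("Access-Accept without Framed-IP-Address:", tunnel_ip_from_accept(bad, REQ_AUTH, SECRET))
```

Feeding a reply captured between the FortiGate and the RADIUS server into tunnel_ip_from_accept (with the matching Access-Request authenticator and secret) separates an authentication problem from the attribute problem this article covers: a valid Access-Accept that yields None is exactly the reply that produces the 'Permission denied (-455)' result on a user-group portal.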

However, if the framed IP assignment fails (for example, because the RADIUS server is not configured to return this attribute), FortiClient may display a 'Permission denied (-455)' error even though the credentials are correct, and the VPN connection is not established. The cause can be confirmed by reviewing the SSL VPN debug output on the FortiGate, as shown below.

Debug commands:

diagnose debug application sslvpn -1
diagnose debug enable

Output:

[176:root:f92]Validated: auth_rsp_data.grp_list[0] = VPN_Users_Group
[176:root:f92]Auth successful for user test.user in group VPN_Users_Group
[176:root:f92]SSL VPN interface [tunnel-mode] requires radius to provide a tunnel IP.
[176:root:f92]login_failed:405 user[test.user],auth_type=2 failed [sslvpn_login_permission_denied]

In this example, authentication itself succeeds, but the RADIUS server does not return the Framed-IP-Address attribute required to assign a tunnel IP address to the SSL VPN user, so the login is rejected. The set ip-mode user-group setting is only visible and configurable through the CLI.

FortiGate # config vpn ssl web portal
FortiGate (portal) # edit tunnel-mode
FortiGate (tunnel-mode) # set ip-mode ?
range        Use the IP addresses available for all SSL-VPN users as defined by the SSL settings command.
user-group   Use the IP addresses associated with individual users or user groups (usually from external auth servers).
dhcp         Use IP addresses obtained from external DHCP server.
no-ip        Do not assign IP address.

FortiGate (tunnel-mode) # show
config vpn ssl web portal
    edit "tunnel-mode"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set ip-mode user-group
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
        set dns-server1 1.1.1.1
        set dns-server2 8.8.8.8
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
end

To avoid running into this issue, ensure that the RADIUS attributes are configured correctly on the RADIUS server side. The following KB articles discuss the process for a few different RADIUS servers:

Below is sample debug output from a working scenario, in which the RADIUS server provides an IP address to the SSL VPN user via the Framed-IP-Address attribute:

[242:root:2b]Validated: auth_rsp_data.grp_list[0] = VPN_Users_Group
[242:root:2b]Auth successful for user test.user in group VPN_Users_Group
[242:root:2b]user test.user got framed IP 10.212.134.201
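The failing and working debug outputs above differ in one line each, which makes them easy to triage automatically. The following Python is an added example, not part of this article or of FortiOS: it groups sslvpn debug lines by session id (the third field of the leading [pid:vdom:session] tag), extracts the user, group, portal and framed IP, and returns a verdict per session. The two sample texts are constructed copies of the article's own output; the line patterns are assumptions based only on those lines.

```python
import re

# Constructed sample debug text, modelled on the output shown in this article.
FAILED_DEBUG = """\
[176:root:f92]Validated: auth_rsp_data.grp_list[0] = VPN_Users_Group
[176:root:f92]Auth successful for user test.user in group VPN_Users_Group
[176:root:f92]SSL VPN interface [tunnel-mode] requires radius to provide a tunnel IP.
[176:root:f92]login_failed:405 user[test.user],auth_type=2 failed [sslvpn_login_permission_denied]
"""

WORKING_DEBUG = """\
[242:root:2b]Validated: auth_rsp_data.grp_list[0] = VPN_Users_Group
[242:root:2b]Auth successful for user test.user in group VPN_Users_Group
[242:root:2b]user test.user got framed IP 10.212.134.201
"""

# Leading "[pid:vdom:session]" tag that every line in the samples carries.
LINE_RE = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<sid>[0-9a-f]+)\](?P<msg>.*)$")
AUTH_OK_RE = re.compile(r"Auth successful for user (?P<user>\S+) in group (?P<group>\S+)")
REQUIRES_RE = re.compile(r"SSL VPN interface \[(?P<portal>[^\]]+)\] requires radius to provide a tunnel IP")
FRAMED_RE = re.compile(r"user (?P<user>\S+) got framed IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
FAILED_RE = re.compile(r"login_failed:\d+ user\[(?P<user>[^\]]+)\].*\[(?P<reason>\w+)\]")


def classify_sessions(debug_text):
    """Return {session id: facts + verdict} for every session seen in the text."""
    sessions = {}
    for line in debug_text.splitlines():
        tag = LINE_RE.match(line.strip())
        if not tag:
            continue  # not an sslvpn debug line; ignore
        s = sessions.setdefault(tag["sid"], {
            "user": None, "group": None, "portal": None,
            "framed_ip": None, "reason": None, "auth_ok": False,
        })
        msg = tag["msg"]
        m = AUTH_OK_RE.search(msg)
        if m:
            s["auth_ok"], s["user"], s["group"] = True, m["user"], m["group"]
            continue
        m = REQUIRES_RE.search(msg)
        if m:
            s["portal"] = m["portal"]  # portal runs in ip-mode user-group
            continue
        m = FRAMED_RE.search(msg)
        if m:
            s["user"], s["framed_ip"] = m["user"], m["ip"]
            continue
        m = FAILED_RE.search(msg)
        if m:
            s["user"], s["reason"] = m["user"], m["reason"]

    for s in sessions.values():
        if s["framed_ip"]:
            s["verdict"] = "tunnel_ip_assigned"
        elif s["portal"] and s["reason"] == "sslvpn_login_permission_denied":
            # Credentials were accepted; only the Framed-IP-Address was missing.
            s["verdict"] = "radius_missing_framed_ip"
        elif s["reason"]:
            s["verdict"] = "login_failed:" + s["reason"]
        else:
            s["verdict"] = "incomplete"
    return sessions


if __name__ == "__main__":
    for text in (FAILED_DEBUG, WORKING_DEBUG):
        for sid, s in classify_sessions(text).items():
            print(sid, s["user"], s["portal"], s["framed_ip"], "->", s["verdict"])
```

A session reported as radius_missing_framed_ip is the pattern this article describes: the group lookup and authentication succeed, the portal demands a RADIUS-supplied address, and the login is then refused with sslvpn_login_permission_denied. A session with any other login_failed reason points at credentials or group membership rather than the ip-mode setting.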

Alternatively, configure the FortiGate to assign tunnel IP addresses itself by setting the SSL VPN portal's ip-mode to range (the default mode), which uses the IP pool defined locally on the FortiGate in the portal settings.

config vpn ssl web portal
    edit "tunnel-mode"
        set ip-mode range
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end