Created on 11-29-2021 05:35 AM, edited on 08-21-2024 05:27 AM by Jean-Philippe_P
Description

This article describes how a local user entry and a group configured in the firewall policy and the SSL VPN settings behave when a user tries to connect. In the scenario below, the SSL VPN authentication rule is defined for the entire LDAP group and the user is a member of that LDAP group, yet the SSL VPN connection fails.
Local user:

    config user local
        edit "prateek"
            set type ldap
            set ldap-server "My-LDAP"
        next
    end
User group:

    config user group
        edit "Domain Group"
            set member "My-LDAP"
            config match
                edit 1
                    set server-name "My-LDAP"
                    set group-name "CN=Domain Users,CN=Users,DC=SISCO,DC=com"
                next
            end
        next
    end
Firewall policy (showing only the important parameters):

    config firewall policy
        edit 1
            set name "SSL-to-LAN-Specific-User"
            set srcintf "ssl.root"
            set dstintf "port2"
            set action accept
            set srcaddr "SSLVPN_TUNNEL_ADDR1"
            set dstaddr "all"
            set users "prateek"
        next
        edit 2
            set name "All_other"
            set srcintf "ssl.root"
            set dstintf "port1"
            set action accept
            set srcaddr "SSLVPN_TUNNEL_ADDR1"
            set dstaddr "all"
            set nat enable
            set groups "Domain Group"
        next
    end
SSL VPN settings:

    config vpn ssl settings
        set servercert "self-sign"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set source-interface "port1"
        set default-portal "web-access"
        config authentication-rule
            edit 1
                set groups "Domain Group"
                set portal "tunnel-access"
            next
        end
    end
Here the default SSL portal is configured as web-access, while "Domain Group" is mapped to the tunnel-access portal. The general expectation would be that the user can connect to the VPN with FortiClient.

However, the debug shows otherwise: after authentication, the user is mapped to the default portal.

Debug output:
    [2232:root:2]allocSSLConn:297 sconn 0x7ffa19d99e00 (0:root)
    [2232:root:2]SSL state:before SSL initialization (10.5.27.2)
    [2232:root:2]SSL state:before SSL initialization (10.5.27.2)
    [2232:root:3]rmt_web_access_check:739 access failed, uri=[/remote/logincheck],ret=4103,
    [2232:root:3]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
    [2232:root:3]rmt_logincheck_cb_handler:1285 user 'prateek' has a matched local entry.
    <----- At this stage the firewall finds that the user matches a local entry, because the user has been imported locally.
    [2232:root:3]sslvpn_validate_user_group_list:1825 validating with SSL VPN authentication rules (1), realm ().
    <----- Here the firewall checks the SSL VPN authentication rules.
    [2232:root:3]sslvpn_update_user_group_list:1771 got user (1:0), group (1:0), peer group (0) after update.
    <----- The firewall checks the firewall policies for SSL VPN and builds the user and group list.
    [2232:root:3][fam_auth_send_req_internal:424] Groups sent to FNBAM:
    [2232:root:3]group_desc[0].grpname = prateek
    [2232:root:3]group_desc[1].grpname = Domain Group
    <----- The firewall checks authentication for both the user and the group.
    [1582] __group_match-User 'prateek' passed group matching
    [1585] __group_match-Add matched user 'prateek'(16777218)
    [1603] __group_match-Group 'Domain Group' passed group matching
    [1606] __group_match-Add matched group 'Domain Group'(2)
    [2690] fnbamd_ldap_result-Passed group matching
    <----- The above 5 lines show that the user and the group were authenticated successfully.
    [2232:root:3]Auth successful for user prateek
    [2232:root:3]fam_do_cb:663 fnbamd return auth success.
    [2232:root:3]SSL VPN login matched rule (0).
    <----- After authentication the firewall checks the SSL VPN settings. Because it found no rule for the user specifically, it matched rule 0, which is the default rule.
    [2232:root:3]got public IP address: X.X.X.X
    [2232:root:3]deconstruct_session_id:694 decode session id ok, user=[prateek], group=[],authserver=[My-LDAP],portal=[web-access],host[10.5.27.2],realm=[],csrf_token=[6254EE3AC06AF4B53A89C123D215C7],idx=0,auth=16,sid=38b70ccb,login=1638168992,access=1638168992,saml_logout_url=no,pip=X.X.X.X
    <----- Note that there is no group information and the portal is the web portal.
Scope

FortiGate.
Solution

Two types of solution are available for such scenarios. Both follow the same approach used to map the user group to an SSL portal: create a new authentication rule for those users alone and map them to a single portal.

With the SSL VPN settings above, add a second rule like the one below:
    config vpn ssl settings
        config authentication-rule
            edit 1
                set groups "Domain Group"
                set portal "tunnel-access"
            next
            edit 2
                set users "prateek"
                set portal "tunnel-access"
            next
        end
    end
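The matching behaviour the debug shows, as an added example that is not part of the original article: a small Python model of the authentication-rule lookup (a simplification, assumed first-match, not FortiOS code) plus a parser for the deconstruct_session_id debug line, so a session that landed on the default portal with an empty group can be spotted in captured debug output. The sample line is constructed in the shape of the one above; its token and addresses are placeholders.

```python
import re

# Constructed sample in the shape of the deconstruct_session_id debug line above
# (token and addresses are placeholders, not values from a real session).
SAMPLE_LINE = (
    "[2232:root:3]deconstruct_session_id:694 decode session id ok, user=[prateek], "
    "group=[],authserver=[My-LDAP],portal=[web-access],host[10.5.27.2],realm=[],"
    "csrf_token=[PLACEHOLDER],idx=0,auth=16,sid=38b70ccb,login=1638168992,"
    "access=1638168992,saml_logout_url=no,pip=X.X.X.X"
)

# key=[value] fields; host[...] has no '=' and is intentionally not captured.
FIELD_RE = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_session(line):
    """Return the key=[value] fields of a deconstruct_session_id line as a dict."""
    return dict(FIELD_RE.findall(line))


def select_portal(rules, default_portal, user, group):
    """Simplified model (assumption) of authentication-rule matching as the debug
    shows it: the first rule naming the session's user, or its group, decides
    the portal; with no match the login falls to rule 0, the default portal."""
    for rule in rules:
        if user in rule.get("users", ()) or (group and group in rule.get("groups", ())):
            return rule["id"], rule["portal"]
    return 0, default_portal


def landed_on_default(line, default_portal):
    """True when a session carries no group and ended up on the default portal,
    which is the symptom this article describes."""
    s = parse_session(line)
    return s.get("group", "") == "" and s.get("portal") == default_portal


# Rules as configured in the article: only the LDAP group is mapped.
BEFORE = [{"id": 1, "groups": ["Domain Group"], "portal": "tunnel-access"}]
# Rules after the fix: a second rule maps the local user entry itself.
AFTER = BEFORE + [{"id": 2, "users": ["prateek"], "portal": "tunnel-access"}]

if __name__ == "__main__":
    session = parse_session(SAMPLE_LINE)
    print(select_portal(BEFORE, "web-access", session["user"], session["group"]))  # (0, 'web-access')
    print(select_portal(AFTER, "web-access", session["user"], session["group"]))   # (2, 'tunnel-access')
    print(landed_on_default(SAMPLE_LINE, "web-access"))  # True
```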