Troubleshooting Tip: User and Group behaviour in SSL VPN authentication Rule

This article describes how the local user entry or the group configuration in the firewall policy and SSL VPN setting behaves when a user tries to connect.

A firewall admin configures SSLVPN firewall policies for a specific user.

The SSL VPN authentication rule is for the entire LDAP group.

Those users are also part of that LDAP group. However, when the user tries to connect to SSLVPN, it fails.
The configuration looks like below:

User Imported from LDAP.

# config user local

    edit "prateek"

        set type ldap

        set ldap-server "My-LDAP"

    next

end

User Group.

# config user group

    edit "Domain Group"

        set member "My-LDAP"

# config match

    edit 1

        set server-name "My-LDAP"

        set group-name "CN=Domain Users,CN=Users,DC=SISCO,DC=com"

    next

end

Firewall Policy: (showing only important parameters).

# config firewall policy

    edit 1

        set name "SSL-to-LAN-Specific-User"

        set srcintf "ssl.root"

        set dstintf "port2"

        set action accept

        set srcaddr "SSLVPN_TUNNEL_ADDR1"

        set dstaddr "all"

        set users "prateek"

    next

    edit 2

        set name "All_other"

        set srcintf "ssl.root"

        set dstintf "port1"

        set action accept

        set srcaddr "SSLVPN_TUNNEL_ADDR1"

        set dstaddr "all"

        set nat enable

        set groups "Domain Group"

    next

end

SSL VPN Setting.

# config vpn ssl settings

    set servercert "self-sign"

    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"

    set source-interface "port1"

    set default-portal "web-access"

    config authentication-rule

        edit 1

            set groups "Domain Group"

            set portal "tunnel-access"

        next

    end

end

Here the default SSL portal is configured as Web-access.

A general understanding would be the user should be able to connect to the VPN with the FortiClient.

However, the debug says differently:

After authentication, the user would be mapped to the default portal.

Debug below:

# [2232:root:2]allocSSLConn:297 sconn 0x7ffa19d99e00 (0:root)

[2232:root:2]SSL state:before SSL initialization (10.5.27.2)

[2232:root:2]SSL state:before SSL initialization (10.5.27.2)

[2232:root:3]rmt_web_access_check:739 access failed, uri=[/remote/logincheck],ret=4103,

[2232:root:3]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])

[2232:root:3]rmt_logincheck_cb_handler:1285 user 'prateek' has a matched local entry.   <----- At this stage firewall found that the user matched local entry as  the user has been imported locally.

[2232:root:3]sslvpn_validate_user_group_list:1825 validating with SSL VPN authentication rules (1), realm ().   <---- Here the firewall is checking the SSL VPN authentication rule.

[2232:root:3]sslvpn_update_user_group_list:1771 got user (1:0), group (1:0), peer group (0) after update.      <---- Firewall checks the firewall policies for SSLVPN and add the user and group list.

[2232:root:3][fam_auth_send_req_internal:424] Groups sent to FNBAM:

[2232:root:3]group_desc[0].grpname = prateek

[2232:root:3]group_desc[1].grpname = Domain Group        <---- Firewall will only check authentication for both.

[1582] __group_match-User 'prateek' passed group matching

[1585] __group_match-Add matched user 'prateek'(16777218)

[1603] __group_match-Group 'Domain Group' passed group matching

[1606] __group_match-Add matched group 'Domain Group'(2)

[2690] fnbamd_ldap_result-Passed group matching

The above 5 lines define that the user and group are authenticated successfully.

[2232:root:3]Auth successful for user prateek

[2232:root:3]fam_do_cb:663 fnbamd return auth success.

[2232:root:3]SSL VPN login matched rule (0).   <---- After authentication firewall checks for the SSL VPN setting. As it did not find any rule for the user specifically it matched Rule '0' which is the default rule.

[2232:root:3]got public IP address: X.X.X.X

[2232:root:3]deconstruct_session_id:694 decode session id ok, user=[prateek], group=[],authserver=[My-LDAP],portal=[web-access],host[10.5.27.2],realm=[],csrf_token=[6254EE3AC06AF4B53A89C123D215C7],idx=0,auth=16,sid=38b70ccb,login=1638168992,access=1638168992,saml_logout_url=no,pip=X.X.X.X  <--- It is possible to see there is no Group info and the portal is web portal.

There are two types of Solutions available for such scenarios.

1) It is possible add the user-specific settings in the SSL VPN authentication rule.

It is the same way to map the user group with the SSL portal. 

Create a new rule for those users alone and map them to a single portal.

So as the above SSL Settings, it is necessay to add another rule like below:

# config vpn ssl settings

# config authentication-rule

    edit 1

        set groups "Domain Group"

        set portal "tunnel-access"

    next

        edit 2

            set user "prateek"

            set portal "tunnel-access"

        next

    end

2) The first solution could work if there are fewer users to configure.

If more and more users come, then it would be difficult to create numbers of rules under SSL Settings. 

Hence,  a user group is created in the firewall and add those imported users to the group, and then map the group to the SSL portal.

The configuration will look like below:

# config user group

    edit "SSL-Group"
        set member "prateek"
    next

end

# config vpn ssl settings

# config authentication-rule

    edit 1

        set groups "Domain Group"

         set portal "tunnel-access"

    next

        edit 1

            set groups "SSL-Group"

            set portal "tunnel-access"

        next
end