FortiGate
patras (Staff)
Article Id 199873
Description: This article describes why SSL VPN authentication rule matching may give an unintended portal when an individual user is configured on an SSL VPN firewall policy.
Scope: FortiGate.
Solution

Scenario:

  • A firewall administrator has configured an SSL VPN firewall policy for a specific user.
  • The SSL VPN authentication rule references a firewall group.
  • The user is a member of that group, but when the user connects to SSL VPN they do not get the portal assigned to that group.


An example configuration using LDAP groups follows.

The local user authenticating against an LDAP server:

 

config user local
    edit "prateek"
        set type ldap
        set ldap-server "My-LDAP"
    next
end

 

User Group:

 

config user group
    edit "Domain Group"
        set member "My-LDAP"
        config match
            edit 1
                set server-name "My-LDAP"
                set group-name "CN=Domain Users,CN=Users,DC=SISCO,DC=com"
            next
        end
    next
end

 

Firewall policies (showing only the relevant parameters):

 

config firewall policy
    edit 1
        set name "SSL-to-LAN-Specific-User"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set users "prateek"
    next
    edit 2
        set name "All_other"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set nat enable
        set groups "Domain Group"
    next
end

 

SSL VPN settings:

 

config vpn ssl settings
    set servercert "self-sign"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "port1"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "Domain Group"
            set portal "tunnel-access"
        next
    end
end

Note that this example keeps the built-in 'self-sign' server certificate, which VPN clients cannot validate against a trusted CA. In production, use a certificate issued by a CA the clients trust so that users are not trained to click through certificate warnings.

 

Result:

  • If firewall policy 1 did not exist or were disabled, user 'prateek' would match 'Domain Group' and get the 'tunnel-access' SSL VPN portal. Because the user is named in at least one SSL VPN firewall policy, FortiGate evaluates the authentication rules against the individual user, not against the user's groups.
  • Since no authentication rule references the user 'prateek', the client receives the default portal, the one shown in the GUI as "All Other Users/Groups" (default-portal in the CLI). In this configuration that is 'web-access'.

 

Diagnostics from a connection attempt:

diagnose debug application sslvpn -1

diagnose debug enable
#<output omitted>

[2232:root:2]allocSSLConn:297 sconn 0x7ffa19d99e00 (0:root)
[2232:root:2]SSL state:before SSL initialization (10.5.27.2)
[2232:root:2]SSL state:before SSL initialization (10.5.27.2)
[2232:root:3]rmt_web_access_check:739 access failed, uri=[/remote/logincheck],ret=4103,
[2232:root:3]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[2232:root:3]rmt_logincheck_cb_handler:1285 user 'prateek' has a matched local entry.   <---- FortiGate found a local firewall user with the same name.
[2232:root:3]sslvpn_validate_user_group_list:1825 validating with SSL VPN authentication rules (1), realm ().   <---- The SSL VPN authentication rules are evaluated here.
[2232:root:3]sslvpn_update_user_group_list:1771 got user (1:0), group (1:0), peer group (0) after update.   <---- The SSL VPN firewall policies are checked and the user and group lists are built from them.
[2232:root:3][fam_auth_send_req_internal:424] Groups sent to FNBAM:
[2232:root:3]group_desc[0].grpname = prateek
[2232:root:3]group_desc[1].grpname = Domain Group   <---- The credentials are checked against both entries.
[1582] __group_match-User 'prateek' passed group matching
[1585] __group_match-Add matched user 'prateek'(16777218)
[1603] __group_match-Group 'Domain Group' passed group matching
[1606] __group_match-Add matched group 'Domain Group'(2)
[2690] fnbamd_ldap_result-Passed group matching

The five lines above show that both the user and the group passed group matching, so authentication itself succeeded for both.

[2232:root:3]Auth successful for user prateek
[2232:root:3]fam_do_cb:663 fnbamd return auth success.
[2232:root:3]SSL VPN login matched rule (0).   <---- After authentication FortiGate evaluates the SSL VPN settings. No authentication rule names the user, so it matched rule 0, which is the default rule.
[2232:root:3]got public IP address: X.X.X.X
[2232:root:3]deconstruct_session_id:694 decode session id ok, user=[prateek], group=[],authserver=[My-LDAP],portal=[web-access],host[10.5.27.2],realm=[],csrf_token=[6254EE3AC06AF4B53A89C123D215C7],idx=0,auth=16,sid=38b70ccb,login=1638168992,access=1638168992,saml_logout_url=no,pip=X.X.X.X   <---- Because the match was made for the individual user, the session carries no group (group=[]) and the portal is the web-access portal.
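When this debug output has to be read from many connection attempts, the pattern above (user has a matched local entry, group passes matching, yet rule 0 is chosen and the session has no group) is easy to miss. The following Python script is an added illustration, not Fortinet tooling: it pulls the portal-deciding fields out of `diagnose debug application sslvpn -1` output and names the outcome. The line patterns are taken from the excerpt above; the sample log is constructed from it, and the session token is a placeholder.

```python
"""Triage 'diagnose debug application sslvpn -1' output for the default-portal
fallback described above. Added illustration, not Fortinet tooling: the line
patterns come from the debug excerpt in this article and the sample log is
constructed from it (the csrf_token value is a placeholder)."""
import re

# Constructed sample, condensed from the article's debug output.
SAMPLE_DEBUG = """\
[2232:root:3]rmt_logincheck_cb_handler:1285 user 'prateek' has a matched local entry.
[2232:root:3]sslvpn_validate_user_group_list:1825 validating with SSL VPN authentication rules (1), realm ().
[2232:root:3][fam_auth_send_req_internal:424] Groups sent to FNBAM:
[2232:root:3]group_desc[0].grpname = prateek
[2232:root:3]group_desc[1].grpname = Domain Group
[1603] __group_match-Group 'Domain Group' passed group matching
[2232:root:3]Auth successful for user prateek
[2232:root:3]SSL VPN login matched rule (0).
[2232:root:3]deconstruct_session_id:694 decode session id ok, user=[prateek], group=[],authserver=[My-LDAP],portal=[web-access],host[10.5.27.2],realm=[],csrf_token=[X],idx=0,auth=16
"""

LOCAL_ENTRY = re.compile(r"user '([^']+)' has a matched local entry")
FNBAM_GROUP = re.compile(r"group_desc\[\d+\]\.grpname = (.+?)\s*$")
PASSED_GROUP = re.compile(r"__group_match-Group '([^']+)' passed group matching")
MATCHED_RULE = re.compile(r"SSL VPN login matched rule \((\d+)\)")
SESSION = re.compile(r"decode session id ok, (.*)$")
SESSION_FIELD = re.compile(r"(\w+)=\[([^\]]*)\]")  # key=[value] pairs of the session line


def parse_sslvpn_debug(text):
    """Extract the fields that decide portal selection from the debug lines."""
    info = {"local_entry": None, "fnbam_groups": [], "passed_groups": [],
            "matched_rule": None, "session": {}}
    for line in text.splitlines():
        if m := LOCAL_ENTRY.search(line):
            info["local_entry"] = m.group(1)
        elif m := FNBAM_GROUP.search(line):
            info["fnbam_groups"].append(m.group(1))
        elif m := PASSED_GROUP.search(line):
            info["passed_groups"].append(m.group(1))
        elif m := MATCHED_RULE.search(line):
            info["matched_rule"] = int(m.group(1))
        elif m := SESSION.search(line):
            info["session"] = dict(SESSION_FIELD.findall(m.group(1)))
    return info


def classify(info):
    """Name the outcome. USER_MATCH_DEFAULT_PORTAL is the case this article is
    about: a user with a local entry passed group matching, yet rule 0 (the
    default) was chosen and the session carries no group."""
    sess = info["session"]
    if info["matched_rule"] is None:
        return "NO_RULE_MATCH_LINE"
    if info["matched_rule"] > 0:
        return "RULE_MATCHED"
    if info["local_entry"] and info["passed_groups"] and not sess.get("group"):
        return "USER_MATCH_DEFAULT_PORTAL"
    return "DEFAULT_PORTAL"


def explain(text):
    """One-line human explanation for a debug capture."""
    info = parse_sslvpn_debug(text)
    kind = classify(info)
    sess = info["session"]
    if kind == "USER_MATCH_DEFAULT_PORTAL":
        return (f"user '{info['local_entry']}' got default portal '{sess.get('portal')}' although "
                f"group(s) {info['passed_groups']} passed matching: the user is named on an SSL VPN "
                f"firewall policy, so authentication rules were matched by user; add a rule for the "
                f"user or switch the policy and rules to groups")
    return f"{kind}: rule={info['matched_rule']} portal={sess.get('portal')}"


if __name__ == "__main__":
    print(explain(SAMPLE_DEBUG))
```

Feed it a capture taken after applying one of the solutions below and the classification changes to RULE_MATCHED with the matched rule number and the 'tunnel-access' portal in the session line, which is the confirmation to look for.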

There are two general solutions, plus a note for users who are members of multiple groups.

 

Solution 1: Add the specific user in an SSL VPN authentication rule.


The configuration is the same as assigning an SSL VPN portal to a user group. In the example configuration above, adding an authentication rule for "prateek" assigns the intended 'tunnel-access' portal. After the change, the same debug output should show the login matching the new rule number instead of rule (0), and the deconstruct_session_id line should carry portal=[tunnel-access].

 

Example configuration:
 

config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Domain Group"
            set portal "tunnel-access"
        next
        edit 2
            set users "prateek"
            set portal "tunnel-access"
        next
    end
end


Solution 2: Remove the user from all SSL VPN firewall policies, and use firewall groups in policies and authentication rules.

Solution 1 does not scale well when many users are named on firewall policies or when they need different portals.

 

In such cases, it is recommended to configure groups based on the access required and use these groups in authentication rules and firewall policies instead of the individual users.

 

Example configuration:

 

config user group
    edit "SSL-Group"
        set member "prateek"
    next
end

 

config firewall policy
    edit 1
        set name "SSL-to-LAN-Specific-User"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        unset users
        set groups "SSL-Group"
    next
end

config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Domain Group"
            set portal "tunnel-access"
        next
        edit 2
            set groups "SSL-Group"
            set portal "tunnel-access"
        next
    end
end
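To check the Result section and both solutions side by side, the following Python script is an added illustration (it is not FortiOS code): it parses a condensed copy of the article's configuration and predicts the portal under the behaviour the article describes. The matching model, a user named on an SSL VPN policy is matched only against user rules while everyone else is matched against group rules in listed order with the first match winning, is an assumption taken from the Result section and the debug output, not from Fortinet documentation. The configuration text is constructed from the examples above.

```python
"""Predict which SSL VPN portal a user gets under the matching behaviour this
article describes. Added illustration, not FortiOS code: the model (a user named
on a policy is matched only against user rules; otherwise group rules apply in
listed order, first match wins) is an assumption taken from the article."""
import shlex


def parse_fortios(text):
    """Parse FortiOS 'config / edit / set / unset / next / end' text into nested
    dicts; 'set' values become token lists. Repeated blocks merge, so deltas append."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
        elif kw in ("next", "end"):
            stack.pop()
    return stack[0]


def users_named_in_ssl_policies(cfg):
    """Users given with 'set users' on any policy sourced from an ssl.<vdom> interface."""
    named = set()
    for pol in cfg.get("firewall policy", {}).values():
        if any(i.startswith("ssl.") for i in pol.get("srcintf", [])):
            named.update(pol.get("users", []))
    return named


def expected_portal(cfg, user, user_groups):
    """Portal predicted for 'user', whom the LDAP lookup maps into 'user_groups'."""
    settings = cfg.get("vpn ssl settings", {})
    rules = list(settings.get("authentication-rule", {}).values())
    default = " ".join(settings.get("default-portal", ["(none)"]))
    if user in users_named_in_ssl_policies(cfg):
        hits = [r for r in rules if user in r.get("users", [])]  # user rules only
    else:
        hits = [r for r in rules if set(r.get("groups", [])) & set(user_groups)]
    return " ".join(hits[0]["portal"]) if hits else default


# Constructed from the article's example, keeping only the settings that matter.
ARTICLE_CFG = """
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set users "prateek"
    next
end
config vpn ssl settings
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "Domain Group"
            set portal "tunnel-access"
        next
    end
end
"""
# Solution 1: add a user-specific authentication rule.
SOLUTION1_DELTA = """
config vpn ssl settings
    config authentication-rule
        edit 2
            set users "prateek"
            set portal "tunnel-access"
        next
    end
end
"""
# Solution 2: take the user off the policy and use a group in both places.
SOLUTION2_DELTA = """
config firewall policy
    edit 1
        unset users
        set groups "SSL-Group"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 2
            set groups "SSL-Group"
            set portal "tunnel-access"
        next
    end
end
"""


def portal_per_scenario(user="prateek", groups=("Domain Group", "SSL-Group")):
    deltas = {"article": "", "solution1": SOLUTION1_DELTA, "solution2": SOLUTION2_DELTA}
    return {k: expected_portal(parse_fortios(ARTICLE_CFG + d), user, groups)
            for k, d in deltas.items()}
```

Running `portal_per_scenario()` gives 'web-access' for the article's configuration and 'tunnel-access' for both solutions. The parser accepts the output of `show` for the relevant tables, so the same check can be run against a real configuration to list every user named directly on an SSL VPN policy who has no matching authentication rule.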


Note:

If a user is a member of multiple firewall groups and those groups have different portals assigned, SSL VPN realms may be needed so that the connection attempt is matched to the intended portal. See the 'SSL-VPN-multi-realm' article.


Related article:

Technical Tip: A quick guide to FortiGate SSL VPN authentication and common issues and misunderstand...