To address this issue, first verify that the symptoms match this article. Enable the debugs below and reproduce the issue:
- Enable debugs in the FortiNAC console, and tail 'output.master' while reproducing the issue:
execute enter-shell
nacdebug -name DirectoryManager true
nacdebug -name DirectoryAccess true
# Disable debugs after finishing troubleshooting:
# nacdebug -name DirectoryManager false
# nacdebug -name DirectoryAccess false
logs tail -f output.master
- Reproduce the issue, stop the debugs, and search the output for the lines below. Filter with search patterns such as 'DirectoryManager' or the user account name:
yams INFO :: 2024-09-27 12:29:40:744 :: #65348 :: DirectoryUser::Returned from makeClient!!
yams.DirectoryManager FINER :: 2024-09-27 12:29:40:744 :: #65348 :: DirectoryManager::SUCCESS finding user1, ad
yams.DirectoryManager FINER :: 2024-09-27 12:29:40:744 :: #65348 :: kerberos login command /usr/bin/wbinfo --krb5auth=forti.lab\aduser1%
yams INFO :: 2024-09-27 12:29:40:846 :: #65348 :: No client found for ID of aduser1
com.bsc.api.client.AuthRegistrationsException: kerberosAuthentication: Failed to authenticate user: aduser1
com.bsc.api.client.AuthRegistrationsException: User is not in the directory.
yams SEVERE :: 2024-09-27 12:29:40:847 :: #65348 :: at com.bsc.plugin.ldap.DirectoryManager.findDirectoryUser(DirectoryManager.java:734)
If the output matches (further debug snippets for comparison are given below), follow this article. Otherwise, provide a debug grab-log snapshot to TAC together with the timestamp of the test and the test account used.
To resolve this issue, check the LDAP settings and the Radius Winbind service on the FortiNAC side. Related articles:
- Technical Tip: MSCHAPv2 authentication, join FortiNAC in domain and checks
- Troubleshooting Tip: FortiNAC Winbind Domain Join fails with 'Included profile file could not be rea...
- Troubleshooting Tip: Local Winbind configuration fails to start
- Go to the Admin GUI -> System -> Settings -> Authentication -> LDAP, select the appropriate LDAP server and select the 'Modify' button.
- Select 'Additional settings' and check whether the 'NetBIOS name' attribute has been filled in:
The configured 'NetBIOS name' attribute must match the one configured in the Radius Winbind settings when authentication is to be processed with the Kerberos protocol.
Additional outputs:
Configurations in which authentication can fail:
- Different 'NetBIOS name' values are specified in the LDAP settings and in the Radius Winbind settings.
- FortiNAC is not joined to the domain, but a 'NetBIOS name' is configured in the LDAP settings.
Debug output when the NetBIOS names do not match (the LDAP value is 'xyz.lab', the Radius Winbind value is 'forti.lab'):
yams INFO :: 2024-09-27 12:57:13:421 :: #257951 :: DirectoryUser::Returned from makeClient!!
yams.DirectoryManager FINER :: 2024-09-27 12:57:13:421 :: #257951 :: DirectoryManager::SUCCESS finding user1, ad
yams.DirectoryManager FINER :: 2024-09-27 12:57:13:421 :: #257951 :: kerberos login command /usr/bin/wbinfo --krb5auth=xyz.lab\aduser1%
yams INFO :: 2024-09-27 12:57:13:525 :: #257951 :: No client found for ID of aduser1
com.bsc.api.client.AuthRegistrationsException: kerberosAuthentication: Failed to authenticate user: aduser1
com.bsc.api.client.AuthRegistrationsException: User is not in the directory.
yams SEVERE :: 2024-09-27 12:57:13:525 :: #257951 :: at com.bsc.plugin.ldap.DirectoryManager.findDirectoryUser(DirectoryManager.java:734)
When the values are the same (and Winbind is enabled), authentication is performed using Kerberos:
yams.DirectoryManager FINER :: 2024-09-27 12:58:42:083 :: #259499 :: DirectoryManager::SUCCESS finding user1, ad
yams.DirectoryManager FINER :: 2024-09-27 12:58:42:083 :: #259499 :: kerberos login command /usr/bin/wbinfo --krb5auth=forti.lab\aduser1%
yams INFO :: 2024-09-27 12:58:42:088 :: #418 :: CommonMib getArpCacheSNMP error: 2 0 reading 1.3.6.1.2.1.4.22.1.2 from device 192.168.1.1
yams SEVERE :: 2024-09-27 12:58:42:089 :: #418 :: java.lang.NullPointerException
yams.DirectoryManager FINER :: 2024-09-27 12:58:42:187 :: #259499 :: DireectoryManager::kerberosAuthentication: SUCCESS aduser1
yams.DirectoryManager FINER :: 2024-09-27 12:58:42:292 :: #259499 :: DirectoryManager::findDirectoryUser SUCCESS Kerberos authenticating user1, ad
yams.DirectoryManager FINER :: 2024-09-27 12:58:42:292 :: #259499 :: DirectoryManager::findDirectoryUser() - loop thename UserRecord:
When the NetBIOS attribute is not specified in the LDAP settings, authentication is processed with the LDAP protocol:
yams INFO :: 2024-09-27 12:59:59:327 :: #65348 :: DirectoryUser::Returned from makeClient!!
yams.DirectoryManager FINER :: 2024-09-27 12:59:59:327 :: #65348 :: DirectoryManager::SUCCESS finding user1, ad
yams INFO :: 2024-09-27 12:59:59:327 :: #65348 :: Setting ldap referral to follow 192.168.40.10
yams.DirectoryManager FINER :: 2024-09-27 12:59:59:331 :: #65348 :: DirectoryManager::findDirectoryUser SUCCESS LDAP authenticating user1, ad
yams.DirectoryManager FINER :: 2024-09-27 12:59:59:331 :: #65348 :: DirectoryManager::findDirectoryUser() - loop thename UserRecord:
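To make the comparison between the three debug snippets above quicker on a real 'output.master', the added Python script below (not part of the original article or of FortiNAC) groups DirectoryManager records by thread and reports, for each authentication attempt, whether the Kerberos (wbinfo) or LDAP path was taken, which NetBIOS name was passed to wbinfo, and whether it matches the Radius Winbind value the operator expects. The sample log lines and the expected value 'forti.lab' are constructed from the snippets above.

```python
import re

# Constructed sample of output.master records, modelled on the snippets above:
# thread #257951 = NetBIOS mismatch, #259499 = Kerberos success, #65348 = LDAP path.
SAMPLE_LOG = r"""
yams.DirectoryManager FINER :: 2024-09-27 12:57:13:421 :: #257951 :: kerberos login command /usr/bin/wbinfo --krb5auth=xyz.lab\aduser1%
yams INFO :: 2024-09-27 12:57:13:525 :: #257951 :: No client found for ID of aduser1
com.bsc.api.client.AuthRegistrationsException: User is not in the directory.
yams.DirectoryManager FINER :: 2024-09-27 12:58:42:083 :: #259499 :: kerberos login command /usr/bin/wbinfo --krb5auth=forti.lab\aduser1%
yams.DirectoryManager FINER :: 2024-09-27 12:58:42:292 :: #259499 :: DirectoryManager::findDirectoryUser SUCCESS Kerberos authenticating user1, ad
yams.DirectoryManager FINER :: 2024-09-27 12:59:59:331 :: #65348 :: DirectoryManager::findDirectoryUser SUCCESS LDAP authenticating user1, ad
"""

# One record: "<logger> <LEVEL> :: <date> <time> :: #<thread> :: <message>"
LINE_RE = re.compile(r"^(?P<logger>\S+) (?P<level>\S+) :: (?P<ts>\S+ \S+) :: #(?P<thread>\d+) :: (?P<msg>.*)$")
# wbinfo --krb5auth=<NetBIOS name taken from the LDAP settings>\<user>%
KRB_RE = re.compile(r"--krb5auth=(?P<realm>[^\\]+)\\(?P<user>[^%]+)%")
SUCCESS_RE = re.compile(r"findDirectoryUser SUCCESS (?P<method>Kerberos|LDAP) authenticating")


def triage(log_text, winbind_netbios):
    """Return {thread: {user, realm, method, outcome, mismatch}} for every
    authentication attempt found in log_text; winbind_netbios is the NetBIOS
    name configured in the Radius Winbind settings (assumed known to the operator)."""
    attempts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # Java exception / stack-trace lines carry no thread id; skip them
            continue
        thread, msg = m.group("thread"), m.group("msg")
        a = attempts.setdefault(thread, {"user": None, "realm": None, "method": None,
                                         "outcome": "unknown", "mismatch": False})
        krb = KRB_RE.search(msg)
        if krb:  # Kerberos path: the realm is the LDAP 'NetBIOS name' attribute
            a["user"], a["realm"], a["method"] = krb.group("user"), krb.group("realm"), "Kerberos"
            a["mismatch"] = a["realm"].lower() != winbind_netbios.lower()
        elif "No client found for ID of" in msg:
            a["outcome"] = "failed"
        else:
            ok = SUCCESS_RE.search(msg)
            if ok:  # a thread with no wbinfo call that succeeds here used plain LDAP
                a["method"], a["outcome"] = ok.group("method"), "success"
    return attempts


if __name__ == "__main__":
    for thread, a in triage(SAMPLE_LOG, "forti.lab").items():
        hint = "  <- LDAP 'NetBIOS name' differs from Radius Winbind" if a["mismatch"] else ""
        print(f"#{thread}: method={a['method']} outcome={a['outcome']} realm={a['realm']}{hint}")
```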