Fortinet Forum
Andy_R
New Contributor

SSL VPN using RADIUS "unknown user"

Hello,

I am configuring the SSL VPN on a FortiGate 100D running firmware 6.0.5. I have set up RADIUS auth because we are using Duo MFA. When I use the "Test User Credentials" option it's successful. However, when I try to connect to the VPN, it fails. The logs on the FortiGate say "ssl-login-fail Reason: sslvpn_login_unknown_user".

Up until recently, users were using local accounts on the firewall to connect to the VPN. I'm suspecting the FortiGate thinks my user is a local user and isn't finding it. The VPN setup has my new group using RADIUS listed and mapped to a portal, so I'm not sure what I'm doing wrong. Any suggestions?

Toshi_Esumi
Esteemed Contributor II

I don't think so. As long as you removed the local user from the SSLVPN user group, the FGT wouldn't look for it in local users.

The GUI's user credential test, at least with that old version, doesn't check the actual credentials but just checks reachability. To test a user credential, you have to use the CLI:

diag test authserver radius <server_name> [pap|chap|...] "<user_name>" "<password>"

Toshi

Andy_R

Interesting, because I had that thought and tried testing with an intentionally wrong password and it failed. The test account I'm using only exists in AD. No local account on the FortiGate with the same name. I'm leaning towards this being a bug at this point. Will be upgrading the firmware to rule that out at least.

Toshi_Esumi
Esteemed Contributor II

If you still have doubt that the FGT is sending an auth request to the Duo side, you can sniff packets for UDP 1812 with Duo's server IP. If you do it on the outgoing interface with option 6, you can convert the capture to a PCAP file that Wireshark can open. Then you can see what the FGT sent and what Duo replied back.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-diagnose-sniffer-packet-data...
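The check Toshi describes, as an added example that is not part of the original thread or of Fortinet's own tooling: a small Python decoder for the verbose-6 output of `diagnose sniffer packet <interface> 'host <duo_ip> and udp port 1812' 6`. Verbose level 6 prints each packet as a header line ("... 10.1.1.1.1025 -> 10.1.1.2.1812: udp 90") followed by rows of "0xNNNN<TAB> hex words <TAB>ascii". The script parses those rows back into Ethernet frames, pulls the UDP payload on port 1812, and decodes the RADIUS code (Access-Request, Access-Accept, Access-Reject, Access-Challenge) and the User-Name attribute, which is exactly what you would look for in Wireshark. The sample dump, the addresses and the user name "andy" are constructed inside the script, not taken from a real FortiGate or from Duo; the IP/UDP checksums in the constructed frames are left at zero because the decoder does not verify them.

```python
"""Decode a FortiGate 'diagnose sniffer packet ... 6' dump of RADIUS traffic.

Added example; the sample dump below is constructed here, not captured.
"""
import re
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}


def parse_sniffer_dump(text):
    """Return [(header_line, frame_bytes), ...] from verbose-6 sniffer output."""
    packets, header, chunks = [], None, []
    # '0x0010<TAB> 0076 0000 4000 4011 ...<TAB>.v..@.@.' -> capture the hex words only
    hexrow = re.compile(r"^0x[0-9a-fA-F]{4}\s+([0-9a-fA-F ]+?)(?:\t|\s{2,}|$)")
    for line in text.splitlines():
        m = hexrow.match(line)
        if m:
            chunks.append(m.group(1).replace(" ", ""))
        elif "->" in line:  # a new packet header line
            if header is not None:
                packets.append((header, bytes.fromhex("".join(chunks))))
            header, chunks = line.strip(), []
    if header is not None:
        packets.append((header, bytes.fromhex("".join(chunks))))
    return packets


def udp_payload(frame):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:  # IP protocol field: 17 = UDP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    udp = frame[14 + ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return src, sport, dst, dport, udp[8:ulen]


def decode_radius(payload):
    """Decode the RADIUS header (RFC 2865 layout) and the User-Name attribute (type 1)."""
    code, ident, length = struct.unpack("!BBH", payload[:4])
    attrs, pos = {}, 20  # attributes start after the 16-byte Authenticator
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2:
            break
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return {"code": RADIUS_CODES.get(code, str(code)), "id": ident,
            "user": attrs.get(1, b"").decode(errors="replace")}


def summarize(text):
    """List (src, dst, id, code, user) for every RADIUS packet in the dump."""
    out = []
    for _header, frame in parse_sniffer_dump(text):
        info = udp_payload(frame)
        if info is None or 1812 not in (info[1], info[3]):
            continue
        r = decode_radius(info[4])
        out.append((info[0], info[2], r["id"], r["code"], r["user"]))
    return out


# ---- constructed sample data (not a real capture) ---------------------------
def radius_packet(code, ident, username=None):
    attrs = b""
    if username:
        attrs = bytes([1, 2 + len(username)]) + username.encode()
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


def build_frame(src, sport, dst, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00\x09\x0f\x09\x00\x01" + b"\x00\x90\xfb\x6a\x1b\x20" + b"\x08\x00" + ip + udp


def to_sniffer_text(header, frame):
    rows = [header]
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"0x{off:04x}\t {hexpart}\t{asc}")
    return "\n".join(rows)


_req = radius_packet(1, 7, "andy")   # what the FGT would send to Duo
_rej = radius_packet(3, 7)           # what Duo might answer
SAMPLE_DUMP = "interfaces=[port1]\nfilters=[udp port 1812]\n" + "\n".join([
    to_sniffer_text(f"2.689876 port1 out 10.1.1.1.1025 -> 10.1.1.2.1812: udp {len(_req)}",
                    build_frame("10.1.1.1", 1025, "10.1.1.2", 1812, _req)),
    to_sniffer_text(f"2.712340 port1 in 10.1.1.2.1812 -> 10.1.1.1.1025: udp {len(_rej)}",
                    build_frame("10.1.1.2", 1812, "10.1.1.1", 1025, _rej)),
])

if __name__ == "__main__":
    for row in summarize(SAMPLE_DUMP):
        print(row)
```

Paste the real sniffer output into a file and feed it to `summarize()`: if no Access-Request with the expected User-Name shows up, the FGT never sent the request (wrong user group, server, or source interface); if a request goes out and nothing comes back, look at reachability and the shared secret; an Access-Reject with matching Identifier means Duo answered and the problem is on the RADIUS/Duo side rather than a "local user" lookup.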