zorg1983
New Contributor

User unable to connect to VPN - unknown user

Hello All,

 

I have a strange issue. I have a FortiGate 500D with an LDAP server configured.

I have a user X who can't connect to the VPN. Once he tries to connect it gives the error: Permission denied.

All other users from the same container in the AD are able to connect, only this user can't.

I tried to reset the password and unlocked the account. Nothing.

Any suggestions?

 

Joe.

Ralph1973
Contributor

Hi, try to troubleshoot the SSL VPN connection by debugging it to see what happens,

and test whether the authentication works, by using the following examples:

  • SSL VPN LDAP authentication (test LDAP auth against the LDAP server):

    diag test authserver ldap "KA.companyname.local" "user1" "password123"

  • SSL VPN debugging:

    diagnose debug application sslvpn -1

  • Authentication debugging:

    dia deb app fnbamd 255
    dia deb console
    dia deb en

Hopefully this makes things clear to you

Kind regards,

Ralph Willemsen

zorg1983

Ralph

This is what I got:

fnbamd_ldap.c[485] get_all_dn-Found 1 DN's
fnbamd_ldap.c[519] start_next_dn_bind-Trying DN 1:CN=משען אירית,OU=מח' מיחשוב ומערכות מידע,OU=בניין העירייה.נודאו 17,OU=משתמשים,DC=bat-yam,DC=local
fnbamd_ldap.c[1778] fnbamd_ldap_get_result-Going to USERBIND state
fnbamd_fsm.c[2473] auth_ldap_result-Continue pending for req 1903
fnbamd_ldap.c[503] start_next_dn_bind-No more DN left
fnbamd_ldap.c[2025] fnbamd_ldap_get_result-Auth denied
fnbamd_auth.c[2351] fnbamd_auth_poll_ldap-Result for ldap svr 10.21.21.210 is denied
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 1 for req 1903
fnbamd_fsm.c[565] destroy_auth_session-delete session 1903
[94:root:3788]fam_auth_send_req:514 with server blacklist: #bat-yam_DC
[94:root:3788]fnbamd_fsm.c[1879] handle_req-Rcvd auth req 1904 for irit in BAT_VPN_Users opt=00000100 prot=10
fnbamd_fsm.c[336] __compose_group_list_from_req-Group 'BAT_VPN_Users'
fnbamd_pop3.c[573] fnbamd_pop3_start-irit
fnbamd_auth.c[303] radius_start-Didn't find radius servers (0)
fnbamd_auth.c[688] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_auth.c[409] ldap_start-Didn't find ldap servers (0)
fnbamd_fsm.c[417] create_auth_session-Error starting authentication
fnbamd_fsm.c[1898] handle_req-Error creating session
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 3 for req 1904
[94:root:3788]fam_auth_send_req:514 with server blacklist: #bat-yam_DC
[94:root:3788]fam_auth_send_req:602 task finished with 5
[94:root:3788]rmt_logincheck.c:250 user[irit],auth_type=1 failed [sslvpn_login_unknown_user]
[94:root:0]rmt_websession.c:77 status=1;host=81.218.192.40;fails=1;logintime=1430826817
[94:root:3788]rmt_authutil.c:418 no session id in auth info
[94:root:3788]rmt_authutil.c:700 invalid cache, ret=4103
[94:root:3788]Timeout for connection 0x2a98cc6c00.
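A small parser for the fnbamd debug output quoted above, added here as an example and not part of the thread or of any Fortinet tool: it groups the messages by request id and turns the lines that decide the outcome (`Found N DN's`, `Trying DN`, `Auth denied`, `Didn't find ldap servers`, `Sending result`) into a diagnosis per login attempt, which is the reading a practitioner has to do by hand on a transcript like the one above. The sample log is constructed in that format with made-up users, DNs and request ids; the `Found 0 DN's` variant and the `Auth accepted` message are assumed, not shown in the thread.

```python
import re
from collections import OrderedDict

# Constructed sample in the fnbamd debug format quoted in this thread. Users,
# DNs and request ids are made up; "Found 0 DN's" is an assumed variant.
SAMPLE_LOG = """\
fnbamd_fsm.c[1879] handle_req-Rcvd auth req 1903 for irit in BAT_VPN_Users opt=00000100 prot=10
fnbamd_ldap.c[485] get_all_dn-Found 1 DN's
fnbamd_ldap.c[519] start_next_dn_bind-Trying DN 1:CN=irit,CN=Users,DC=example,DC=local
fnbamd_ldap.c[1778] fnbamd_ldap_get_result-Going to USERBIND state
fnbamd_ldap.c[503] start_next_dn_bind-No more DN left
fnbamd_ldap.c[2025] fnbamd_ldap_get_result-Auth denied
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 1 for req 1903
fnbamd_fsm.c[1879] handle_req-Rcvd auth req 1904 for irit in BAT_VPN_Users opt=00000100 prot=10
fnbamd_auth.c[409] ldap_start-Didn't find ldap servers (0)
fnbamd_fsm.c[417] create_auth_session-Error starting authentication
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 3 for req 1904
fnbamd_fsm.c[1879] handle_req-Rcvd auth req 1905 for bob in BAT_VPN_Users opt=00000100 prot=10
fnbamd_ldap.c[485] get_all_dn-Found 0 DN's
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 1 for req 1905
"""

REQ_START = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (\S+)")
FOUND_DN = re.compile(r"get_all_dn-Found (\d+) DN")
RESULT = re.compile(r"Sending result (\d+) for req (\d+)")

def classify(lines):
    """Group fnbamd messages per auth request and attach a diagnosis string."""
    reqs, cur = OrderedDict(), None
    for line in lines:
        if m := REQ_START.search(line):
            cur = reqs.setdefault(m.group(1), {"user": m.group(2), "group": m.group(3),
                                               "dns": [], "diagnosis": "no result seen"})
        elif cur is None:
            continue  # message before any request header; nothing to attach it to
        elif "Didn't find ldap servers" in line:
            cur["diagnosis"] = "no LDAP server found for this request's group; check group/server mapping"
        elif (m := FOUND_DN.search(line)) and m.group(1) == "0":
            cur["diagnosis"] = "user not found under the configured search base (wrong OU/container?)"
        elif "Trying DN" in line:  # record which DN the FortiGate tried to bind with
            cur["dns"].append(line.split("Trying DN", 1)[1].split(":", 1)[1].strip())
        elif "Auth denied" in line:
            cur["diagnosis"] = "bind as the user was refused by the DC; check password/account state"
        elif "Auth accepted" in line:  # assumed success message, not shown in the thread
            cur["diagnosis"] = "accepted"
        elif m := RESULT.search(line):
            cur["result"] = int(m.group(1))  # 1 = denied and 3 = error in the thread's output
    return reqs
```

Run `classify(SAMPLE_LOG.splitlines())` to get one record per request id; the second request (1904) is the one that ends in `sslvpn_login_unknown_user` in the transcript above.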

Ralph1973

Hi, well it looks like your FortiGate doesn't have access to the DC (LDAP connection).

Please also check whether there might be local users configured with the same username?

Regards,

Ralph

zorg1983

Ralph1973 wrote:

Hi, well it looks like your FortiGate doesn't have access to the DC (LDAP connection).

Please also check whether there might be local users configured with the same username?

Regards,

Ralph

Hey,

I just tested and the connection is successful. Also, there is no local user with such a name.

It's weird.

Joe.

zorg1983
New Contributor

Problem solved. It was an issue with the user itself in the AD.

Joe.

JaapHoetmer
New Contributor III

Hi there

I had a similar issue and I found out that the user(s) need to be in a valid OU in Active Directory for it to work; they can't be in the Users folder. In Win2012 Essentials, users created via the Dashboard are by default created in the Users folder, strangely enough. They need to move to an OU before the FortiGate LDAP authentication can work.

Cheers

Jaap

Kind regards, Jaap
Anne
New Contributor III

Hi Joe,

I am running into a similar issue. Can you please update here how you fixed the issue?

Thanks

Anne

michaeladriannewton
New Contributor

Hi Joe,

Not really an answer to your question but, just out of interest, what type of VPN are you using for your remote users with LDAP integration?

I'm currently setting up an L2TP/IPsec VPN connection with LDAP user authentication but with little to no success, so I'm looking for another solution.

Cheers

Michael

aaqibk

[163:root:32]login_failed:260 user[test104],auth_type=1 failed [sslvpn_login_unknown_user]

Can anyone here explain this?

The issue is happening with VPN connectivity with an LDAP user.
