Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kallbrandt
Contributor II

Bug in 6.0.6 SSLVPN/LDAP user auth?

Just my findings about this. Someone else might be drowning in the same marsh..

 

I had serious problems with a client's 600D not honoring the configured LDAP groups for VPN authentication. It turned out that the Fortigate authenticated all users against radius... No radius users are configured. But during the auth sequence, the firewall check for radius config, then tacacs config, then ldap. If it finds a radius server, it proceeds to authenticate the users on that! I am still waiting for the TAC to tell me if this really is the expected behaviour, but I suspect not. It would be impossible to use more then one type of authentication server then. Well, as it is now at least. The solution for me was to remove the radius config - Hey presto! LDAP works, groups are honored!

 

Or wait, there was a 2nd snafu: LDAPS was configured, all checks were green in gui. But LDAP auth fails with "unsupported protocol" when you do your diag debug on auth...

Richie

NSE7

Richie NSE7
10 REPLIES 10
Toshi_Esumi

Just to confirm, I upgraded our FG60E HA cluster to 6.0.6 last night as I mentioned. But RADIUS auth with different servers for admin users and WiFi users still work as expected.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors