Hi all,
I have a setup with FortiAuthenticator (v6.6.0) and FortiGate 401F (v7.2.9), where FAC is fed by an openLDAP, and I use remote user sync rules to add users to groups created on FAC.
The thing is, I have several groups created on FAC, however the users can only connect to VPN if they are in a specific group (regardless of which group they belong on openLDAP).
I don't have any filters on the FAC policy.
This happens with, and without token.
I know that the problem is not related to the password.
Logs of the user connecting successfully:
ESEnfC-1 # [3592:root:1c23e]allocSSLConn:310 sconn 0x7f201b4e7000 (0:root)
[3592:root:1c23e]SSL state:before SSL initialization (*.*.*.*)
[3592:root:1c23e]SSL state:fatal decode error (*.*.*.*)
[3592:root:1c23e]SSL state:error:(null)(*.*.*.*)
[3592:root:1c23e]SSL_accept failed, 1:unexpected eof while reading
[3592:root:1c23e]Destroy sconn 0x7f201b4e7000, connSize=1. (root)
[3593:root:1c23e]allocSSLConn:310 sconn 0x7f201b4e7800 (0:root)
[3593:root:1c23e]SSL state:before SSL initialization (*.*.*.*)
[3593:root:1c23e]SSL state:before SSL initialization (*.*.*.*)
[3593:root:1c23e]no SNI received
[3593:root:1c23e]client cert requirement: no
[3593:root:1c23e]SSL state:SSLv3/TLS read client hello (*.*.*.*)
[3593:root:1c23e]SSL state:SSLv3/TLS write server hello (*.*.*.*)
[3593:root:1c23e]SSL state:SSLv3/TLS write change cipher spec (*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 early data:(null)(*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23e]no SNI received
[3593:root:1c23e]client cert requirement: no
[3593:root:1c23e]SSL state:SSLv3/TLS read client hello (*.*.*.*)
[3593:root:1c23e]SSL state:SSLv3/TLS write server hello (*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 write encrypted extensions (*.*.*.*)
[3593:root:1c23e]SSL state:SSLv3/TLS write finished (*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 early data:(null)(*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23e]SSL state:SSLv3/TLS read finished (*.*.*.*)
[3593:root:1c23e]SSL state:SSLv3/TLS write session ticket (*.*.*.*)
[3593:root:1c23e]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[3593:root:1c23e]req: /remote/info
[3593:root:1c23e]capability flags: 0x1cdf
[3593:root:1c23e]req: /remote/login
[3593:root:1c23e]rmt_web_auth_info_parser_common:525 no session id in auth info
[3593:root:1c23e]rmt_web_get_access_cache:874 invalid cache, ret=4103
[3593:root:1c23e]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23e]get_cust_page:123 saml_info 0
[3593:root:1c23e]req: /remote/logincheck
[3593:root:1c23e]Transfer-Encoding n/a
[3593:root:1c23e]Content-Length 237
[3593:root:1c23e]readPostEnter:19 Post Data length 237.
[3593:root:1c23e]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23e]rmt_web_auth_info_parser_common:525 no session id in auth info
[3593:root:1c23e]rmt_web_access_check:793 access failed, uri=[/remote/logincheck],ret=4103,
[3593:root:1c23e]sslvpn_auth_check_usrgroup:3050 forming user/group list from policy.
[3593:root:1c23e]sslvpn_auth_check_usrgroup:3097 got user (2) group (3:0).
[3593:root:1c23e]sslvpn_validate_user_group_list:1940 validating with SSL VPN authentication rules (6), realm ().
[3593:root:1c23e]sslvpn_validate_user_group_list:2034 checking rule 1 cipher.
[3593:root:1c23e]sslvpn_validate_user_group_list:2042 checking rule 1 realm.
[3593:root:1c23e]sslvpn_validate_user_group_list:2053 checking rule 1 source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2092 checking rule 1 vd source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2591 rule 1 done, got user (1:0) group (0:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2034 checking rule 2 cipher.
[3593:root:1c23e]sslvpn_validate_user_group_list:2042 checking rule 2 realm.
[3593:root:1c23e]sslvpn_validate_user_group_list:2053 checking rule 2 source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2591 rule 2 done, got user (2:0) group (0:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2034 checking rule 3 cipher.
[3593:root:1c23e]sslvpn_validate_user_group_list:2042 checking rule 3 realm.
[3593:root:1c23e]sslvpn_validate_user_group_list:2053 checking rule 3 source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2591 rule 3 done, got user (2:0) group (0:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2034 checking rule 4 cipher.
[3593:root:1c23e]sslvpn_validate_user_group_list:2042 checking rule 4 realm.
[3593:root:1c23e]sslvpn_validate_user_group_list:2053 checking rule 4 source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2591 rule 4 done, got user (2:0) group (1:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2034 checking rule 5 cipher.
[3593:root:1c23e]sslvpn_validate_user_group_list:2042 checking rule 5 realm.
[3593:root:1c23e]sslvpn_validate_user_group_list:2053 checking rule 5 source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2591 rule 5 done, got user (2:0) group (2:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2034 checking rule 6 cipher.
[3593:root:1c23e]sslvpn_validate_user_group_list:2042 checking rule 6 realm.
[3593:root:1c23e]sslvpn_validate_user_group_list:2053 checking rule 6 source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2591 rule 6 done, got user (2:0) group (3:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2599 got user (2:0) group (3:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2946 got user (2:0), group (3:0) peer group (0).
[3593:root:1c23e]sslvpn_update_user_group_list:1834 got user (2:0), group (3:0), peer group (0) after update.
[3593:root:1c23e]two factor check for jloureiro: off
[3593:root:1c23e]sslvpn_authenticate_user:193 authenticate user: [jloureiro]
[3593:root:1c23e]sslvpn_authenticate_user:211 create fam state
[3593:root:1c23e][fam_auth_send_req_internal:430] Groups sent to FNBAM:
[3593:root:1c23e]group_desc[0].grpname = SSLVPN_Acesso_IT
[3593:root:1c23e]group_desc[1].grpname = SSLVPN_AcessoExterno_OneSource
[3593:root:1c23e]group_desc[2].grpname = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23e][fam_auth_send_req_internal:442] FNBAM opt = 0X200421
[3593:root:1c23e]fam_auth_send_req_internal:518 fnbam_auth return: 4
[3593:root:1c23e]fam_auth_send_req:1019 task finished with 4
[3593:root:1c23e]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 2 (challenged)
[3593:root:1c23e]req: /remote/logincheck
[3593:root:1c23e]Transfer-Encoding n/a
[3593:root:1c23e]Content-Length 113
[3593:root:1c23e]readPostEnter:19 Post Data length 113.
[3593:root:1c23e]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23e]rmt_web_auth_info_parser_common:525 no session id in auth info
[3593:root:1c23e]rmt_web_access_check:793 access failed, uri=[/remote/logincheck],ret=4103,
[3593:root:1c23e]got checking id 1-15d09a0b
[3593:root:1c23e]two factor check for jloureiro: off
[3593:root:1c23e]sslvpn_authenticate_user:193 authenticate user: [jloureiro]
[3593:root:1c23e]sslvpn_authenticate_user:211 create fam state
[3593:root:1c23e]user 'jloureiro' uses 2FA: ctx->peer_two_factor = 0, ctx->peer_name.peername = 0, ctx->is_two_factor = 1
[3593:root:1c23e][fam_auth_send_req_internal:430] Groups sent to FNBAM:
[3593:root:1c23e]group_desc[0].grpname = SSLVPN_Acesso_IT
[3593:root:1c23e]group_desc[1].grpname = SSLVPN_AcessoExterno_OneSource
[3593:root:1c23e]group_desc[2].grpname = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23e][fam_auth_send_req_internal:442] FNBAM opt = 0X200421
[3593:root:1c23e]fam_auth_send_req_internal:491 fnbam_auth_token return: 4
[3593:root:1c23e]fam_auth_send_req:1019 task finished with 4
[3593:root:1c23e]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 0 (success)
[3593:root:1c23e][fam_auth_proc_resp:1472] Authenticated groups (1) by FNBAM with auth_type (2):
[3593:root:1c23e]Received: auth_rsp_data.grp_list[0] = 4
[3593:root:1c23e]fam_auth_proc_resp:1497 found node SSLVPN_AcessoExterno_Noshut:0:, valid:1, auth:0
[3593:root:1c23e]Validated: auth_rsp_data.grp_list[0] = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23e]use radius server interval setting
[3593:root:1c23e]Auth successful for user jloureiro in group SSLVPN_AcessoExterno_Noshut
[3593:root:1c23e]fam_do_cb:683 fnbamd return auth success.
[3593:root:1c23e]SSL VPN login matched rule (4).
[3593:root:1c23e]got public IP address: *.*.*.*
[3593:root:1c23e]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23e]rmt_web_session_create:1016 create web session, idx[1]
[3593:root:1c23e]login_succeeded:554 redirect to hostcheck
[3593:root:1c23e]Transfer-Encoding n/a
[3593:root:1c23e]Content-Length 113
[3593:root:1c23e]rmt_hcinstall_cb_handler:210 enter
[3593:root:1c23e]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23e]rmt_hcinstall_cb_handler:288 hostchk needed : 0.
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]Transfer-Encoding n/a
[3593:root:1c23e]Content-Length 113
[3593:root:1c23e]req: /remote/fortisslvpn
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23e]req: /remote/fortisslvpn_xml
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]sslvpn_reserve_dynip:1544 tunnel vd[root] ip[10.212.134.201] app session idx[1]
[3589:root:1c23e]allocSSLConn:310 sconn 0x7f201b4e7000 (0:root)
[3589:root:1c23e]SSL state:before SSL initialization (*.*.*.*)
[3589:root:1c23e]SSL state:before SSL initialization (*.*.*.*)
[3589:root:1c23e]no SNI received
[3589:root:1c23e]client cert requirement: no
[3589:root:1c23e]SSL state:SSLv3/TLS read client hello (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write server hello (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write change cipher spec (*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 early data:(null)(*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3589:root:1c23e]no SNI received
[3589:root:1c23e]client cert requirement: no
[3589:root:1c23e]SSL state:SSLv3/TLS read client hello (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write server hello (*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 write encrypted extensions (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write certificate (*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 write server certificate verify (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write finished (*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 early data:(null)(*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS read finished (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write session ticket (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write session ticket (*.*.*.*)
[3589:root:1c23e]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[3589:root:1c23e]req: /remote/sslvpn-tunnel2?dns0=192.168.1.1&
[3589:root:1c23e]sslvpn_tunnel2_handler,60, Calling rmt_conn_access_ex.
[3589:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3589:root:1c23e]normal tunnel2 request received.
[3589:root:1c23e]sslvpn_tunnel2_handler,171, fct_uuid = 8333A15302634E6BB0308B658C976DFE
[3589:root:1c23e]sslvpn_tunnel2_handler,179, Calling tunnel2 with hostname diogo_noshut.
[3589:root:1c23e]tunnel2_enter:1559 0x7f201b4e7000:0x7f201a770000 sslvpn user[jloureiro],type 2,logintime 0 vd 0 vrf 0
[3589:root:1c23e]tun dev (ssl.root) opened (33)
[3589:root:1c23e]fsv_associate_fd_to_ipaddr:2360 associate 10.212.134.201 to tun (ssl.root:33)
[3589:root:1c23e]fsv_tunnel2_common_link_up:471 Framed IP is set to 10.212.134.201
[3589:root:1c23e]proxy arp: scanning 53 interfaces for IP 10.212.134.201
[3589:root:1c23e]no ethernet address for proxy ARP
[3589:root:1c23e]sslvpn_user_match:1171 add user jloureiro in group SSLVPN_AcessoExterno_Noshut
[3589:root:1c23e]Will add auth policy for policy 100
[3589:root:1c23e]Add auth logon for user jloureiro:SSLVPN_AcessoExterno_Noshut, matched group number 1
[3593:root:1c23e]SSL state:fatal decode error (*.*.*.*)
[3593:root:1c23e]sslvpn_read_request_common,863, ret=-1 error=-1, sconn=0x7f201b4e7800.
[3593:root:1c23e]Destroy sconn 0x7f201b4e7800, connSize=0. (root)
Logs of the user trying to connect and getting "Permission denied (-455)"
[3592:root:1c23b]SSL state:before SSL initialization (*.*.*.*)
[3592:root:1c23b]SSL state:fatal decode error (*.*.*.*)
[3592:root:1c23b]SSL state:error:(null)(*.*.*.*)
[3592:root:1c23b]SSL_accept failed, 1:unexpected eof while reading
[3592:root:1c23b]Destroy sconn 0x7f201b4e7000, connSize=1. (root)
[3593:root:1c23b]allocSSLConn:310 sconn 0x7f201b4e7800 (0:root)
[3593:root:1c23b]SSL state:before SSL initialization (*.*.*.*)
[3593:root:1c23b]SSL state:before SSL initialization (*.*.*.*)
[3593:root:1c23b]no SNI received
[3593:root:1c23b]client cert requirement: no
[3593:root:1c23b]SSL state:SSLv3/TLS read client hello (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write server hello (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write change cipher spec (*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 early data:(null)(*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23b]no SNI received
[3593:root:1c23b]client cert requirement: no
[3593:root:1c23b]SSL state:SSLv3/TLS read client hello (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write server hello (*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 write encrypted extensions (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write certificate (*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 write server certificate verify (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write finished (*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 early data:(null)(*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS read finished (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write session ticket (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write session ticket (*.*.*.*)
[3593:root:1c23b]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[3593:root:1c23b]req: /remote/info
[3593:root:1c23b]capability flags: 0x1cdf
[3593:root:1c23b]req: /remote/login
[3593:root:1c23b]rmt_web_auth_info_parser_common:525 no session id in auth info
[3593:root:1c23b]rmt_web_get_access_cache:874 invalid cache, ret=4103
[3593:root:1c23b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23b]get_cust_page:123 saml_info 0
[3593:root:1c23b]req: /remote/logincheck
[3593:root:1c23b]Transfer-Encoding n/a
[3593:root:1c23b]Content-Length 205
[3593:root:1c23b]readPostEnter:19 Post Data length 205.
[3593:root:1c23b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23b]rmt_web_auth_info_parser_common:525 no session id in auth info
[3593:root:1c23b]rmt_web_access_check:793 access failed, uri=[/remote/logincheck],ret=4103,
[3593:root:1c23b]sslvpn_auth_check_usrgroup:3050 forming user/group list from policy.
[3593:root:1c23b]sslvpn_auth_check_usrgroup:3097 got user (2) group (3:0).
[3593:root:1c23b]sslvpn_validate_user_group_list:1940 validating with SSL VPN authentication rules (6), realm ().
[3593:root:1c23b]sslvpn_validate_user_group_list:2034 checking rule 1 cipher.
[3593:root:1c23b]sslvpn_validate_user_group_list:2042 checking rule 1 realm.
[3593:root:1c23b]sslvpn_validate_user_group_list:2053 checking rule 1 source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2092 checking rule 1 vd source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2591 rule 1 done, got user (1:0) group (0:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2034 checking rule 2 cipher.
[3593:root:1c23b]sslvpn_validate_user_group_list:2042 checking rule 2 realm.
[3593:root:1c23b]sslvpn_validate_user_group_list:2053 checking rule 2 source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2591 rule 2 done, got user (2:0) group (0:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2034 checking rule 3 cipher.
[3593:root:1c23b]sslvpn_validate_user_group_list:2042 checking rule 3 realm.
[3593:root:1c23b]sslvpn_validate_user_group_list:2053 checking rule 3 source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2591 rule 3 done, got user (2:0) group (0:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2034 checking rule 4 cipher.
[3593:root:1c23b]sslvpn_validate_user_group_list:2042 checking rule 4 realm.
[3593:root:1c23b]sslvpn_validate_user_group_list:2053 checking rule 4 source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2591 rule 4 done, got user (2:0) group (1:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2034 checking rule 5 cipher.
[3593:root:1c23b]sslvpn_validate_user_group_list:2042 checking rule 5 realm.
[3593:root:1c23b]sslvpn_validate_user_group_list:2053 checking rule 5 source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2591 rule 5 done, got user (2:0) group (2:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2034 checking rule 6 cipher.
[3593:root:1c23b]sslvpn_validate_user_group_list:2042 checking rule 6 realm.
[3593:root:1c23b]sslvpn_validate_user_group_list:2053 checking rule 6 source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2591 rule 6 done, got user (2:0) group (3:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2599 got user (2:0) group (3:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2946 got user (2:0), group (3:0) peer group (0).
[3593:root:1c23b]sslvpn_update_user_group_list:1834 got user (2:0), group (3:0), peer group (0) after update.
[3593:root:1c23b]two factor check for teste2222: off
[3593:root:1c23b]sslvpn_authenticate_user:193 authenticate user: [teste2222]
[3593:root:1c23b]sslvpn_authenticate_user:211 create fam state
[3593:root:1c23b][fam_auth_send_req_internal:430] Groups sent to FNBAM:
[3593:root:1c23b]group_desc[0].grpname = SSLVPN_Acesso_IT
[3593:root:1c23b]group_desc[1].grpname = SSLVPN_AcessoExterno_OneSource
[3593:root:1c23b]group_desc[2].grpname = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23b][fam_auth_send_req_internal:442] FNBAM opt = 0X200421
[3593:root:1c23b]fam_auth_send_req_internal:518 fnbam_auth return: 4
[3593:root:1c23b]fam_auth_send_req:1019 task finished with 4
[3593:root:1c23b]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 1 (invalue username/password)
[3593:root:1c23b]login_failed:405 user[teste2222],auth_type=2 failed [sslvpn_login_permission_denied]
[3593:root:1c23b]Transfer-Encoding n/a
[3593:root:1c23b]Content-Length 205
Thanks.
So, the problem is that I had not "created" the group name as a RADIUS attribute of FAC.
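An added example (not part of the original posts and not Fortinet tooling): a small Python parser that reduces SSL VPN debug traces like the two in the question to the groups sent to FNBAM, the final result, and the groups that came back. It assumes the third field of the `[pid:vdom:id]` prefix identifies one trace; the name `summarize` and the verdict labels are made up for the example, and the sample lines are excerpted from the two traces above.

```python
import re

# Sample input: lines excerpted from the two traces posted in the thread.
SAMPLE = """\
[3593:root:1c23e]sslvpn_authenticate_user:193 authenticate user: [jloureiro]
[3593:root:1c23e][fam_auth_send_req_internal:430] Groups sent to FNBAM:
[3593:root:1c23e]group_desc[0].grpname = SSLVPN_Acesso_IT
[3593:root:1c23e]group_desc[1].grpname = SSLVPN_AcessoExterno_OneSource
[3593:root:1c23e]group_desc[2].grpname = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23e]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 2 (challenged)
[3593:root:1c23e]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 0 (success)
[3593:root:1c23e]Validated: auth_rsp_data.grp_list[0] = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23e]SSL VPN login matched rule (4).
[3593:root:1c23b]sslvpn_authenticate_user:193 authenticate user: [teste2222]
[3593:root:1c23b][fam_auth_send_req_internal:430] Groups sent to FNBAM:
[3593:root:1c23b]group_desc[0].grpname = SSLVPN_Acesso_IT
[3593:root:1c23b]group_desc[1].grpname = SSLVPN_AcessoExterno_OneSource
[3593:root:1c23b]group_desc[2].grpname = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23b]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 1 (invalue username/password)
[3593:root:1c23b]login_failed:405 user[teste2222],auth_type=2 failed [sslvpn_login_permission_denied]
"""

# Assumption: the third prefix field is stable for one trace (pids differ within it).
PREFIX = re.compile(r"\[(\d+):([^:\]]+):([0-9a-f]+)\](.*)$")
RULES = {
    "user": re.compile(r"authenticate user: \[([^\]]+)\]"),
    "sent": re.compile(r"group_desc\[\d+\]\.grpname = (\S+)"),
    "result": re.compile(r"fnbam_auth_update_result return: \d+ \(([^)]*)\)"),
    "returned": re.compile(r"Validated: auth_rsp_data\.grp_list\[\d+\] = (\S+)"),
    "rule": re.compile(r"SSL VPN login matched rule \((\d+)\)"),
    "failed": re.compile(r"login_failed:\d+ user\[[^\]]*\],auth_type=\d+ failed \[([^\]]+)\]"),
}

def summarize(text):
    """Return {trace_id: summary} for every trace found in the debug text."""
    traces = {}
    for line in text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        t = traces.setdefault(m.group(3), {"user": None, "sent": [], "returned": [],
                                           "result": None, "rule": None, "failed": None})
        for key, rx in RULES.items():
            hit = rx.search(m.group(4))
            if not hit:
                continue
            if key in ("sent", "returned"):
                if hit.group(1) not in t[key]:   # groups are logged once per auth round
                    t[key].append(hit.group(1))
            else:
                t[key] = hit.group(1)            # later lines overwrite: last result wins
    for t in traces.values():
        if t["returned"] and t["rule"]:
            t["verdict"] = "allowed"
        elif t["sent"] and not t["returned"]:
            # The trace alone cannot tell a bad password from a missing group
            # attribute; in this thread the fix was the group name RADIUS attribute.
            t["verdict"] = "denied-no-group"
        else:
            t["verdict"] = "incomplete"
    return traces

if __name__ == "__main__":
    for trace_id, t in summarize(SAMPLE).items():
        print(trace_id, t["user"], t["result"], t["returned"], t["verdict"])
```
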