jloureiro
Visitor

ForticlientVPN - Permission denied (-455)

Hi all,

I have a setup with FortiAuthenticator (v6.6.0) and FortiGate 401F (v7.2.9), where FAC is fed by an openLDAP, and I use remote user sync rules to add users to groups created on FAC.

The thing is, I have several groups created on FAC; however, the users can only connect to VPN if they are in a specific group (regardless of which group they belong to on openLDAP).

I don't have any filters on the FAC policy.

This happens with, and without token.

I know that the problem is not related to the password.

Logs of the user connecting successfully:

ESEnfC-1 # [3592:root:1c23e]allocSSLConn:310 sconn 0x7f201b4e7000 (0:root)
[3592:root:1c23e]SSL state:before SSL initialization (*.*.*.*)
[3592:root:1c23e]SSL state:fatal decode error (*.*.*.*)
[3592:root:1c23e]SSL state:error:(null)(*.*.*.*)
[3592:root:1c23e]SSL_accept failed, 1:unexpected eof while reading
[3592:root:1c23e]Destroy sconn 0x7f201b4e7000, connSize=1. (root)
[3593:root:1c23e]allocSSLConn:310 sconn 0x7f201b4e7800 (0:root)
[3593:root:1c23e]SSL state:before SSL initialization (*.*.*.*)
[3593:root:1c23e]SSL state:before SSL initialization (*.*.*.*)
[3593:root:1c23e]no SNI received
[3593:root:1c23e]client cert requirement: no
[3593:root:1c23e]SSL state:SSLv3/TLS read client hello (*.*.*.*)
[3593:root:1c23e]SSL state:SSLv3/TLS write server hello (*.*.*.*)
[3593:root:1c23e]SSL state:SSLv3/TLS write change cipher spec (*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 early data:(null)(*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23e]no SNI received
[3593:root:1c23e]client cert requirement: no
[3593:root:1c23e]SSL state:SSLv3/TLS read client hello (*.*.*.*)
[3593:root:1c23e]SSL state:SSLv3/TLS write server hello (*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 write encrypted extensions (*.*.*.*)
[3593:root:1c23e]SSL state:SSLv3/TLS write finished (*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 early data:(null)(*.*.*.*)
[3593:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23e]SSL state:SSLv3/TLS read finished (*.*.*.*)
[3593:root:1c23e]SSL state:SSLv3/TLS write session ticket (*.*.*.*)
[3593:root:1c23e]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[3593:root:1c23e]req: /remote/info
[3593:root:1c23e]capability flags: 0x1cdf
[3593:root:1c23e]req: /remote/login
[3593:root:1c23e]rmt_web_auth_info_parser_common:525 no session id in auth info
[3593:root:1c23e]rmt_web_get_access_cache:874 invalid cache, ret=4103
[3593:root:1c23e]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23e]get_cust_page:123 saml_info 0
[3593:root:1c23e]req: /remote/logincheck
[3593:root:1c23e]Transfer-Encoding n/a
[3593:root:1c23e]Content-Length 237
[3593:root:1c23e]readPostEnter:19 Post Data length 237.
[3593:root:1c23e]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23e]rmt_web_auth_info_parser_common:525 no session id in auth info
[3593:root:1c23e]rmt_web_access_check:793 access failed, uri=[/remote/logincheck],ret=4103,
[3593:root:1c23e]sslvpn_auth_check_usrgroup:3050 forming user/group list from policy.
[3593:root:1c23e]sslvpn_auth_check_usrgroup:3097 got user (2) group (3:0).
[3593:root:1c23e]sslvpn_validate_user_group_list:1940 validating with SSL VPN authentication rules (6), realm ().
[3593:root:1c23e]sslvpn_validate_user_group_list:2034 checking rule 1 cipher.
[3593:root:1c23e]sslvpn_validate_user_group_list:2042 checking rule 1 realm.
[3593:root:1c23e]sslvpn_validate_user_group_list:2053 checking rule 1 source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2092 checking rule 1 vd source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2591 rule 1 done, got user (1:0) group (0:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2034 checking rule 2 cipher.
[3593:root:1c23e]sslvpn_validate_user_group_list:2042 checking rule 2 realm.
[3593:root:1c23e]sslvpn_validate_user_group_list:2053 checking rule 2 source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2591 rule 2 done, got user (2:0) group (0:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2034 checking rule 3 cipher.
[3593:root:1c23e]sslvpn_validate_user_group_list:2042 checking rule 3 realm.
[3593:root:1c23e]sslvpn_validate_user_group_list:2053 checking rule 3 source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2591 rule 3 done, got user (2:0) group (0:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2034 checking rule 4 cipher.
[3593:root:1c23e]sslvpn_validate_user_group_list:2042 checking rule 4 realm.
[3593:root:1c23e]sslvpn_validate_user_group_list:2053 checking rule 4 source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2591 rule 4 done, got user (2:0) group (1:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2034 checking rule 5 cipher.
[3593:root:1c23e]sslvpn_validate_user_group_list:2042 checking rule 5 realm.
[3593:root:1c23e]sslvpn_validate_user_group_list:2053 checking rule 5 source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2591 rule 5 done, got user (2:0) group (2:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2034 checking rule 6 cipher.
[3593:root:1c23e]sslvpn_validate_user_group_list:2042 checking rule 6 realm.
[3593:root:1c23e]sslvpn_validate_user_group_list:2053 checking rule 6 source intf.
[3593:root:1c23e]sslvpn_validate_user_group_list:2591 rule 6 done, got user (2:0) group (3:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2599 got user (2:0) group (3:0) peer group (0).
[3593:root:1c23e]sslvpn_validate_user_group_list:2946 got user (2:0), group (3:0) peer group (0).
[3593:root:1c23e]sslvpn_update_user_group_list:1834 got user (2:0), group (3:0), peer group (0) after update.
[3593:root:1c23e]two factor check for jloureiro: off
[3593:root:1c23e]sslvpn_authenticate_user:193 authenticate user: [jloureiro]
[3593:root:1c23e]sslvpn_authenticate_user:211 create fam state
[3593:root:1c23e][fam_auth_send_req_internal:430] Groups sent to FNBAM:
[3593:root:1c23e]group_desc[0].grpname = SSLVPN_Acesso_IT
[3593:root:1c23e]group_desc[1].grpname = SSLVPN_AcessoExterno_OneSource
[3593:root:1c23e]group_desc[2].grpname = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23e][fam_auth_send_req_internal:442] FNBAM opt = 0X200421
[3593:root:1c23e]fam_auth_send_req_internal:518 fnbam_auth return: 4
[3593:root:1c23e]fam_auth_send_req:1019 task finished with 4
[3593:root:1c23e]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 2 (challenged)
[3593:root:1c23e]req: /remote/logincheck
[3593:root:1c23e]Transfer-Encoding n/a
[3593:root:1c23e]Content-Length 113
[3593:root:1c23e]readPostEnter:19 Post Data length 113.
[3593:root:1c23e]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23e]rmt_web_auth_info_parser_common:525 no session id in auth info
[3593:root:1c23e]rmt_web_access_check:793 access failed, uri=[/remote/logincheck],ret=4103,
[3593:root:1c23e]got checking id 1-15d09a0b
[3593:root:1c23e]two factor check for jloureiro: off
[3593:root:1c23e]sslvpn_authenticate_user:193 authenticate user: [jloureiro]
[3593:root:1c23e]sslvpn_authenticate_user:211 create fam state
[3593:root:1c23e]user 'jloureiro' uses 2FA: ctx->peer_two_factor = 0, ctx->peer_name.peername = 0, ctx->is_two_factor = 1
[3593:root:1c23e][fam_auth_send_req_internal:430] Groups sent to FNBAM:
[3593:root:1c23e]group_desc[0].grpname = SSLVPN_Acesso_IT
[3593:root:1c23e]group_desc[1].grpname = SSLVPN_AcessoExterno_OneSource
[3593:root:1c23e]group_desc[2].grpname = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23e][fam_auth_send_req_internal:442] FNBAM opt = 0X200421
[3593:root:1c23e]fam_auth_send_req_internal:491 fnbam_auth_token return: 4
[3593:root:1c23e]fam_auth_send_req:1019 task finished with 4
[3593:root:1c23e]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 0 (success)
[3593:root:1c23e][fam_auth_proc_resp:1472] Authenticated groups (1) by FNBAM with auth_type (2):
[3593:root:1c23e]Received: auth_rsp_data.grp_list[0] = 4
[3593:root:1c23e]fam_auth_proc_resp:1497 found node SSLVPN_AcessoExterno_Noshut:0:, valid:1, auth:0
[3593:root:1c23e]Validated: auth_rsp_data.grp_list[0] = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23e]use radius server interval setting
[3593:root:1c23e]Auth successful for user jloureiro in group SSLVPN_AcessoExterno_Noshut
[3593:root:1c23e]fam_do_cb:683 fnbamd return auth success.
[3593:root:1c23e]SSL VPN login matched rule (4).
[3593:root:1c23e]got public IP address: *.*.*.*
[3593:root:1c23e]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23e]rmt_web_session_create:1016 create web session, idx[1]
[3593:root:1c23e]login_succeeded:554 redirect to hostcheck
[3593:root:1c23e]Transfer-Encoding n/a
[3593:root:1c23e]Content-Length 113
[3593:root:1c23e]rmt_hcinstall_cb_handler:210 enter
[3593:root:1c23e]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23e]rmt_hcinstall_cb_handler:288 hostchk needed : 0.
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]Transfer-Encoding n/a
[3593:root:1c23e]Content-Length 113
[3593:root:1c23e]req: /remote/fortisslvpn
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23e]req: /remote/fortisslvpn_xml
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3593:root:1c23e]sslvpn_reserve_dynip:1544 tunnel vd[root] ip[10.212.134.201] app session idx[1]
[3589:root:1c23e]allocSSLConn:310 sconn 0x7f201b4e7000 (0:root)
[3589:root:1c23e]SSL state:before SSL initialization (*.*.*.*)
[3589:root:1c23e]SSL state:before SSL initialization (*.*.*.*)
[3589:root:1c23e]no SNI received
[3589:root:1c23e]client cert requirement: no
[3589:root:1c23e]SSL state:SSLv3/TLS read client hello (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write server hello (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write change cipher spec (*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 early data:(null)(*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3589:root:1c23e]no SNI received
[3589:root:1c23e]client cert requirement: no
[3589:root:1c23e]SSL state:SSLv3/TLS read client hello (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write server hello (*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 write encrypted extensions (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write certificate (*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 write server certificate verify (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write finished (*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 early data:(null)(*.*.*.*)
[3589:root:1c23e]SSL state:TLSv1.3 early data (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS read finished (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write session ticket (*.*.*.*)
[3589:root:1c23e]SSL state:SSLv3/TLS write session ticket (*.*.*.*)
[3589:root:1c23e]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[3589:root:1c23e]req: /remote/sslvpn-tunnel2?dns0=192.168.1.1&
[3589:root:1c23e]sslvpn_tunnel2_handler,60, Calling rmt_conn_access_ex.
[3589:root:1c23e]deconstruct_session_id:492 decode session id ok, user=[jloureiro], group=[SSLVPN_AcessoExterno_Noshut],authserver=[SSL-VPN-FAC],portal=[tunnel_noshut],host[*.*.*.*],realm=[],csrf_token=[A2CBB09F8DF483FCE6FC72E5F35642B],idx=1,auth=2,sid=5731471,login=1730724788,access=1730724788,saml_logout_url=no,pip=*.*.*.*,grp_info=[cUlq1T],rmt_grp_info=[jlHqbR]
[3589:root:1c23e]normal tunnel2 request received.
[3589:root:1c23e]sslvpn_tunnel2_handler,171, fct_uuid = 8333A15302634E6BB0308B658C976DFE
[3589:root:1c23e]sslvpn_tunnel2_handler,179, Calling tunnel2 with hostname diogo_noshut.
[3589:root:1c23e]tunnel2_enter:1559 0x7f201b4e7000:0x7f201a770000 sslvpn user[jloureiro],type 2,logintime 0 vd 0 vrf 0
[3589:root:1c23e]tun dev (ssl.root) opened (33)
[3589:root:1c23e]fsv_associate_fd_to_ipaddr:2360 associate 10.212.134.201 to tun (ssl.root:33)
[3589:root:1c23e]fsv_tunnel2_common_link_up:471 Framed IP is set to 10.212.134.201
[3589:root:1c23e]proxy arp: scanning 53 interfaces for IP 10.212.134.201
[3589:root:1c23e]no ethernet address for proxy ARP
[3589:root:1c23e]sslvpn_user_match:1171 add user jloureiro in group SSLVPN_AcessoExterno_Noshut
[3589:root:1c23e]Will add auth policy for policy 100
[3589:root:1c23e]Add auth logon for user jloureiro:SSLVPN_AcessoExterno_Noshut, matched group number 1
[3593:root:1c23e]SSL state:fatal decode error (*.*.*.*)
[3593:root:1c23e]sslvpn_read_request_common,863, ret=-1 error=-1, sconn=0x7f201b4e7800.
[3593:root:1c23e]Destroy sconn 0x7f201b4e7800, connSize=0. (root)

Logs of the user trying to connect and getting "Permission denied (-455)":

[3592:root:1c23b]SSL state:before SSL initialization (*.*.*.*)
[3592:root:1c23b]SSL state:fatal decode error (*.*.*.*)
[3592:root:1c23b]SSL state:error:(null)(*.*.*.*)
[3592:root:1c23b]SSL_accept failed, 1:unexpected eof while reading
[3592:root:1c23b]Destroy sconn 0x7f201b4e7000, connSize=1. (root)
[3593:root:1c23b]allocSSLConn:310 sconn 0x7f201b4e7800 (0:root)
[3593:root:1c23b]SSL state:before SSL initialization (*.*.*.*)
[3593:root:1c23b]SSL state:before SSL initialization (*.*.*.*)
[3593:root:1c23b]no SNI received
[3593:root:1c23b]client cert requirement: no
[3593:root:1c23b]SSL state:SSLv3/TLS read client hello (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write server hello (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write change cipher spec (*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 early data:(null)(*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23b]no SNI received
[3593:root:1c23b]client cert requirement: no
[3593:root:1c23b]SSL state:SSLv3/TLS read client hello (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write server hello (*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 write encrypted extensions (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write certificate (*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 write server certificate verify (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write finished (*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 early data:(null)(*.*.*.*)
[3593:root:1c23b]SSL state:TLSv1.3 early data (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS read finished (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write session ticket (*.*.*.*)
[3593:root:1c23b]SSL state:SSLv3/TLS write session ticket (*.*.*.*)
[3593:root:1c23b]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[3593:root:1c23b]req: /remote/info
[3593:root:1c23b]capability flags: 0x1cdf
[3593:root:1c23b]req: /remote/login
[3593:root:1c23b]rmt_web_auth_info_parser_common:525 no session id in auth info
[3593:root:1c23b]rmt_web_get_access_cache:874 invalid cache, ret=4103
[3593:root:1c23b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23b]get_cust_page:123 saml_info 0
[3593:root:1c23b]req: /remote/logincheck
[3593:root:1c23b]Transfer-Encoding n/a
[3593:root:1c23b]Content-Length 205
[3593:root:1c23b]readPostEnter:19 Post Data length 205.
[3593:root:1c23b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3593:root:1c23b]rmt_web_auth_info_parser_common:525 no session id in auth info
[3593:root:1c23b]rmt_web_access_check:793 access failed, uri=[/remote/logincheck],ret=4103,
[3593:root:1c23b]sslvpn_auth_check_usrgroup:3050 forming user/group list from policy.
[3593:root:1c23b]sslvpn_auth_check_usrgroup:3097 got user (2) group (3:0).
[3593:root:1c23b]sslvpn_validate_user_group_list:1940 validating with SSL VPN authentication rules (6), realm ().
[3593:root:1c23b]sslvpn_validate_user_group_list:2034 checking rule 1 cipher.
[3593:root:1c23b]sslvpn_validate_user_group_list:2042 checking rule 1 realm.
[3593:root:1c23b]sslvpn_validate_user_group_list:2053 checking rule 1 source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2092 checking rule 1 vd source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2591 rule 1 done, got user (1:0) group (0:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2034 checking rule 2 cipher.
[3593:root:1c23b]sslvpn_validate_user_group_list:2042 checking rule 2 realm.
[3593:root:1c23b]sslvpn_validate_user_group_list:2053 checking rule 2 source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2591 rule 2 done, got user (2:0) group (0:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2034 checking rule 3 cipher.
[3593:root:1c23b]sslvpn_validate_user_group_list:2042 checking rule 3 realm.
[3593:root:1c23b]sslvpn_validate_user_group_list:2053 checking rule 3 source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2591 rule 3 done, got user (2:0) group (0:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2034 checking rule 4 cipher.
[3593:root:1c23b]sslvpn_validate_user_group_list:2042 checking rule 4 realm.
[3593:root:1c23b]sslvpn_validate_user_group_list:2053 checking rule 4 source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2591 rule 4 done, got user (2:0) group (1:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2034 checking rule 5 cipher.
[3593:root:1c23b]sslvpn_validate_user_group_list:2042 checking rule 5 realm.
[3593:root:1c23b]sslvpn_validate_user_group_list:2053 checking rule 5 source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2591 rule 5 done, got user (2:0) group (2:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2034 checking rule 6 cipher.
[3593:root:1c23b]sslvpn_validate_user_group_list:2042 checking rule 6 realm.
[3593:root:1c23b]sslvpn_validate_user_group_list:2053 checking rule 6 source intf.
[3593:root:1c23b]sslvpn_validate_user_group_list:2591 rule 6 done, got user (2:0) group (3:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2599 got user (2:0) group (3:0) peer group (0).
[3593:root:1c23b]sslvpn_validate_user_group_list:2946 got user (2:0), group (3:0) peer group (0).
[3593:root:1c23b]sslvpn_update_user_group_list:1834 got user (2:0), group (3:0), peer group (0) after update.
[3593:root:1c23b]two factor check for teste2222: off
[3593:root:1c23b]sslvpn_authenticate_user:193 authenticate user: [teste2222]
[3593:root:1c23b]sslvpn_authenticate_user:211 create fam state
[3593:root:1c23b][fam_auth_send_req_internal:430] Groups sent to FNBAM:
[3593:root:1c23b]group_desc[0].grpname = SSLVPN_Acesso_IT
[3593:root:1c23b]group_desc[1].grpname = SSLVPN_AcessoExterno_OneSource
[3593:root:1c23b]group_desc[2].grpname = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23b][fam_auth_send_req_internal:442] FNBAM opt = 0X200421
[3593:root:1c23b]fam_auth_send_req_internal:518 fnbam_auth return: 4
[3593:root:1c23b]fam_auth_send_req:1019 task finished with 4
[3593:root:1c23b]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 1 (invalue username/password)
[3593:root:1c23b]login_failed:405 user[teste2222],auth_type=2 failed [sslvpn_login_permission_denied]
[3593:root:1c23b]Transfer-Encoding n/a
[3593:root:1c23b]Content-Length 205

Thanks.

1 Solution
jloureiro
Visitor

So, the problem was that I had not "created" the group name as a RADIUS attribute on FAC.
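
An added example, not part of the original post and not Fortinet tooling: a small Python summarizer for the sslvpn debug lines shown in the question, which puts the groups sent to FNBAM beside the groups that came back for each login attempt. It assumes the third field of the bracketed prefix (`1c23e`, `1c23b`) identifies one attempt, as it does in the two traces; `Attempt`, `parse` and the `verdict` labels are hypothetical names.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: lines abridged from the two traces in the post.
SAMPLE = """\
[3593:root:1c23e]sslvpn_authenticate_user:193 authenticate user: [jloureiro]
[3593:root:1c23e]group_desc[0].grpname = SSLVPN_Acesso_IT
[3593:root:1c23e]group_desc[1].grpname = SSLVPN_AcessoExterno_OneSource
[3593:root:1c23e]group_desc[2].grpname = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23e]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 2 (challenged)
[3593:root:1c23e]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 0 (success)
[3593:root:1c23e]Validated: auth_rsp_data.grp_list[0] = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23e]SSL VPN login matched rule (4).
[3593:root:1c23b]sslvpn_authenticate_user:193 authenticate user: [teste2222]
[3593:root:1c23b]group_desc[0].grpname = SSLVPN_Acesso_IT
[3593:root:1c23b]group_desc[1].grpname = SSLVPN_AcessoExterno_OneSource
[3593:root:1c23b]group_desc[2].grpname = SSLVPN_AcessoExterno_Noshut
[3593:root:1c23b]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 1 (invalue username/password)
[3593:root:1c23b]login_failed:405 user[teste2222],auth_type=2 failed [sslvpn_login_permission_denied]
"""

PREFIX = re.compile(r"^\s*\[(\d+):([^:\]]+):([0-9a-f]+)\](.*)$")
USER = re.compile(r"authenticate user: \[([^\]]+)\]")
SENT = re.compile(r"group_desc\[\d+\]\.grpname = (\S+)")
RESULT = re.compile(r"fnbam_auth_update_result return: (\d+) \(([^)]*)\)")
VALIDATED = re.compile(r"Validated: auth_rsp_data\.grp_list\[\d+\] = (\S+)")
RULE = re.compile(r"SSL VPN login matched rule \((\d+)\)")
FAILED = re.compile(r"login_failed:\d+ user\[[^\]]+\].*failed \[([^\]]+)\]")

@dataclass
class Attempt:
    tag: str
    user: str = ""
    groups_sent: list = field(default_factory=list)      # offered by FortiGate
    results: list = field(default_factory=list)          # (code, label) pairs
    groups_returned: list = field(default_factory=list)  # validated from reply
    matched_rule: Optional[int] = None
    failure: str = ""

    def verdict(self) -> str:
        if self.matched_rule is not None and self.groups_returned:
            return "ok"
        # Denied with no group in the reply: in this thread the fix was to
        # return the group name as a RADIUS attribute from FAC.
        if self.failure == "sslvpn_login_permission_denied" and not self.groups_returned:
            return "denied-no-group"
        return "incomplete"

def parse(text: str) -> dict:
    attempts = {}
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # blank lines, CLI prompt, unrelated output
        a = attempts.setdefault(m.group(3), Attempt(m.group(3)))
        msg = m.group(4)
        if (u := USER.search(msg)):
            a.user = u.group(1)
        elif (g := SENT.search(msg)):
            if g.group(1) not in a.groups_sent:  # list is re-sent after a challenge
                a.groups_sent.append(g.group(1))
        elif (r := RESULT.search(msg)):
            a.results.append((int(r.group(1)), r.group(2)))
        elif (v := VALIDATED.search(msg)):
            a.groups_returned.append(v.group(1))
        elif (k := RULE.search(msg)):
            a.matched_rule = int(k.group(1))
        elif (f := FAILED.search(msg)):
            a.failure = f.group(1)
    return attempts
```

An attempt that ends as `denied-no-group` while `groups_sent` is non-empty is the pattern in the failing trace: the FortiGate offered its SSL VPN groups, but none was validated from the authentication server's reply.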