Marek
New Contributor

Fortigate SSL VPN 2FA using an email - Error

Hi, I'm Mark. I'm new here (new with posts), but I've been working with FortiGate for a long time, since 2012.

I've been having issues on the FG and trying to resolve them by myself, but now I have one that is a pain.

 

I have an FG600E platform on 6.2.3.

 

I'm using 2FA on SSL VPN and I have an issue.

I've created a group (RADIUS) and a user (belonging to the group).

When the user has 2FA turned off, he can log in on the web portal.

When the user has 2FA turned on, he receives "Permission denied".

 

2FA uses email to send the token.

 

This is the result of a test authentication with 2FA ON

on CLI:

diag test authserver radius um03-mschap_v2 mschap2 marektest passwordtest

[2307] handle_req-Rcvd auth req 1978307305 for marektest in um03-mschap_v2 opt=0000001d prot=4
[409] __compose_group_list_from_req-Group 'um03-mschap_v2'
[615] fnbamd_pop3_start-marektest
[550] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'um03-mschap_v2'
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-172.16.40.13->172.16.40.13
[1284] __fnbamd_rad_send-Sent radius req to server 'um03-mschap_v2': fd=15, IP=172.16.40.13(172.16.40.13:1812) code=1 id=169 len=175 user="marektest" using MS-CHAPv2
[282] radius_server_auth-Timer of rad 'um03-mschap_v2' is added
[568] create_auth_session-Total 1 server(s) to try
[2433] fnbamd_auth_handle_radius_result-Timer of rad 'um03-mschap_v2' is deleted
[1736] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[309] extract_success_vsas-FORTINET attr, type 1, val UM
[2459] fnbamd_auth_handle_radius_result-->Result for radius svr 'um03-mschap_v2' 172.16.40.13(1) is 0
[2389] fnbamd_radius_group_match-Skipping group matching
[1002] find_matched_usr_grps-Skipped group matching
[2887] fnbamd_fas_send_push-username:marektest, vdom:UM_DMZ, usertype:0, tfc=0, auth_type:2

 

 

IT WORKS

 

 

 

and on the web:

2020-12-21 09:48:01 [310:UM_DMZ:1eb1]rmt_web_auth_info_parser_common:470 no session id in auth info
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103,
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]rmt_logincheck_cb_handler:1189 user 'marektest' has a matched local entry.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_auth_check_usrgroup:2145 got user (15) group (18:0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (10), realm ().
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 3 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 3 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 3 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1748 checking rule 3 vd source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 3 done, got user (6:0) group (2:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 4 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 4 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 4 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 4 done, got user (6:0) group (3:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 6 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 6 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 6 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 6 done, got user (11:0) group (11:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 10 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 10 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 10 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 10 done, got user (11:0) group (12:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 7 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 7 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 7 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 7 done, got user (11:0) group (13:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 8 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 8 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 8 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 8 done, got user (14:0) group (14:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 9 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 9 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 9 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 9 done, got user (14:0) group (16:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 11 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 11 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 11 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 11 done, got user (14:0) group (17:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 12 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 12 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 12 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 12 done, got user (14:0) group (18:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 13 cipher.

2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_authenticate_user:191 authenticate user: [marektest]
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_authenticate_user:198 create fam state
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]fam_auth_send_req:583 with server blacklist:
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]2020-12-21 09:48:01 [2307] handle_req-Rcvd auth req 1978300653 for marektest in UM-RDP opt=00000500 prot=11
2020-12-21 09:48:01 [409] __compose_group_list_from_req-Group 'UM-RDP'
2020-12-21 09:48:01 [615] fnbamd_pop3_start-marektest
2020-12-21 09:48:01 [618] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'um03-mschap_v2' for usergroup 'UM-RDP' (26)
2020-12-21 09:48:01 [305] fnbamd_create_radius_socket-Opened radius socket 15
2020-12-21 09:48:01 [305] fnbamd_create_radius_socket-Opened radius socket 16
2020-12-21 09:48:01 [1342] fnbamd_radius_auth_send-Compose RADIUS request
2020-12-21 09:48:01 [1309] fnbamd_rad_dns_cb-172.16.40.13->172.16.40.13
2020-12-21 09:48:01 [1284] __fnbamd_rad_send-Sent radius req to server 'um03-mschap_v2': fd=15, IP=172.16.40.13(172.16.40.13:1812) code=1 id=134 len=192 user="marektest" using MS-CHAPv2
2020-12-21 09:48:01 [282] radius_server_auth-Timer of rad 'um03-mschap_v2' is added
2020-12-21 09:48:01 [719] auth_tac_plus_start-Didn't find tac_plus servers (0)
2020-12-21 09:48:01 [440] ldap_start-Didn't find ldap servers (0)
2020-12-21 09:48:01 [568] create_auth_session-Total 1 server(s) to try
2020-12-21 09:48:01 [2433] fnbamd_auth_handle_radius_result-Timer of rad 'um03-mschap_v2' is deleted
2020-12-21 09:48:01 [1736] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
2020-12-21 09:48:01 [309] extract_success_vsas-FORTINET attr, type 1, val UM   <- group to which the user belongs
2020-12-21 09:48:01 [2459] fnbamd_auth_handle_radius_result-->Result for radius svr 'um03-mschap_v2' 172.16.40.13(1) is 0   <- the result should be received with access granted, but then
2020-12-21 09:48:01 [2389] fnbamd_radius_group_match-Skipping group matching
2020-12-21 09:48:01 [1002] find_matched_usr_grps-Skipped group matching
2020-12-21 09:48:01 [2887] fnbamd_fas_send_push-username:marektest, vdom:UM_DMZ, usertype:0, tfc=0, auth_type:2

PERMISSION DENIED. I used these tips:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD46949

https://kb.fortinet.com/kb/documentLink.do?externalID=FD48718

https://www.reddit.com/r/fortinet/comments/ecvd3k/twofactor_ssl_vpn_invalid_http_request/

and still nothing.

 

Can you please help?

 

Regards,

Mark 

 

1 REPLY
Marek
New Contributor

I have found that when the token for the user is working, this message appears: [618] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'um03-mschap_v2' for usergroup 'UM-RDP' (26). When the token isn't working (on another group), this message appears instead: [342] radius_start-Didn't find radius servers (0).
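As an added example (not code from the original poster or from Fortinet): a small Python script that reads fnbamd debug output of the kind pasted in this thread, as captured with `diagnose debug application fnbamd -1` next to `diagnose debug application sslvpn -1`, and pulls out the lines the thread turns on: whether fnbamd resolved the user group to a RADIUS server, the RADIUS response code and result, the Fortinet-Group-Name VSA, whether group matching was skipped, and whether the token step (fnbamd_fas_send_push) was reached. The working excerpt is taken from the post above; the failing excerpt is constructed around the line quoted in the reply, and the group name 'UM-OTHER' and its request id are made up. The regexes are written against these exact line formats and are an assumption about how other FortiOS builds print them.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the fnbamd debug output quoted in the post for the group whose
# token is delivered (timestamps and the sslvpn-side lines dropped).
WORKING_TRACE = """
[2307] handle_req-Rcvd auth req 1978300653 for marektest in UM-RDP opt=00000500 prot=11
[409] __compose_group_list_from_req-Group 'UM-RDP'
[618] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'um03-mschap_v2' for usergroup 'UM-RDP' (26)
[1284] __fnbamd_rad_send-Sent radius req to server 'um03-mschap_v2': fd=15, IP=172.16.40.13(172.16.40.13:1812) code=1 id=134 len=192 user="marektest" using MS-CHAPv2
[1736] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[309] extract_success_vsas-FORTINET attr, type 1, val UM
[2459] fnbamd_auth_handle_radius_result-->Result for radius svr 'um03-mschap_v2' 172.16.40.13(1) is 0
[2389] fnbamd_radius_group_match-Skipping group matching
[2887] fnbamd_fas_send_push-username:marektest, vdom:UM_DMZ, usertype:0, tfc=0, auth_type:2
"""

# Constructed failing case: the reply says a group whose token does not work logs
# "radius_start-Didn't find radius servers (0)" where the working group logs
# "Loading RADIUS server ... for usergroup". 'UM-OTHER' and the request id are made up.
FAILING_TRACE = """
[2307] handle_req-Rcvd auth req 1978300700 for marektest in UM-OTHER opt=00000500 prot=11
[409] __compose_group_list_from_req-Group 'UM-OTHER'
[342] radius_start-Didn't find radius servers (0)
[719] auth_tac_plus_start-Didn't find tac_plus servers (0)
[440] ldap_start-Didn't find ldap servers (0)
"""

RE_REQ = re.compile(r"handle_req-Rcvd auth req \d+ for (\S+) in (\S+) opt=")
RE_SRV_BY_GROUP = re.compile(r"Loading RADIUS server '([^']+)' for usergroup '([^']+)'")
RE_SRV_BY_SERVER = re.compile(r"get_radius_list_by_server-Loading RADIUS server '([^']+)'")
RE_NO_RADIUS = re.compile(r"radius_start-Didn't find radius servers")
RE_RESP = re.compile(r"RADIUS resp code (\d+)")
RE_VSA = re.compile(r"extract_success_vsas-FORTINET attr, type 1, val (\S+)")
RE_RESULT = re.compile(r"Result for radius svr '([^']+)' \S+ is (\d+)")
RE_SKIP = re.compile(r"fnbamd_radius_group_match-Skipping group matching")
RE_PUSH = re.compile(r"fnbamd_fas_send_push-username:(\S+), vdom:(\S+), usertype:(\d+), tfc=(\d+), auth_type:(\d+)")


@dataclass
class AuthTrace:
    user: Optional[str] = None
    group: Optional[str] = None             # group named in the request ('in <group>')
    radius_server: Optional[str] = None
    radius_loaded_for_group: bool = False   # group -> RADIUS server resolution succeeded
    no_radius_server: bool = False          # "Didn't find radius servers (0)" seen
    radius_resp_code: Optional[int] = None  # RFC 2865: 2 = Access-Accept, 3 = Access-Reject
    result: Optional[int] = None            # fnbamd result for the server, 0 = success
    vsa_groups: List[str] = field(default_factory=list)  # Fortinet-Group-Name (VSA type 1)
    group_match_skipped: bool = False
    tfc: Optional[int] = None               # set only if fnbamd_fas_send_push was reached


def parse_fnbamd(text: str) -> AuthTrace:
    """Walk the debug lines once and fill the trace; lines we do not know are ignored."""
    t = AuthTrace()
    for line in text.splitlines():
        if m := RE_REQ.search(line):
            t.user, t.group = m.group(1), m.group(2)
        elif m := RE_SRV_BY_GROUP.search(line):
            t.radius_server, t.radius_loaded_for_group = m.group(1), True
        elif m := RE_SRV_BY_SERVER.search(line):    # 'diag test authserver' path
            t.radius_server = m.group(1)
        elif RE_NO_RADIUS.search(line):
            t.no_radius_server = True
        elif m := RE_RESP.search(line):
            t.radius_resp_code = int(m.group(1))
        elif m := RE_VSA.search(line):
            t.vsa_groups.append(m.group(1))
        elif m := RE_RESULT.search(line):
            t.result = int(m.group(2))
        elif RE_SKIP.search(line):
            t.group_match_skipped = True
        elif m := RE_PUSH.search(line):
            t.tfc = int(m.group(4))
    return t


def diagnose(t: AuthTrace) -> List[str]:
    """Turn the trace into the checks a troubleshooter would tick off in order."""
    notes = []
    if t.no_radius_server and not t.radius_loaded_for_group:
        notes.append(f"no RADIUS server resolved for group '{t.group}': no Access-Request "
                     "was sent, so the token step never runs; check the group's remote "
                     "server members and which group the SSL VPN rule/policy references")
        return notes
    if t.radius_loaded_for_group:
        notes.append(f"group '{t.group}' resolved to RADIUS server '{t.radius_server}'")
    if t.radius_resp_code == 2 and t.result == 0:
        notes.append("Access-Accept (code 2) and result 0: first factor accepted")
    elif t.radius_resp_code is not None:
        notes.append(f"RADIUS response code {t.radius_resp_code}, result {t.result}")
    if t.vsa_groups and t.group_match_skipped:
        notes.append(f"Fortinet-Group-Name VSA returned {t.vsa_groups} but group matching was skipped")
    if t.tfc is not None:
        notes.append(f"token step reached (fnbamd_fas_send_push, tfc={t.tfc})")
    return notes


if __name__ == "__main__":
    for label, trace in (("working", WORKING_TRACE), ("failing", FAILING_TRACE)):
        print(label, *("  - " + n for n in diagnose(parse_fnbamd(trace))), sep="\n")
```

Run it as-is to see both excerpts classified; to use it on a live capture, paste the fnbamd debug output into `parse_fnbamd` instead of the embedded strings. The first check mirrors the reply's finding: a request that logs "Didn't find radius servers (0)" never reaches the RADIUS exchange, so whatever the token setting is, it cannot succeed until the group referenced by the SSL VPN rule is backed by the RADIUS server.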

 
