Hi, I'm Mark. I'm new here (new with posts), but I've been working with FortiGate for a long time, since 2012.
I'm having issues on FG and I'm trying to resolve them by myself. But now I have one that is a pain.
I have an FG600E platform on 6.2.3.
I'm using 2FA on SSL VPN and I have an issue.
I've created a group (RADIUS) and a user (belonging to the group).
When the user has 2FA turned off, he can log in on the web portal.
When the user has 2FA turned on, he receives "Permission denied".
2FA is using email to send the token.
This is the result of a test authentication with 2FA ON,
on the CLI:
diag test authserver radius um03-mschap_v2 mschap2 marektest passwordtest
[2307] handle_req-Rcvd auth req 1978307305 for marektest in um03-mschap_v2 opt=0000001d prot=4
[409] __compose_group_list_from_req-Group 'um03-mschap_v2'
[615] fnbamd_pop3_start-marektest
[550] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'um03-mschap_v2'
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-172.16.40.13->172.16.40.13
[1284] __fnbamd_rad_send-Sent radius req to server 'um03-mschap_v2': fd=15, IP=172.16.40.13(172.16.40.13:1812) code=1 id=169 len=175 user="marektest" using MS-CHAPv2
[282] radius_server_auth-Timer of rad 'um03-mschap_v2' is added
[568] create_auth_session-Total 1 server(s) to try
[2433] fnbamd_auth_handle_radius_result-Timer of rad 'um03-mschap_v2' is deleted
[1736] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[309] extract_success_vsas-FORTINET attr, type 1, val UM
[2459] fnbamd_auth_handle_radius_result-->Result for radius svr 'um03-mschap_v2' 172.16.40.13(1) is 0
[2389] fnbamd_radius_group_match-Skipping group matching
[1002] find_matched_usr_grps-Skipped group matching
[2887] fnbamd_fas_send_push-username:marektest, vdom:UM_DMZ, usertype:0, tfc=0, auth_type:2
IT WORKS
And on the web:
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]rmt_web_auth_info_parser_common:470 no session id in auth info
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103,
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]rmt_logincheck_cb_handler:1189 user 'marektest' has a matched local entry.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_auth_check_usrgroup:2145 got user (15) group (18:0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (10), realm ().
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 3 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 3 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 3 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1748 checking rule 3 vd source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 3 done, got user (6:0) group (2:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 4 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 4 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 4 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 4 done, got user (6:0) group (3:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 6 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 6 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 6 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 6 done, got user (11:0) group (11:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 10 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 10 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 10 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 10 done, got user (11:0) group (12:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 7 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 7 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 7 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 7 done, got user (11:0) group (13:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 8 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 8 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 8 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 8 done, got user (14:0) group (14:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 9 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 9 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 9 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 9 done, got user (14:0) group (16:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 11 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 11 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 11 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 11 done, got user (14:0) group (17:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 12 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1698 checking rule 12 realm.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1709 checking rule 12 source intf.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1845 rule 12 done, got user (14:0) group (18:0) peer group (0).
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_validate_user_group_list:1690 checking rule 13 cipher.
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_authenticate_user:191 authenticate user: [marektest]
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]sslvpn_authenticate_user:198 create fam state
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]fam_auth_send_req:583 with server blacklist:
2020-12-21 09:48:01 [310:UM_DMZ:1eb1]
2020-12-21 09:48:01 [2307] handle_req-Rcvd auth req 1978300653 for marektest in UM-RDP opt=00000500 prot=11
2020-12-21 09:48:01 [409] __compose_group_list_from_req-Group 'UM-RDP'
2020-12-21 09:48:01 [615] fnbamd_pop3_start-marektest
2020-12-21 09:48:01 [618] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'um03-mschap_v2' for usergroup 'UM-RDP' (26)
2020-12-21 09:48:01 [305] fnbamd_create_radius_socket-Opened radius socket 15
2020-12-21 09:48:01 [305] fnbamd_create_radius_socket-Opened radius socket 16
2020-12-21 09:48:01 [1342] fnbamd_radius_auth_send-Compose RADIUS request
2020-12-21 09:48:01 [1309] fnbamd_rad_dns_cb-172.16.40.13->172.16.40.13
2020-12-21 09:48:01 [1284] __fnbamd_rad_send-Sent radius req to server 'um03-mschap_v2': fd=15, IP=172.16.40.13(172.16.40.13:1812) code=1 id=134 len=192 user="marektest" using MS-CHAPv2
2020-12-21 09:48:01 [282] radius_server_auth-Timer of rad 'um03-mschap_v2' is added
2020-12-21 09:48:01 [719] auth_tac_plus_start-Didn't find tac_plus servers (0)
2020-12-21 09:48:01 [440] ldap_start-Didn't find ldap servers (0)
2020-12-21 09:48:01 [568] create_auth_session-Total 1 server(s) to try
2020-12-21 09:48:01 [2433] fnbamd_auth_handle_radius_result-Timer of rad 'um03-mschap_v2' is deleted
2020-12-21 09:48:01 [1736] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
2020-12-21 09:48:01 [309] extract_success_vsas-FORTINET attr, type 1, val UM   <- group to which the user belongs
2020-12-21 09:48:01 [2459] fnbamd_auth_handle_radius_result-->Result for radius svr 'um03-mschap_v2' 172.16.40.13(1) is 0   <- the result should be received with access granted, but then
2020-12-21 09:48:01 [2389] fnbamd_radius_group_match-Skipping group matching
2020-12-21 09:48:01 [1002] find_matched_usr_grps-Skipped group matching
2020-12-21 09:48:01 [2887] fnbamd_fas_send_push-username:marektest, vdom:UM_DMZ, usertype:0, tfc=0, auth_type:2
PERMISSION DENIED. I used these tips:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD46949
https://kb.fortinet.com/kb/documentLink.do?externalID=FD48718
https://www.reddit.com/r/fortinet/comments/ecvd3k/twofactor_ssl_vpn_invalid_http_request/
and still nothing.
Can you please help?
Regards,
Mark
I have found that when the token for the user is working, this message appears:
[618] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'um03-mschap_v2' for usergroup 'UM-RDP' (26)
When the token isn't working (on another group), this message appears:
[342] radius_start-Didn't find radius servers (0)
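The follow-up above boils the two traces down to one indicator: whether fnbamd found a RADIUS server for the user group it was asked to authenticate against. The script below is an added example (not Fortinet code and not from anyone in this thread) that folds fnbamd/sslvpnd debug lines into a small summary so that indicator, the RADIUS response code and the Fortinet-Group-Name VSA can be read off at a glance. The regular expressions are written only against the line shapes quoted in this thread; the sample traces are constructed copies of those lines, and the group name OTHER-GROUP in the failing sample is a placeholder.

```python
"""Triage helper for FortiGate fnbamd / sslvpnd debug output (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns match the debug line shapes quoted in this thread; other lines are ignored.
RE_REQ = re.compile(r"Rcvd auth req \d+ for (\S+) in (\S+)")
RE_LOADED = re.compile(r"Loading RADIUS server '([^']+)' for usergroup '([^']+)'")
RE_NO_RADIUS = re.compile(r"radius_start-Didn't find radius servers")
RE_RESP = re.compile(r"RADIUS resp code (\d+)")
RE_VSA = re.compile(r"FORTINET attr, type 1, val (\S+)")          # type 1 = Fortinet-Group-Name
RE_PUSH = re.compile(r"fnbamd_fas_send_push-username:([^,]+), vdom:([^,]+),.*tfc=(\d+)")


@dataclass
class AuthTrace:
    user: Optional[str] = None
    group: Optional[str] = None            # user group the auth request was raised for
    radius_server: Optional[str] = None    # RADIUS server fnbamd bound to that group
    no_radius_for_group: bool = False      # "[342] radius_start-Didn't find radius servers" seen
    resp_code: Optional[int] = None        # RFC 2865: 2 = Access-Accept, 3 = Access-Reject
    vsa_group: Optional[str] = None        # Fortinet-Group-Name value returned by the server
    tfc: Optional[int] = None              # tfc field on the fnbamd_fas_send_push line


def parse_trace(lines: List[str]) -> AuthTrace:
    """Fold a sequence of debug lines into one AuthTrace summary."""
    t = AuthTrace()
    for line in lines:
        if m := RE_REQ.search(line):
            t.user, t.group = m.group(1), m.group(2)
        elif m := RE_LOADED.search(line):
            t.radius_server = m.group(1)
        elif RE_NO_RADIUS.search(line):
            t.no_radius_for_group = True
        elif m := RE_RESP.search(line):
            t.resp_code = int(m.group(1))
        elif m := RE_VSA.search(line):
            t.vsa_group = m.group(1)
        elif m := RE_PUSH.search(line):
            t.tfc = int(m.group(3))
    return t


def verdict(t: AuthTrace) -> str:
    """Classify a trace the way the thread's follow-up does."""
    if t.no_radius_for_group:
        return f"FAIL: group '{t.group}' has no RADIUS server bound; fnbamd never queried a server"
    if t.resp_code is None:
        return "INCOMPLETE: no RADIUS response seen in trace"
    if t.resp_code != 2:
        return f"FAIL: RADIUS answered code {t.resp_code} (not Access-Accept)"
    return (f"OK: '{t.radius_server}' accepted user '{t.user}' for group '{t.group}', "
            f"Fortinet-Group-Name='{t.vsa_group}', tfc={t.tfc}")


# Constructed sample: abridged copy of the working trace quoted in the thread.
WORKING_TRACE = [
    "[2307] handle_req-Rcvd auth req 1978300653 for marektest in UM-RDP opt=00000500 prot=11",
    "[618] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'um03-mschap_v2' for usergroup 'UM-RDP' (26)",
    "[1736] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2",
    "[309] extract_success_vsas-FORTINET attr, type 1, val UM",
    "[2459] fnbamd_auth_handle_radius_result-->Result for radius svr 'um03-mschap_v2' 172.16.40.13(1) is 0",
    "[2887] fnbamd_fas_send_push-username:marektest, vdom:UM_DMZ, usertype:0, tfc=0, auth_type:2",
]

# Constructed sample: the failing shape from the follow-up; OTHER-GROUP is a placeholder name.
FAILING_TRACE = [
    "[2307] handle_req-Rcvd auth req 1 for marektest in OTHER-GROUP opt=00000500 prot=11",
    "[342] radius_start-Didn't find radius servers (0)",
]

if __name__ == "__main__":
    for name, trace in (("working", WORKING_TRACE), ("failing", FAILING_TRACE)):
        print(f"{name}: {verdict(parse_trace(trace))}")
```

Feed it the output of the fnbamd and sslvpn application debugs for one login attempt; if the summary reports a group with no RADIUS server bound, the check to make is that the user group used in the SSL VPN authentication rule actually references the RADIUS server, which is the condition the follow-up identified.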