Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Terrainfra
New Contributor II

Fortitoken doesn't work if the user has no group

We are having an issue with the fortitoken sent by email. For example we have the user Jhon that its an user from the LDAP server, he has permissions based on group from the LDAP that those groups are linked to the User Group wich is in the firewall policy

 

Okey so when the user doesn't have any group in the field "User Group" the fortitoken dont work. If i add any group it does, how can i fix this?

Our idea its that we dont use the groups from the fortigate for the permissions just add them in the LDAP user

 

 

forti.png

 

More context from CLI

 

 Captura de pantalla 2024-05-21 120528.png

10 REPLIES 10
adambomb1219
SuperUser
SuperUser

I'm not sure the cause of this specific error but I would highly recommend a FortiAuthenticator here instead of local FortiTokens and LDAP.

Terrainfra

Yes that would be ideal, but my company doesn't want to pay it. So we are working with what we have

ozkanaltas
Valued Contributor III

Hello @Terrainfra ,

 

It's an interesting problem. If you use this user on a firewall policy without a group, 2fa doesn't work, right?

 

Is it just 2FA not working or is the user unable to authenticate? 

 

Can you run these commands while trying to connect to SSL-VPN without a user group and send us the output?

 

diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug enable

  

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Terrainfra

Hello! Thank you for taking the time to help me.

 

1) Okey i tried deleting all groups from the LDAP user and its unable to authenticate with de vpn BUT if i add the user to a firewall policy its does authenticate and ask for the 2fa!! Also it gives me another range of ip and i don't have access to anything

 

2) The user can authenticate and the vpn connects with out any problem when the 2fa its not asked

 

The log you reques its very extense and dont let me upload it 

 

FW-COMPANYS # [322:root:438e]allocSSLConn:307 sconn 0x7f0911d58f00 (0:root)
[322:root:438e]SSL state:before SSL initialization (MyIPaddres)
[322:root:438e]SSL state:before SSL initialization:DH lib(MyIPaddres)
[322:root:438e]SSL_accept failed, 5:(null)
[322:root:438e]Destroy sconn 0x7f0911d58f00, connSize=0. (root)
[323:root:4392]allocSSLConn:307 sconn 0x7f0911d5a400 (0:root)
[323:root:4392]SSL state:before SSL initialization (MyIPaddres)
[323:root:4392]SSL state:before SSL initialization (MyIPaddres)
[323:root:4392]got SNI server name: Vpn-FQDN realm (null)
[323:root:4392]client cert requirement: no
[323:root:4392]SSL state:SSLv3/TLS read client hello (MyIPaddres)
[323:root:4392]SSL state:SSLv3/TLS write server hello (MyIPaddres)
[323:root:4392]SSL state:SSLv3/TLS write change cipher spec (MyIPaddres)
[323:root:4392]SSL state:TLSv1.3 early data (MyIPaddres)
[323:root:4392]SSL state:TLSv1.3 early data:system lib(MyIPaddres)
[323:root:4392]SSL state:TLSv1.3 early data (MyIPaddres)
[323:root:4392]got SNI server name: Vpn-FQDN realm (null)
[323:root:4392]client cert requirement: no
[323:root:4392]req: /remote/info
[323:root:4392]capability flags: 0x4df
[323:root:4392]req: /remote/login
[323:root:4392]rmt_web_auth_info_parser_common:492 no session id in auth info
[323:root:4392]rmt_web_get_access_cache:841 invalid cache, ret=4103
[323:root:4392]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[323:root:4392]get_cust_page:128 saml_info 0
[323:root:4392]req: /remote/logincheck
[323:root:4392]rmt_web_auth_info_parser_common:492 no session id in auth info
[323:root:4392]rmt_web_access_check:760 access failed, uri=[/remote/logincheck],ret=4103,
[323:root:4392]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[323:root:4392]rmt_logincheck_cb_handler:1283 user '_USER_' has a matched local entry.
[323:root:4392]sslvpn_auth_check_usrgroup:2978 forming user/group list from policy.
[323:root:4392]sslvpn_auth_check_usrgroup:3024 got user (0) group (13:0).
[323:root:4392]sslvpn_validate_user_group_list:1890 validating with SSL VPN authentication rules (9), realm ().
[323:root:4392]sslvpn_validate_user_group_list:1975 checking rule 1 cipher.
[323:root:4392]sslvpn_validate_user_group_list:1983 checking rule 1 realm.
[323:root:4392]sslvpn_validate_user_group_list:1994 checking rule 1 source intf.
[323:root:4392]sslvpn_validate_user_group_list:2033 checking rule 1 vd source intf.
[323:root:4392]sslvpn_update_user_group_list:1793 got user (0:0), group (13:0), peer group (0) after update.
[323:root:4392]two factor check for _USER_: off
[323:root:4392]sslvpn_authenticate_user:183 authenticate user: [_USER_]
[323:root:4392]sslvpn_authenticate_user:197 create fam state
[323:root:4392][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[323:root:4392]group_desc[12].grpname = VPN _ADMIN 
[323:root:4392][fam_auth_send_req_internal:438] FNBAM opt = 0X200420
[323:root:4392]fam_auth_send_req_internal:514 fnbam_auth return: 4
[1916] handle_req-Rcvd auth req 1487224574 for _USER_ in  opt=00200420 prot=11
[475] __compose_group_list_from_req-Group 'VPN _ADMIN', type 1
[616] fnbamd_pop3_start-_USER_
[378] radius_start-Didn't find radius servers (0)
[754] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1034] __fnbamd_cfg_get_ldap_list_by_group-
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DomainController03' for usergroup 'Acceso_Camaras' (29)
[1836] fnbamd_ldap_auth_ctx_push-'DomainController03' is already in the ldap list.
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DomainController03' for usergroup 'VPN _ADMIN' (2)
[1836] fnbamd_ldap_auth_ctx_push-'DomainController04' is already in the ldap list.
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DomainController04' for usergroup 'VPN _ADMIN' (2)
[1150] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 3
[1717] fnbamd_ldap_init-search filter is: samaccountname=_USER_
[1727] fnbamd_ldap_init-search base is: dc=COMPANY,dc=lan
[1149] __fnbamd_ldap_dns_cb-Resolved DomainController04:DC_IPaddres to DC_IPaddres, cur stack size:1
[924] __fnbamd_ldap_get_next_addr-
[1154] __fnbamd_ldap_dns_cb-Connection starts DomainController04:DC_IPaddres, addr DC_IPaddres over SSL
[879] __fnbamd_ldap_start_conn-Still connecting DC_IPaddres.
[1717] fnbamd_ldap_init-search filter is: samaccountname=_USER_
[1727] fnbamd_ldap_init-search base is: dc=COMPANY,dc=lan
[1149] __fnbamd_ldap_dns_cb-Resolved DomainController03:DC_IPaddres to DC_IPaddres, cur stack size:1
[924] __fnbamd_ldap_get_next_addr-
[1154] __fnbamd_ldap_dns_cb-Connection starts DomainController03:DC_IPaddres, addr DC_IPaddres over SSL
[879] __fnbamd_ldap_start_conn-Still connecting DC_IPaddres.
[1717] fnbamd_ldap_init-search filter is: samaccountname=_USER_
[1727] fnbamd_ldap_init-search base is: dc=COMPANY,dc=lan
[1149] __fnbamd_ldap_dns_cb-Resolved DomainController01:10.0.2.100 to 10.0.2.100, cur stack size:1
[924] __fnbamd_ldap_get_next_addr-
[1154] __fnbamd_ldap_dns_cb-Connection starts DomainController01:10.0.2.100, addr 10.0.2.100 over SSL
[879] __fnbamd_ldap_start_conn-Still connecting 10.0.2.100.
[642] create_auth_session-Total 3 server(s) to try
[1107] __ldap_connect-tcps_connect(DC_IPaddres) is established.
[985] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'COMPANY\fortigate_user'
[1083] fnbamd_ldap_send-sending 52 bytes to DC_IPaddres
[1096] fnbamd_ldap_send-Request is sent. ID 1
[1107] __ldap_connect-tcps_connect(DC_IPaddres) is established.
[985] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'COMPANY\fortigate_user'
[1083] fnbamd_ldap_send-sending 52 bytes to DC_IPaddres
[1096] fnbamd_ldap_send-Request is sent. ID 1
[985] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: DC_IPaddres
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[1023] fnbamd_ldap_parse_response-ret=0
[1052] __ldap_rxtx-Change state to 'DN search'
[985] __ldap_rxtx-state 11(DN search)
[750] fnbamd_ldap_build_dn_search_req-base:'dc=COMPANY,dc=lan' filter:samaccountname=_USER_
[1083] fnbamd_ldap_send-sending 84 bytes to DC_IPaddres
[1096] fnbamd_ldap_send-Request is sent. ID 2
[985] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8

 

ozkanaltas
Valued Contributor III

Hello @Terrainfra ,

 

"Also it gives me another range of ip and i don't have access to anything"

 

For that problem, you need to do user group/portal mapping on ssl-vpn settings. If you didn't do that, FortiGate can authenticate users with default portal mapping and this situation causes the assign a wrong IP address.

 

Do you have a local user with the same name? 

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Terrainfra

Hello! Thank you for taking the time to help me.

 

1) Okey i tried deleting all groups from the LDAP user and its unable to authenticate with de vpn BUT if i add the user to a firewall policy its does authenticate and ask for the 2fa!! 

 

2) The user can authenticate and the vpn connects with out any problem when the 2fa its not asked

 

The log you reques its very extense and dont let me upload it, heres a line that i find odd 

323:root:4392]sslvpn_validate_user_group_list:2033 checking rule 1 vd source intf.
[323:root:4392]sslvpn_update_user_group_list:1793 got user (0:0), group (13:0), peer group (0) after update.
[323:root:4392]two factor check for _USER_: off
[323:root:4392]sslvpn_authenticate_user:183 authenticate user: [_USER_]
[323:root:4392]sslvpn_authenticate_user:197 create fam state
[323:root:4392][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[323:root:4392]group_desc[12].grpname = VPN _ADMIN

 

ozkanaltas
Valued Contributor III

Hello @Terrainfra ,

 

Do you have a local user with the same name? 

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Terrainfra

Hello @ozkanaltas, sorry that the replies duplicate.

 

No, i dont have a local user with the same name. Only the remote ldap user 

pminarik

> [323:root:4392]two factor check for _USER_: off

 

The meaning of this line is whether a client-certificate is required. It does not comment on token 2FA.

[ corrections always welcome ]
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors