- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortitoken doesn't work if the user has no group
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortitoken doesn't work if the user has no group
We are having an issue with the fortitoken sent by email. For example we have the user Jhon that its an user from the LDAP server, he has permissions based on group from the LDAP that those groups are linked to the User Group wich is in the firewall policy
Okey so when the user doesn't have any group in the field "User Group" the fortitoken dont work. If i add any group it does, how can i fix this?
Our idea its that we dont use the groups from the fortigate for the permissions just add them in the LDAP user
More context from CLI
Labels:
- Labels:
-
FortiGate
-
FortiToken
-
LDAP
-
SSL-VPN
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure the cause of this specific error but I would highly recommend a FortiAuthenticator here instead of local FortiTokens and LDAP.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes that would be ideal, but my company doesn't want to pay it. So we are working with what we have
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Terrainfra ,
It's an interesting problem. If you use this user on a firewall policy without a group, 2fa doesn't work, right?
Is it just 2FA not working or is the user unable to authenticate?
Can you run these commands while trying to connect to SSL-VPN without a user group and send us the output?
diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug enable
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello! Thank you for taking the time to help me.
1) Okey i tried deleting all groups from the LDAP user and its unable to authenticate with de vpn BUT if i add the user to a firewall policy its does authenticate and ask for the 2fa!! Also it gives me another range of ip and i don't have access to anything
2) The user can authenticate and the vpn connects with out any problem when the 2fa its not asked
The log you reques its very extense and dont let me upload it
FW-COMPANYS # [322:root:438e]allocSSLConn:307 sconn 0x7f0911d58f00 (0:root)
[322:root:438e]SSL state:before SSL initialization (MyIPaddres)
[322:root:438e]SSL state:before SSL initialization:DH lib(MyIPaddres)
[322:root:438e]SSL_accept failed, 5:(null)
[322:root:438e]Destroy sconn 0x7f0911d58f00, connSize=0. (root)
[323:root:4392]allocSSLConn:307 sconn 0x7f0911d5a400 (0:root)
[323:root:4392]SSL state:before SSL initialization (MyIPaddres)
[323:root:4392]SSL state:before SSL initialization (MyIPaddres)
[323:root:4392]got SNI server name: Vpn-FQDN realm (null)
[323:root:4392]client cert requirement: no
[323:root:4392]SSL state:SSLv3/TLS read client hello (MyIPaddres)
[323:root:4392]SSL state:SSLv3/TLS write server hello (MyIPaddres)
[323:root:4392]SSL state:SSLv3/TLS write change cipher spec (MyIPaddres)
[323:root:4392]SSL state:TLSv1.3 early data (MyIPaddres)
[323:root:4392]SSL state:TLSv1.3 early data:system lib(MyIPaddres)
[323:root:4392]SSL state:TLSv1.3 early data (MyIPaddres)
[323:root:4392]got SNI server name: Vpn-FQDN realm (null)
[323:root:4392]client cert requirement: no
[323:root:4392]req: /remote/info
[323:root:4392]capability flags: 0x4df
[323:root:4392]req: /remote/login
[323:root:4392]rmt_web_auth_info_parser_common:492 no session id in auth info
[323:root:4392]rmt_web_get_access_cache:841 invalid cache, ret=4103
[323:root:4392]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[323:root:4392]get_cust_page:128 saml_info 0
[323:root:4392]req: /remote/logincheck
[323:root:4392]rmt_web_auth_info_parser_common:492 no session id in auth info
[323:root:4392]rmt_web_access_check:760 access failed, uri=[/remote/logincheck],ret=4103,
[323:root:4392]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[323:root:4392]rmt_logincheck_cb_handler:1283 user '_USER_' has a matched local entry.
[323:root:4392]sslvpn_auth_check_usrgroup:2978 forming user/group list from policy.
[323:root:4392]sslvpn_auth_check_usrgroup:3024 got user (0) group (13:0).
[323:root:4392]sslvpn_validate_user_group_list:1890 validating with SSL VPN authentication rules (9), realm ().
[323:root:4392]sslvpn_validate_user_group_list:1975 checking rule 1 cipher.
[323:root:4392]sslvpn_validate_user_group_list:1983 checking rule 1 realm.
[323:root:4392]sslvpn_validate_user_group_list:1994 checking rule 1 source intf.
[323:root:4392]sslvpn_validate_user_group_list:2033 checking rule 1 vd source intf.
[323:root:4392]sslvpn_update_user_group_list:1793 got user (0:0), group (13:0), peer group (0) after update.
[323:root:4392]two factor check for _USER_: off
[323:root:4392]sslvpn_authenticate_user:183 authenticate user: [_USER_]
[323:root:4392]sslvpn_authenticate_user:197 create fam state
[323:root:4392][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[323:root:4392]group_desc[12].grpname = VPN _ADMIN
[323:root:4392][fam_auth_send_req_internal:438] FNBAM opt = 0X200420
[323:root:4392]fam_auth_send_req_internal:514 fnbam_auth return: 4
[1916] handle_req-Rcvd auth req 1487224574 for _USER_ in opt=00200420 prot=11
[475] __compose_group_list_from_req-Group 'VPN _ADMIN', type 1
[616] fnbamd_pop3_start-_USER_
[378] radius_start-Didn't find radius servers (0)
[754] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1034] __fnbamd_cfg_get_ldap_list_by_group-
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DomainController03' for usergroup 'Acceso_Camaras' (29)
[1836] fnbamd_ldap_auth_ctx_push-'DomainController03' is already in the ldap list.
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DomainController03' for usergroup 'VPN _ADMIN' (2)
[1836] fnbamd_ldap_auth_ctx_push-'DomainController04' is already in the ldap list.
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DomainController04' for usergroup 'VPN _ADMIN' (2)
[1150] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 3
[1717] fnbamd_ldap_init-search filter is: samaccountname=_USER_
[1727] fnbamd_ldap_init-search base is: dc=COMPANY,dc=lan
[1149] __fnbamd_ldap_dns_cb-Resolved DomainController04:DC_IPaddres to DC_IPaddres, cur stack size:1
[924] __fnbamd_ldap_get_next_addr-
[1154] __fnbamd_ldap_dns_cb-Connection starts DomainController04:DC_IPaddres, addr DC_IPaddres over SSL
[879] __fnbamd_ldap_start_conn-Still connecting DC_IPaddres.
[1717] fnbamd_ldap_init-search filter is: samaccountname=_USER_
[1727] fnbamd_ldap_init-search base is: dc=COMPANY,dc=lan
[1149] __fnbamd_ldap_dns_cb-Resolved DomainController03:DC_IPaddres to DC_IPaddres, cur stack size:1
[924] __fnbamd_ldap_get_next_addr-
[1154] __fnbamd_ldap_dns_cb-Connection starts DomainController03:DC_IPaddres, addr DC_IPaddres over SSL
[879] __fnbamd_ldap_start_conn-Still connecting DC_IPaddres.
[1717] fnbamd_ldap_init-search filter is: samaccountname=_USER_
[1727] fnbamd_ldap_init-search base is: dc=COMPANY,dc=lan
[1149] __fnbamd_ldap_dns_cb-Resolved DomainController01:10.0.2.100 to 10.0.2.100, cur stack size:1
[924] __fnbamd_ldap_get_next_addr-
[1154] __fnbamd_ldap_dns_cb-Connection starts DomainController01:10.0.2.100, addr 10.0.2.100 over SSL
[879] __fnbamd_ldap_start_conn-Still connecting 10.0.2.100.
[642] create_auth_session-Total 3 server(s) to try
[1107] __ldap_connect-tcps_connect(DC_IPaddres) is established.
[985] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'COMPANY\fortigate_user'
[1083] fnbamd_ldap_send-sending 52 bytes to DC_IPaddres
[1096] fnbamd_ldap_send-Request is sent. ID 1
[1107] __ldap_connect-tcps_connect(DC_IPaddres) is established.
[985] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'COMPANY\fortigate_user'
[1083] fnbamd_ldap_send-sending 52 bytes to DC_IPaddres
[1096] fnbamd_ldap_send-Request is sent. ID 1
[985] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: DC_IPaddres
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[1023] fnbamd_ldap_parse_response-ret=0
[1052] __ldap_rxtx-Change state to 'DN search'
[985] __ldap_rxtx-state 11(DN search)
[750] fnbamd_ldap_build_dn_search_req-base:'dc=COMPANY,dc=lan' filter:samaccountname=_USER_
[1083] fnbamd_ldap_send-sending 84 bytes to DC_IPaddres
[1096] fnbamd_ldap_send-Request is sent. ID 2
[985] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Terrainfra ,
"Also it gives me another range of ip and i don't have access to anything"
For that problem, you need to do user group/portal mapping on ssl-vpn settings. If you didn't do that, FortiGate can authenticate users with default portal mapping and this situation causes the assign a wrong IP address.
Do you have a local user with the same name?
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello! Thank you for taking the time to help me.
1) Okey i tried deleting all groups from the LDAP user and its unable to authenticate with de vpn BUT if i add the user to a firewall policy its does authenticate and ask for the 2fa!!
2) The user can authenticate and the vpn connects with out any problem when the 2fa its not asked
The log you reques its very extense and dont let me upload it, heres a line that i find odd
323:root:4392]sslvpn_validate_user_group_list:2033 checking rule 1 vd source intf.
[323:root:4392]sslvpn_update_user_group_list:1793 got user (0:0), group (13:0), peer group (0) after update.
[323:root:4392]two factor check for _USER_: off
[323:root:4392]sslvpn_authenticate_user:183 authenticate user: [_USER_]
[323:root:4392]sslvpn_authenticate_user:197 create fam state
[323:root:4392][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[323:root:4392]group_desc[12].grpname = VPN _ADMIN
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Terrainfra ,
Do you have a local user with the same name?
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @ozkanaltas, sorry that the replies duplicate.
No, i dont have a local user with the same name. Only the remote ldap user
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
> [323:root:4392]two factor check for _USER_: off
The meaning of this line is whether a client-certificate is required. It does not comment on token 2FA.
[ corrections always welcome ]
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- What da heck is going on... 214 Views
- FSSO doesnt work with Fortigate eval... 298 Views
- API v2 Adding user to a... 460 Views
- Lost Token - what can we... 683 Views
Labels
-
FortiGate
7,108 -
FortiClient
1,401 -
5.2
801 -
5.4
639 -
FortiManager
615 -
FortiAnalyzer
450 -
6.0
416 -
FortiAP
373 -
FortiSwitch
368 -
5.6
362 -
FortiClient EMS
288 -
FortiMail
276 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
125 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
100 -
FortiGateCloud
95 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
47 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
38 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiExtender
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
VDOM
17 -
Routing
15 -
FortiMonitor
14 -
Authentication
14 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
Logging
14 -
FortiDDoS
13 -
RADIUS
12 -
FortiCASB
12 -
NAT
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
FortiRecorder
10 -
Application control
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
OSPF
6 -
IPS signature
5 -
Packet capture
5 -
Automation
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDirector
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
FortiTester
4 -
3.6
4 -
FortiScan
4 -
Web rating
4 -
FortiDeceptor
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Fortinet Engage Partner Program
3 -
Traffic shaping profile
3 -
FortiDB
3 -
DLP sensor
3 -
DoS policy
3 -
Email filter profile
3 -
Fabric connector
2 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
DLP Dictionary
2 -
VoIP profile
2 -
DLP profile
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Internet Service Database
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1057 | |
| 874 | |
| 521 | |
| 441 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.