We are having an issue with the FortiToken sent by email. For example, we have the user Jhon, who is a user from the LDAP server; he has permissions based on groups from the LDAP, and those groups are linked to the User Group which is in the firewall policy.
Okay, so when the user doesn't have any group in the "User Group" field, the FortiToken doesn't work. If I add any group, it does. How can I fix this?
Our idea is that we don't use the groups from the FortiGate for the permissions; we just add them in the LDAP user.
More context from the CLI:
I'm not sure of the cause of this specific error, but I would highly recommend a FortiAuthenticator here instead of local FortiTokens and LDAP.
Yes, that would be ideal, but my company doesn't want to pay for it. So we are working with what we have.
Hello @Terrainfra ,
It's an interesting problem. If you use this user in a firewall policy without a group, 2FA doesn't work, right?
Is it just 2FA not working or is the user unable to authenticate?
Can you run these commands while trying to connect to the SSL-VPN without a user group and send us the output?
diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug enable
Hello! Thank you for taking the time to help me.
1) Okay, I tried deleting all groups from the LDAP user and it is unable to authenticate with the VPN, BUT if I add the user to a firewall policy it does authenticate and asks for the 2FA!! Also, it gives me another range of IPs and I don't have access to anything.
2) The user can authenticate and the VPN connects without any problem when the 2FA is not asked for.
The log you requested is very extensive and it doesn't let me upload it.
FW-COMPANYS # [322:root:438e]allocSSLConn:307 sconn 0x7f0911d58f00 (0:root)
[322:root:438e]SSL state:before SSL initialization (MyIPaddres)
[322:root:438e]SSL state:before SSL initialization:DH lib(MyIPaddres)
[322:root:438e]SSL_accept failed, 5:(null)
[322:root:438e]Destroy sconn 0x7f0911d58f00, connSize=0. (root)
[323:root:4392]allocSSLConn:307 sconn 0x7f0911d5a400 (0:root)
[323:root:4392]SSL state:before SSL initialization (MyIPaddres)
[323:root:4392]SSL state:before SSL initialization (MyIPaddres)
[323:root:4392]got SNI server name: Vpn-FQDN realm (null)
[323:root:4392]client cert requirement: no
[323:root:4392]SSL state:SSLv3/TLS read client hello (MyIPaddres)
[323:root:4392]SSL state:SSLv3/TLS write server hello (MyIPaddres)
[323:root:4392]SSL state:SSLv3/TLS write change cipher spec (MyIPaddres)
[323:root:4392]SSL state:TLSv1.3 early data (MyIPaddres)
[323:root:4392]SSL state:TLSv1.3 early data:system lib(MyIPaddres)
[323:root:4392]SSL state:TLSv1.3 early data (MyIPaddres)
[323:root:4392]got SNI server name: Vpn-FQDN realm (null)
[323:root:4392]client cert requirement: no
[323:root:4392]req: /remote/info
[323:root:4392]capability flags: 0x4df
[323:root:4392]req: /remote/login
[323:root:4392]rmt_web_auth_info_parser_common:492 no session id in auth info
[323:root:4392]rmt_web_get_access_cache:841 invalid cache, ret=4103
[323:root:4392]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[323:root:4392]get_cust_page:128 saml_info 0
[323:root:4392]req: /remote/logincheck
[323:root:4392]rmt_web_auth_info_parser_common:492 no session id in auth info
[323:root:4392]rmt_web_access_check:760 access failed, uri=[/remote/logincheck],ret=4103,
[323:root:4392]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[323:root:4392]rmt_logincheck_cb_handler:1283 user '_USER_' has a matched local entry.
[323:root:4392]sslvpn_auth_check_usrgroup:2978 forming user/group list from policy.
[323:root:4392]sslvpn_auth_check_usrgroup:3024 got user (0) group (13:0).
[323:root:4392]sslvpn_validate_user_group_list:1890 validating with SSL VPN authentication rules (9), realm ().
[323:root:4392]sslvpn_validate_user_group_list:1975 checking rule 1 cipher.
[323:root:4392]sslvpn_validate_user_group_list:1983 checking rule 1 realm.
[323:root:4392]sslvpn_validate_user_group_list:1994 checking rule 1 source intf.
[323:root:4392]sslvpn_validate_user_group_list:2033 checking rule 1 vd source intf.
[323:root:4392]sslvpn_update_user_group_list:1793 got user (0:0), group (13:0), peer group (0) after update.
[323:root:4392]two factor check for _USER_: off
[323:root:4392]sslvpn_authenticate_user:183 authenticate user: [_USER_]
[323:root:4392]sslvpn_authenticate_user:197 create fam state
[323:root:4392][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[323:root:4392]group_desc[12].grpname = VPN _ADMIN
[323:root:4392][fam_auth_send_req_internal:438] FNBAM opt = 0X200420
[323:root:4392]fam_auth_send_req_internal:514 fnbam_auth return: 4
[1916] handle_req-Rcvd auth req 1487224574 for _USER_ in opt=00200420 prot=11
[475] __compose_group_list_from_req-Group 'VPN _ADMIN', type 1
[616] fnbamd_pop3_start-_USER_
[378] radius_start-Didn't find radius servers (0)
[754] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1034] __fnbamd_cfg_get_ldap_list_by_group-
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DomainController03' for usergroup 'Acceso_Camaras' (29)
[1836] fnbamd_ldap_auth_ctx_push-'DomainController03' is already in the ldap list.
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DomainController03' for usergroup 'VPN _ADMIN' (2)
[1836] fnbamd_ldap_auth_ctx_push-'DomainController04' is already in the ldap list.
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DomainController04' for usergroup 'VPN _ADMIN' (2)
[1150] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 3
[1717] fnbamd_ldap_init-search filter is: samaccountname=_USER_
[1727] fnbamd_ldap_init-search base is: dc=COMPANY,dc=lan
[1149] __fnbamd_ldap_dns_cb-Resolved DomainController04:DC_IPaddres to DC_IPaddres, cur stack size:1
[924] __fnbamd_ldap_get_next_addr-
[1154] __fnbamd_ldap_dns_cb-Connection starts DomainController04:DC_IPaddres, addr DC_IPaddres over SSL
[879] __fnbamd_ldap_start_conn-Still connecting DC_IPaddres.
[1717] fnbamd_ldap_init-search filter is: samaccountname=_USER_
[1727] fnbamd_ldap_init-search base is: dc=COMPANY,dc=lan
[1149] __fnbamd_ldap_dns_cb-Resolved DomainController03:DC_IPaddres to DC_IPaddres, cur stack size:1
[924] __fnbamd_ldap_get_next_addr-
[1154] __fnbamd_ldap_dns_cb-Connection starts DomainController03:DC_IPaddres, addr DC_IPaddres over SSL
[879] __fnbamd_ldap_start_conn-Still connecting DC_IPaddres.
[1717] fnbamd_ldap_init-search filter is: samaccountname=_USER_
[1727] fnbamd_ldap_init-search base is: dc=COMPANY,dc=lan
[1149] __fnbamd_ldap_dns_cb-Resolved DomainController01:10.0.2.100 to 10.0.2.100, cur stack size:1
[924] __fnbamd_ldap_get_next_addr-
[1154] __fnbamd_ldap_dns_cb-Connection starts DomainController01:10.0.2.100, addr 10.0.2.100 over SSL
[879] __fnbamd_ldap_start_conn-Still connecting 10.0.2.100.
[642] create_auth_session-Total 3 server(s) to try
[1107] __ldap_connect-tcps_connect(DC_IPaddres) is established.
[985] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'COMPANY\fortigate_user'
[1083] fnbamd_ldap_send-sending 52 bytes to DC_IPaddres
[1096] fnbamd_ldap_send-Request is sent. ID 1
[1107] __ldap_connect-tcps_connect(DC_IPaddres) is established.
[985] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'COMPANY\fortigate_user'
[1083] fnbamd_ldap_send-sending 52 bytes to DC_IPaddres
[1096] fnbamd_ldap_send-Request is sent. ID 1
[985] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: DC_IPaddres
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[1023] fnbamd_ldap_parse_response-ret=0
[1052] __ldap_rxtx-Change state to 'DN search'
[985] __ldap_rxtx-state 11(DN search)
[750] fnbamd_ldap_build_dn_search_req-base:'dc=COMPANY,dc=lan' filter:samaccountname=_USER_
[1083] fnbamd_ldap_send-sending 84 bytes to DC_IPaddres
[1096] fnbamd_ldap_send-Request is sent. ID 2
[985] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
Hello @Terrainfra ,
"Also, it gives me another range of IPs and I don't have access to anything."
For that problem, you need to do user group/portal mapping in the SSL-VPN settings. If you didn't do that, FortiGate authenticates users with the default portal mapping, and this situation causes the wrong IP address to be assigned.
Do you have a local user with the same name?
Hello! Thank you for taking the time to help me.
1) Okay, I tried deleting all groups from the LDAP user and it is unable to authenticate with the VPN, BUT if I add the user to a firewall policy it does authenticate and asks for the 2FA!!
2) The user can authenticate and the VPN connects without any problem when the 2FA is not asked for.
The log you requested is very extensive and it doesn't let me upload it. Here is a line that I find odd:
[323:root:4392]sslvpn_validate_user_group_list:2033 checking rule 1 vd source intf.
[323:root:4392]sslvpn_update_user_group_list:1793 got user (0:0), group (13:0), peer group (0) after update.
[323:root:4392]two factor check for _USER_: off
[323:root:4392]sslvpn_authenticate_user:183 authenticate user: [_USER_]
[323:root:4392]sslvpn_authenticate_user:197 create fam state
[323:root:4392][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[323:root:4392]group_desc[12].grpname = VPN _ADMIN
Hello @ozkanaltas, sorry that the replies are duplicated.
No, I don't have a local user with the same name, only the remote LDAP user.
> [323:root:4392]two factor check for _USER_: off
The meaning of this line is whether a client certificate is required. It does not comment on token 2FA.
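As an added triage aid (this is not code from the thread or from Fortinet): a small Python parser for the `diagnose debug application sslvpn -1` / `fnbamd -1` output pasted above. It extracts the decisions that matter for this problem, namely which local entry matched, what the firewall policy contributed to the user/group list, which SSL VPN authentication-rule checks ran, which groups were handed to FNBAM, which LDAP servers were loaded for each group, and the fnbam return code, and then lists the findings a reader would want first. The sample input is an excerpt of the debug lines posted in the thread; the field names, the `AuthTrace` structure and the wording of the triage notes are my own, and the note about the "two factor check" line simply restates the last reply.

```python
"""Triage helper for the FortiGate sslvpn/fnbamd debug output in this thread.

Pulls out the decision points (matched entry, policy user/group list,
auth-rule checks, groups sent to FNBAM, LDAP servers per group, fnbam
return code) so they can be read without scrolling the whole trace.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Excerpt of the debug lines posted in the thread (placeholders kept as posted).
SAMPLE_DEBUG = """\
[323:root:4392]rmt_logincheck_cb_handler:1283 user '_USER_' has a matched local entry.
[323:root:4392]sslvpn_auth_check_usrgroup:3024 got user (0) group (13:0).
[323:root:4392]sslvpn_validate_user_group_list:1975 checking rule 1 cipher.
[323:root:4392]sslvpn_validate_user_group_list:2033 checking rule 1 vd source intf.
[323:root:4392]two factor check for _USER_: off
[323:root:4392][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[323:root:4392]group_desc[12].grpname = VPN _ADMIN
[323:root:4392]fam_auth_send_req_internal:514 fnbam_auth return: 4
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DomainController03' for usergroup 'Acceso_Camaras' (29)
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DomainController03' for usergroup 'VPN _ADMIN' (2)
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DomainController04' for usergroup 'VPN _ADMIN' (2)
[750] fnbamd_ldap_build_dn_search_req-base:'dc=COMPANY,dc=lan' filter:samaccountname=_USER_
"""

# One regex per line type we care about; every other line is ignored.
RE = {
    "user": re.compile(r"rmt_logincheck_cb_handler:\d+ user '([^']+)' has a matched local entry"),
    "policy": re.compile(r"sslvpn_auth_check_usrgroup:\d+ got user \(([^)]+)\) group \(([^)]+)\)"),
    "rule": re.compile(r"sslvpn_validate_user_group_list:\d+ checking rule (\d+) (.+?)\.$"),
    "two_factor": re.compile(r"two factor check for (\S+): (on|off)"),
    "group": re.compile(r"group_desc\[\d+\]\.grpname = (.+)$"),
    "fnbam_ret": re.compile(r"fnbam_auth return: (-?\d+)"),
    "ldap": re.compile(r"Loaded LDAP server '([^']+)' for usergroup '([^']+)'"),
    "search": re.compile(r"fnbamd_ldap_build_dn_search_req-base:'([^']+)' filter:(\S+)"),
}


@dataclass
class AuthTrace:
    user: Optional[str] = None
    policy_user: Optional[str] = None     # raw "0" from "got user (0)"
    policy_group: Optional[str] = None    # raw "13:0"; the thread does not explain the two numbers
    rules_checked: List[Tuple[int, str]] = field(default_factory=list)
    two_factor: Optional[str] = None      # "on"/"off" as printed by sslvpn
    fnbam_groups: List[str] = field(default_factory=list)
    fnbam_return: Optional[int] = None
    ldap_servers: Dict[str, Set[str]] = field(default_factory=dict)  # usergroup -> servers loaded
    search_base: Optional[str] = None
    search_filter: Optional[str] = None


def parse_trace(text: str) -> AuthTrace:
    """Walk the debug output line by line and fill an AuthTrace."""
    t = AuthTrace()
    for line in text.splitlines():
        line = line.rstrip()
        if m := RE["user"].search(line):
            t.user = m.group(1)
        elif m := RE["policy"].search(line):
            t.policy_user, t.policy_group = m.group(1), m.group(2)
        elif m := RE["rule"].search(line):
            t.rules_checked.append((int(m.group(1)), m.group(2)))
        elif m := RE["two_factor"].search(line):
            t.two_factor = m.group(2)
        elif m := RE["group"].search(line):
            t.fnbam_groups.append(m.group(1).strip())
        elif m := RE["fnbam_ret"].search(line):
            t.fnbam_return = int(m.group(1))
        elif m := RE["ldap"].search(line):
            t.ldap_servers.setdefault(m.group(2), set()).add(m.group(1))
        elif m := RE["search"].search(line):
            t.search_base, t.search_filter = m.group(1), m.group(2)
    return t


def triage(t: AuthTrace) -> List[str]:
    """Turn the trace into the handful of findings worth reading first."""
    notes = []
    if t.user is None:
        notes.append("no matched local entry seen for /remote/logincheck")
    if not t.fnbam_groups:
        notes.append("policy handed no groups to FNBAM, so fnbamd has no group to resolve the LDAP user against")
    for g in t.fnbam_groups:
        if g not in t.ldap_servers:
            notes.append(f"group {g!r} went to FNBAM but no LDAP server was loaded for it")
    if t.two_factor == "off":
        notes.append("'two factor check: off' refers to the client-certificate requirement (per the last reply), not the token step")
    if t.fnbam_return is not None:
        notes.append(f"fnbam_auth returned {t.fnbam_return}; read the fnbamd lines after it for the LDAP outcome")
    return notes


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_DEBUG)
    print(trace)
    for note in triage(trace):
        print("-", note)
```

Run it on a full capture by replacing `SAMPLE_DEBUG` with the file contents; the point of the structured `AuthTrace` is that the "groups sent to FNBAM" list and the per-group LDAP server map can be compared side by side between a run with the user in a group and a run without one, which is exactly the difference the thread is chasing.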
Copyright 2024 Fortinet, Inc. All Rights Reserved.