We have a number of FGT devices running 7.0.14, all managed by FortiManager, with basic configurations that are pretty much the same. One of those configurations is to set up AD users as admins based on LDAP. This process works great for all but one of our devices that's out in the field.
I tested my "useradmin" account via the LDAP configuration page and got a successful result. I am in our fw_admins group, which is assigned in the Administrators list for the FGT. However, when I try to log in via the GUI with that same username and password, it tells me that my user cannot be found. I can test it all day via the LDAP settings or via the CLI, and it consistently tells me that it's successful in hitting the LDAP server and authenticating me. It's just logging in as an admin where it fails.
I can log into any of the other 90 devices we have with that same username/password to admin them with zero issues, it's just the one. We are connected to that site via MPLS and/or VPN (if the MPLS is down). Any thoughts on what could be the issue?
Hey jsaur,
It seems like the LDAP test is successful, indicating a connection between Fortinet and your LDAP server. However, if you're unable to log in to the GUI using LDAP credentials, there might be an issue with the LDAP authentication settings or user mapping in Fortinet.
Here are some steps you can take:
1 - Checked using "stare and compare" with another device, also removed and re-established the correct group on the device.
2 - Users are mapped properly, they work on any of the other FGT devices we have (FMG configuration).
3 - LDAP server doesn't show any errors.
4 - Other FGT devices are working just fine.
I went through all of those, and as mentioned, it's a FortiManager-configured device that has an almost carbon-copy configuration of our other devices, where this issue does not occur. That's what has me confused. I can log in to any of the remaining 90+ devices with the exact same setup without issue; it's just this one that fails the GUI login but tests just fine.
Some notable logs:
From the device that fails: logincheck_handler[529] -- login_attempt (method=5, vdom='root', name='useradmin',admin_name='useradmin', auth_svr='')
From the device that is successful: logincheck_handler[529] -- login_attempt (method=5, vdom='root', name='userradmin',admin_name='fwadmin', auth_svr='servername.com')
On the device that is not working, it seems to be having an issue assigning admin_name='fwadmin', which is the name of the group in the Administrators page of the GUI config.
Found the issue; apparently I didn't stare and compare well enough. It was in the Administrators section: the failing one had "Match a user on a remote server group" selected instead of "Match all users in a remote server group".
Swapped that and it's working.
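For reference, here is what those two Administrators-page choices look like in the FortiOS CLI, as an added example that is not part of the original thread. The object names (LDAP server "servername.com", user group "fw_admins", admin entry "fwadmin", login "useradmin") follow the post; the LDAP base DN, bind account, group DN and access profile are assumptions.

```text
# Added example, not from the thread. LDAP server and user group shared by
# all the firewalls; the DNs and bind account are assumptions.
config user ldap
    edit "servername.com"
        set server "servername.com"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-ldap,OU=Service Accounts,DC=example,DC=com"
        set password <bind-password>
        set secure ldaps
        set port 636
    next
end

config user group
    edit "fw_admins"
        set member "servername.com"
        config match
            edit 1
                set server-name "servername.com"
                set group-name "CN=fw_admins,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# Failing device: "Match a user on a remote server group" (wildcard disabled).
# The entry only matches a login whose username is literally "fwadmin", so
# "useradmin" passes LDAP authentication but maps to no admin entry, which is
# why the log shows admin_name='useradmin', auth_svr=''.
config system admin
    edit "fwadmin"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set wildcard disable
        set remote-group "fw_admins"
    next
end

# Working devices: "Match all users in a remote server group" (wildcard
# enabled). Any LDAP user who is a member of fw_admins is mapped to the
# "fwadmin" admin entry, matching the log line with admin_name='fwadmin',
# auth_svr='servername.com'.
config system admin
    edit "fwadmin"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "fw_admins"
    next
end
```

To spot this difference without staring at the GUI, run `show system admin fwadmin` on a working and a failing device and diff the output; the `set wildcard` line is the one that differs. Note that `diagnose test authserver ldap servername.com useradmin <password>` only proves the bind and group lookup work, which is why the LDAP test page reported success on the broken device; the admin mapping is evaluated separately at login, and `diagnose debug application fnbamd -1` followed by `diagnose debug enable` while attempting a GUI login shows that step.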