Support Forum
scerazy
New Contributor III

Local admin login via remote server authentication (uses RADIUS and NOT LDAP)

I have a very basic setup

Remote LDAP server defined; perfectly accessible, works fine.

Local group (Firewall) with members being specified as AD security groups

 

System > Administrators: an administrator defined as a Remote User, with the Remote User Group set to the one above (LDAP)

 

But what actually seems to be used is RADIUS (I can see that in the debug log) and not LDAP.

I had to make changes to the NPS RADIUS setup to be able to log in.

 

That is on v7.4.4 build2662 (Feature) 

 

Anybody else noticed?

 

Seb

8 REPLIES
VinayHM
Staff

Hi @scerazy 

 

Please follow this article on letting RADIUS users access the device as admin:

https://docs.fortinet.com/document/fortigate/7.0.0/ngfw-deployment/804740/configuring-radius-adminis...

 

Regards,

 

Vinay HM
scerazy
New Contributor III

I am NOT asking to use RADIUS! (It is using it already.)

 

I want to use LDAP, exactly as it is configured

 

Is it too difficult to understand the question?

 

Seb

 

ebilcari

How many 'Administrator' entries with type 'Remote User' (or 'Remote User' + Wildcard) are currently configured in the FGT, and are they all configured to match a remote user group pointing only to LDAP?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
scerazy
New Contributor III

2

And it is Remote User (no wildcard)

They are configured by group membership that uses LDAP (as I chose the group by browsing AD), yet the user login is actually using RADIUS (I can match the log on the server!).

 

So something is not right at all

ebilcari

You can get more information by enabling the fnbamd debug in the FGT:

# diag debug application fnbamd -1
# diag debug console timestamp enable
# diag debug enable

 

I tested in 7.2.8 and it is working as it should; the LDAP user is matching:

 

GW # 2024-08-21 15:01:26 [1909] handle_req-Rcvd auth req 99018270 for gimi in NetworkIT-ldap opt=00010001 prot=11
2024-08-21 15:01:26 [489] __compose_group_list_from_req-Group 'NetworkIT-ldap', type 1
2024-08-21 15:01:27 [616] fnbamd_pop3_start-gimi
2024-08-21 15:01:27 [378] radius_start-Didn't find radius servers (0)
2024-08-21 15:01:27 [764] auth_tac_plus_start-Didn't find tac_plus servers (0)
2024-08-21 15:01:27 [1009] __fnbamd_cfg_get_ldap_list_by_group-
2024-08-21 15:01:27 [1067] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DC01-x' for usergroup 'NetworkIT-ldap' (8)
2024-08-21 15:01:27 [1117] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1
2024-08-21 15:01:27 [1718] fnbamd_ldap_init-search filter is: SAMAccountName=gimi
2024-08-21 15:01:27 [1728] fnbamd_ldap_init-search base is: ou=usr,dc=eb,dc=eu

 

Check also from the CLI whether there is a GUI issue hiding some of the configured administrators:

GW # show system admin

If you can verify from the logs that the requests are wrongly sent to a RADIUS server, kindly open a TAC support ticket to investigate it further.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
scerazy
New Contributor III

It is clearly using NPS RADIUS

 

 

2024-08-21 14:35:01 [1443] __ldap_tcps_open-oif=0, intf_sel.mode=0, intf_sel.name=
2024-08-21 14:35:01 [1458] __ldap_tcps_open-Still connecting 10.10.9.23.
2024-08-21 14:35:01 [1475] __ldap_tcps_open-Start ldap conn timer.
2024-08-21 14:35:01 [1551] __ldap_conn_start-Socket 12 is created for LDAP 'SP-V-DC01'.
2024-08-21 14:35:01 [662] __ldap_add_job_timer-
2024-08-21 14:35:01 [316] radius_start-eap_local=0
2024-08-21 14:35:01 [896] fnbamd_cfg_get_radius_list-
2024-08-21 14:35:01 [675] __fnbamd_cfg_get_radius_list_by_admin-
2024-08-21 14:35:01 [818] __rad_auth_ctx_insert_all_usergroup-
2024-08-21 14:35:01 [456] fnbamd_rad_get-vfid=0, name='NPS_131_128'
2024-08-21 14:35:01 [825] __rad_auth_ctx_insert_all_usergroup-Loaded RADIUS server 'NPS_131_128' (all_usergroup enabled)
2024-08-21 14:35:01 [918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
2024-08-21 14:35:01 [936] fnbamd_rad_get_auth_server-
2024-08-21 14:35:01 [295] fnbamd_radius_get_next_auth_prot-Next auth prot MS-CHAPv2
2024-08-21 14:35:01 [1025] __auth_ctx_svr_push-Added addr 10.10.9.131:1812 from rad 'NPS_131_128'
2024-08-21 14:35:01 [853] __fnbamd_rad_get_next_addr-Next available address of rad 'NPS_131_128': 10.10.9.131:1812.
2024-08-21 14:35:01 [1043] __auth_ctx_start-Connection starts NPS_131_128:10.10.9.131, addr 10.10.9.131:1812 proto: UDP
2024-08-21 14:35:01 [231] __rad_udp_open-Opened radius socket 13, sa_family 2
2024-08-21 14:35:01 [868] __rad_conn_start-Socket 13 is created for rad 'NPS_131_128'.
2024-08-21 14:35:01 [744] __rad_add_job_timer-
2024-08-21 14:35:01 [439] fnbamd_cfg_get_pop3_list-
2024-08-21 14:35:01 [417] __fnbamd_cfg_get_pop3_list_by_group-
2024-08-21 14:35:01 [422] __fnbamd_cfg_get_pop3_list_by_group-Group 'Local_FW_Management'
2024-08-21 14:35:01 [449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
2024-08-21 14:35:01 [481] fnbamd_cfg_get_ext_idp_list-
2024-08-21 14:35:01 [455] __fnbamd_cfg_get_ext_idp_list_by_group-
2024-08-21 14:35:01 [461] __fnbamd_cfg_get_ext_idp_list_by_group-Group 'Local_FW_Management'
2024-08-21 14:35:01 [491] fnbamd_cfg_get_ext_idp_list-Total external identity provider servers to try: 0
2024-08-21 14:35:01 [433] start_remote_auth-Total 4 server(s) to try
2024-08-21 14:35:01 [1881] handle_req-r=4
2024-08-21 14:35:01 [1378] __ldap_tcps_connect-Start ldap conn timer.
2024-08-21 14:35:01 [765] __rad_rxtx-fd 13, state 1(Auth)
2024-08-21 14:35:01 [767] __rad_rxtx-Stop rad conn timer.
2024-08-21 14:35:01 [774] __rad_rxtx-
2024-08-21 14:35:01 [606] fnbamd_rad_make_access_request-
2024-08-21 14:35:01 [328] __create_access_request-Compose RADIUS request
2024-08-21 14:35:01 [589] __create_access_request-Created RADIUS Access-Request. Len: 210.
2024-08-21 14:35:01 [1159] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 10.10.9.131:1812, source address is null, protocol number is 17, oif id is 0
2024-08-21 14:35:01 [304] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
2024-08-21 14:35:01 [796] __rad_rxtx-Sent radius req to server 'NPS_131_128': fd=13, IP=10.10.9.131(10.10.9.131:1812) code=1 id=139 len=210
2024-08-21 14:35:01 [805] __rad_rxtx-Start rad conn timer.
2024-08-21 14:35:01 [1378] __ldap_tcps_connect-Start ldap conn timer.
2024-08-21 14:35:01 [1378] __ldap_tcps_connect-Start ldap conn timer.
2024-08-21 14:35:01 [1666] __verify_cb-Cert error 2, unable to get issuer certificate. Depth 1. Subject '/DC=local/DC=****/DC=*********/CN=****-EntCA'
2024-08-21 14:35:01 [1345] __ldap_tcps_connect-tcps_connect(10.10.9.20) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed).
2024-08-21 14:35:01 [1642] __ldap_error-Ret 5, st = 0.
2024-08-21 14:35:01 [1679] __ldap_error-
2024-08-21 14:35:01 [1485] __ldap_tcps_close-closed.
2024-08-21 14:35:01 [1567] __ldap_conn_stop-Stop ldap conn timer.
2024-08-21 14:35:01 [2588] fnbamd_ldap_result-Continue pending for req 76837213458433
2024-08-21 14:35:01 [1666] __verify_cb-Cert error 2, unable to get issuer certificate. Depth 1. Subject '/DC=local/DC=****/DC=*********/CN=****-EntCA'
2024-08-21 14:35:01 [1345] __ldap_tcps_connect-tcps_connect(10.10.9.23) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed).
2024-08-21 14:35:01 [1642] __ldap_error-Ret 5, st = 0.
2024-08-21 14:35:01 [1679] __ldap_error-
2024-08-21 14:35:01 [1485] __ldap_tcps_close-closed.
2024-08-21 14:35:01 [1567] __ldap_conn_stop-Stop ldap conn timer.
2024-08-21 14:35:01 [2588] fnbamd_ldap_result-Continue pending for req 76837213458433
2024-08-21 14:35:01 [1378] __ldap_tcps_connect-Start ldap conn timer.
2024-08-21 14:35:01 [1666] __verify_cb-Cert error 2, unable to get issuer certificate. Depth 1. Subject '/DC=local/DC=****/DC=*********/CN=****-EntCA'
2024-08-21 14:35:01 [1345] __ldap_tcps_connect-tcps_connect(10.10.9.23) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed).
2024-08-21 14:35:01 [1642] __ldap_error-Ret 5, st = 0.
2024-08-21 14:35:01 [1679] __ldap_error-
2024-08-21 14:35:01 [1485] __ldap_tcps_close-closed.
2024-08-21 14:35:01 [1567] __ldap_conn_stop-Stop ldap conn timer.
2024-08-21 14:35:01 [2588] fnbamd_ldap_result-Continue pending for req 76837213458433
2024-08-21 14:35:02 [765] __rad_rxtx-fd 13, state 1(Auth)
2024-08-21 14:35:02 [767] __rad_rxtx-Stop rad conn timer.
2024-08-21 14:35:02 [808] __rad_rxtx-
2024-08-21 14:35:02 [382] __rad_udp_recv-Recved 278 bytes. Buf sz 8192
2024-08-21 14:35:02 [1144] __rad_chk_resp_authenticator-ret=0
2024-08-21 14:35:02 [1210] fnbamd_rad_validate_pkt-RADIUS resp code 2
2024-08-21 14:35:02 [835] __rad_rxtx-
2024-08-21 14:35:02 [1262] fnbamd_rad_process-Result from radius svr 'NPS_131_128' is 0, req 76837213458433
2024-08-21 14:35:02 [503] fnbamd_rad_get_vsas-FORTINET attr, type 1, val ftg-vpn
2024-08-21 14:35:02 [869] fnbamd_radius_parse_mschapv2_attr-Decoding TYPE_MS_MPPE_Recv_Key
2024-08-21 14:35:02 [792] __radius_decode_mppe_key-Key len after decode 16
2024-08-21 14:35:02 [880] fnbamd_radius_parse_mschapv2_attr-Decoding TYPE_MS_MPPE_Send_Key
2024-08-21 14:35:02 [792] __radius_decode_mppe_key-Key len after decode 16
2024-08-21 14:35:02 [1451] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 0
2024-08-21 14:35:02 [627] fnbam_user_auth_group_match-req id: 76837213458433, server: NPS_131_128, local auth: 0, dn match: 0
2024-08-21 14:35:02 [581] __group_match-Check if NPS_131_128 is a group member
2024-08-21 14:35:02 [587] __group_match-Group 'Local_FW_Management' passed group matching
2024-08-21 14:35:02 [590] __group_match-Add matched group 'Local_FW_Management'(2)
2024-08-21 14:35:02 [205] find_matched_usr_grps-Passed group matching
2024-08-21 14:35:02 [239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 76837213458433, len=2650
2024-08-21 14:35:02 [599] destroy_auth_session-delete session 76837213458433
2024-08-21 14:35:02 [1260] fnbamd_rads_destroy-
2024-08-21 14:35:02 [516] fnbamd_rad_auth_ctx_free-Freeing 'NPS_131_128' ctx
2024-08-21 14:35:02 [1132] fnbamd_rad_auth_ctx_uninit-
2024-08-21 14:35:02 [892] __rad_stop-
2024-08-21 14:35:02 [257] __rad_udp_close-closed.
2024-08-21 14:35:02 [887] __rad_conn_stop-Stop rad conn timer.
2024-08-21 14:35:02 [721] __rad_del_job_timer-
2024-08-21 14:35:02 [364] fnbamd_rad_free-Freeing NPS_131_128, ref:2
2024-08-21 14:35:02 [41] __rad_server_free-Freeing 10.10.9.131, ref:2
2024-08-21 14:35:02 [519] fnbamd_rad_auth_ctx_free-
2024-08-21 14:35:02 [1263] fnbamd_rads_destroy-
2024-08-21 14:35:02 [1830] fnbamd_ldaps_destroy-
2024-08-21 14:35:02 [442] fnbamd_ldap_auth_ctx_free-Freeing 'SP-P-DC03' ctx
2024-08-21 14:35:02 [1789] fnbamd_ldap_auth_ctx_uninit-
2024-08-21 14:35:02 [1572] __ldap_stop-
2024-08-21 14:35:02 [1567] __ldap_conn_stop-Stop ldap conn timer.
2024-08-21 14:35:02 [653] __ldap_del_job_timer-
2024-08-21 14:35:02 [1132] __ldap_auth_ctx_clear-
2024-08-21 14:35:02 [1120] __ldap_auth_ctx_reset-
2024-08-21 14:35:02 [249] fnbamd_ldap_free-Freeing SP-P-DC03, ref:2
2024-08-21 14:35:02 [29] __ldap_server_free-Freeing 10.10.9.20, ref:2
2024-08-21 14:35:02 [442] fnbamd_ldap_auth_ctx_free-Freeing 'SP-P-DC04' ctx
2024-08-21 14:35:02 [1789] fnbamd_ldap_auth_ctx_uninit-
2024-08-21 14:35:02 [1572] __ldap_stop-
2024-08-21 14:35:02 [1567] __ldap_conn_stop-Stop ldap conn timer.
2024-08-21 14:35:02 [653] __ldap_del_job_timer-
2024-08-21 14:35:02 [1132] __ldap_auth_ctx_clear-
2024-08-21 14:35:02 [1120] __ldap_auth_ctx_reset-
2024-08-21 14:35:02 [249] fnbamd_ldap_free-Freeing SP-P-DC04, ref:2
2024-08-21 14:35:02 [29] __ldap_server_free-Freeing 10.10.9.23, ref:2
2024-08-21 14:35:02 [442] fnbamd_ldap_auth_ctx_free-Freeing 'SP-V-DC01' ctx
2024-08-21 14:35:02 [1789] fnbamd_ldap_auth_ctx_uninit-
2024-08-21 14:35:02 [1572] __ldap_stop-
2024-08-21 14:35:02 [1567] __ldap_conn_stop-Stop ldap conn timer.
2024-08-21 14:35:02 [653] __ldap_del_job_timer-
2024-08-21 14:35:02 [1132] __ldap_auth_ctx_clear-
2024-08-21 14:35:02 [1120] __ldap_auth_ctx_reset-
2024-08-21 14:35:02 [249] fnbamd_ldap_free-Freeing SP-V-DC01, ref:2
2024-08-21 14:35:02 [29] __ldap_server_free-Freeing 10.10.9.23, ref:2
2024-08-21 14:35:02 [1019] fnbamd_tacs_destroy-
2024-08-21 14:35:02 [889] fnbamd_pop3s_destroy-
2024-08-21 14:35:02 [1068] fnbamd_ext_idps_destroy-
2024-08-21 14:35:02 [1933] handle_req-Rcvd auth_token req 76837213458434 for admin1 in 
2024-08-21 14:35:02 [587] create_auth_token_session-Created auth token session 76837213458434
2024-08-21 14:35:02 [774] auth_token_push-
2024-08-21 14:35:02 [793] auth_token_push-Sent push msg, id: 76837213458434 user: admin1 admin: 1

 

ebilcari

The authentication to the RADIUS server will need more investigation; maybe a packet capture will show more information.

 

About the LDAP authentication not working: it seems the LDAP server is configured for LDAPS and the FGT doesn't trust the certificate of the servers .20/.23:
2024-08-21 14:35:01 [1345] __ldap_tcps_connect-tcps_connect(10.10.9.20) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed).

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
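An added triage helper for the fnbamd debug output discussed above; this is example code written for this page, not something posted in the thread or shipped by Fortinet. It pulls three facts out of a captured `diagnose debug application fnbamd -1` session: which backend produced the verdict, which RADIUS servers fnbamd pulled into the group list, and the OpenSSL verify error behind each failed LDAPS connection. The `(all_usergroup enabled)` marker is worth checking first: a RADIUS server with "Include in every user group" (`set all-usergroup enable` under `config user radius`) is a member of every user group on the box, so a group that was built from LDAP AD groups still gets a RADIUS member, and a RADIUS Access-Accept is enough for the group to match. The sample log is constructed from the lines quoted in the thread (server names, IPs and the CA subject are placeholders, not a real capture).

```shell
#!/bin/sh
# Added helpers (not from the thread) to triage 'diagnose debug application fnbamd -1'
# output: which backend produced the verdict, which RADIUS servers were pulled into the
# group via "Include in every user group", and why LDAPS handshakes failed.

# Constructed sample modelled on the lines quoted above; names and IPs are placeholders.
write_sample() {
  cat >"$1" <<'EOF'
2024-08-21 14:35:01 [1551] __ldap_conn_start-Socket 12 is created for LDAP 'SP-V-DC01'.
2024-08-21 14:35:01 [825] __rad_auth_ctx_insert_all_usergroup-Loaded RADIUS server 'NPS_131_128' (all_usergroup enabled)
2024-08-21 14:35:01 [433] start_remote_auth-Total 4 server(s) to try
2024-08-21 14:35:01 [1666] __verify_cb-Cert error 2, unable to get issuer certificate. Depth 1. Subject '/DC=local/DC=corp/CN=CORP-EntCA'
2024-08-21 14:35:01 [1345] __ldap_tcps_connect-tcps_connect(10.10.9.20) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed).
2024-08-21 14:35:02 [1262] fnbamd_rad_process-Result from radius svr 'NPS_131_128' is 0, req 76837213458433
2024-08-21 14:35:02 [587] __group_match-Group 'Local_FW_Management' passed group matching
2024-08-21 14:35:02 [239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 76837213458433, len=2650
EOF
}

# Backend that answered first: prints "<backend> <server> <code>" (0 = accepted), e.g. "radius NPS_131_128 0".
fnbamd_decider() {
  sed -n "s/.*Result from \([a-z]*\) svr '\([^']*\)' is \([0-9]*\),.*/\1 \2 \3/p" "$1" | head -n 1
}

# RADIUS servers fnbamd loaded because 'Include in every user group' (set all-usergroup enable)
# is on. Such a server belongs to every user group, including one meant to hold only LDAP groups.
fnbamd_all_usergroup() {
  sed -n "s/.*Loaded RADIUS server '\([^']*\)' (all_usergroup enabled).*/\1/p" "$1" | sort -u
}

# LDAPS failures: one line per "<host> <openssl verify error> <depth> <subject>".
# fnbamd logs the verify callback error just before the matching tcps_connect() failure, so pair them.
fnbamd_tls_failures() {
  awk -v q="'" '
    BEGIN { err = depth = subj = "-" }
    /__verify_cb-Cert error/ {
      match($0, /Cert error [0-9]+/); err = substr($0, RSTART + 11, RLENGTH - 11)
      match($0, /Depth [0-9]+/);      depth = substr($0, RSTART + 6, RLENGTH - 6)
      match($0, "Subject " q "[^" q "]*" q); subj = substr($0, RSTART + 9, RLENGTH - 10)
    }
    /tcps_connect\(/ && /failed/ {
      match($0, /tcps_connect\([^)]*\)/); host = substr($0, RSTART + 13, RLENGTH - 14)
      print host, err, depth, subj
      err = depth = subj = "-"
    }' "$1"
}

# Map the OpenSSL X509_V_ERR_* number to the action the FortiGate admin needs to take.
# 2/20 = unable to get issuer certificate, 18/19 = untrusted self-signed cert in the chain.
fnbamd_tls_hint() {
  fnbamd_tls_failures "$1" | while read -r host err depth subj; do
    case "$err" in
      2|20)  echo "$host: no issuer found for '$subj' (depth $depth); import the CA at depth $((depth + 1)) of the chain" ;;
      18|19) echo "$host: self-signed certificate '$subj' at depth $depth is not trusted; import it as a CA certificate" ;;
      *)     echo "$host: OpenSSL verify error $err at depth $depth for '$subj'" ;;
    esac
  done
}

demo() {
  f=$(mktemp); write_sample "$f"
  echo "decided by:     $(fnbamd_decider "$f")"
  echo "all-usergroup:  $(fnbamd_all_usergroup "$f")"
  echo "LDAPS failures:"; fnbamd_tls_hint "$f"
  rm -f "$f"
}
case "${1:-}" in run) demo ;; esac
```

Run it as `sh fnbamd_triage.sh run` against the constructed sample, or point the functions at a file holding your own capture (`diag debug application fnbamd -1` with `diag debug console timestamp enable`). For the sample it reports that the RADIUS server answered, that it is an all-usergroup server, and that the LDAPS connection to 10.10.9.20 failed with verify error 2 at depth 1.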
scerazy
New Contributor III

In the LDAP definition I have LDAPS with no certificate, and the connection is a Success and the Test is fine.

If I select a certificate (of the imported local Enterprise CA that issues the certificates) I always get "Can't contact LDAP server".
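An added example (written for this page, not from the thread or from Fortinet) that reproduces the LDAPS failure in the log offline. `Cert error 2` is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, and it is reported for the certificate at depth 1, whose subject is the enterprise CA itself: the issuer of the enterprise CA certificate could not be found. With a two-tier AD CS PKI that issuer is the root CA, so a trust store holding only the issuing CA leaves the chain without a self-signed anchor, and OpenSSL rejects it unless partial chains are explicitly allowed. The script builds a throw-away root, an issuing CA and a domain-controller certificate with the openssl CLI, then verifies the server certificate first against the issuing CA alone (which fails the same way the log does) and then against root plus issuing CA (which succeeds). All CA names and the hostname dc01.corp.example are invented.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild "Cert error 2 ... Depth 1. Subject '...EntCA'"
# with a throw-away two-tier PKI, then show the same server certificate verifying once the
# root is trusted as well. Requires the openssl CLI. All names below are invented.

build_demo_pki() {   # $1 = scratch directory; creates root.pem, int.pem, srv.pem, bundle.pem
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:dc01.corp.example\n' >"$dir/srv.ext"
  # 1. Offline root CA (self-signed): the trust anchor the chain in the log never reaches.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
      -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null || return 1
  openssl x509 -req -days 2 -in "$dir/root.csr" -signkey "$dir/root.key" \
      -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null || return 1
  # 2. Issuing CA ("EntCA"), signed by the root: the certificate at depth 1 in the log.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo-EntCA' \
      -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
  openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
      -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null || return 1
  # 3. Domain controller LDAPS certificate (depth 0), issued by the issuing CA.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=dc01.corp.example' \
      -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null || return 1
  openssl x509 -req -days 2 -in "$dir/srv.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
      -extfile "$dir/srv.ext" -out "$dir/srv.pem" 2>/dev/null || return 1
  # The CA material a verifier needs: every CA above the server certificate, root included.
  cat "$dir/root.pem" "$dir/int.pem" >"$dir/bundle.pem"
}

# verify_leaf TRUSTSTORE LEAF: prints OpenSSL's verdict and returns its status (0 = chain trusted).
# Without -partial_chain, OpenSSL only trusts a chain that ends in a self-signed certificate it
# holds, so a store containing only the issuing CA fails with "error 2 at 1 depth lookup".
verify_leaf() {
  openssl verify -CAfile "$1" "$2" 2>&1
}

demo() {
  dir=$(mktemp -d)
  build_demo_pki "$dir" || { echo "PKI build failed"; rm -rf "$dir"; return 1; }
  echo "--- trust store = issuing CA only (the symptom in the fnbamd log):"
  verify_leaf "$dir/int.pem" "$dir/srv.pem" || true
  echo "--- trust store = root + issuing CA:"
  verify_leaf "$dir/bundle.pem" "$dir/srv.pem"
  rm -rf "$dir"
}
case "${1:-}" in run) demo ;; esac
```

Run it as `sh ldaps_chain_demo.sh run`. The first verification prints `error 2 at 1 depth lookup: unable to get issuer certificate` for the issuing CA, matching the `__verify_cb` lines in the thread; the second prints `srv.pem: OK`. The same check against a real domain controller is `openssl s_client -connect dc:636 -CAfile bundle.pem`, which reports `Verify return code: 0 (ok)` only when the bundle contains the whole chain above the DC certificate.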
