Hello,
I am configuring the SSL VPN on a FortiGate 100D running firmware 6.0.5. I have set up RADIUS auth because we are using Duo MFA. When I use the "Test User Credentials" option it's successful. Although, when I try to connect to the VPN, it fails. The logs on the FortiGate say "ssl-login-fail Reason: sslvpn_login_unknown_user".
Up until recently, users were using local accounts on the firewall to connect to the VPN. I'm suspecting the FortiGate thinks my user is a local user and isn't finding it. The VPN setup has my new group using RADIUS listed and mapped to a portal, so I'm not sure what I'm doing wrong. Any suggestions?
I don't think so. As long as you removed the local user from the SSLVPN user group, the FGT wouldn't look for it in local users.
The GUI's user credential test, at least with that old version, doesn't check the actual credential but just checks reachability. To test a user credential, you have to use the CLI:
diag test authserver radius <server_name> [pap|chap|...] "<user_name>" "<password>"
Toshi
Interesting, because I had that thought and tried testing with an intentionally wrong password and it failed. The test account I'm using only exists in AD. No local account on the FortiGate with the same name. I'm leaning towards this being a bug at this point. Will be upgrading the firmware to rule that out at least.
If you still have doubt the FGT is not sending an auth request to Duo side, you can sniff packets for UDP 1812 with Duo's server IP. If you do it with the outgoing interface with option 6, you can convert the capture to a PCAP file that Wireshark can open. Then you can see what the FGT sent and what Duo replied back.
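Added example, not part of the thread: once the UDP 1812 payloads have been pulled out of the PCAP, a short decoder based on the RFC 2865 packet layout can show whether each Access-Request got an Accept, a Reject, or no reply at all. The function names and the sample packets are constructed for illustration, and the payloads are assumed to be already extracted from the capture.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 18: "Reply-Message"}  # text attributes decoded here

def parse_radius(payload: bytes) -> dict:
    """Decode one RADIUS packet (RFC 2865 layout) from a UDP/1812 payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("length field does not match the captured payload")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or payload[pos + 1] < 2 or pos + payload[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_type in ATTRS:
            attrs[ATTRS[a_type]] = payload[pos + 2:pos + a_len].decode("utf-8", "replace")
        pos += a_len
    return {"code": CODES.get(code, f"code-{code}"), "id": ident, "attrs": attrs}

def summarize(payloads):
    """Pair each Access-Request with the reply carrying the same identifier."""
    pending, results = {}, []
    for raw in payloads:
        pkt = parse_radius(raw)
        if pkt["code"] == "Access-Request":
            pending[pkt["id"]] = pkt["attrs"].get("User-Name", "?")
        elif pkt["id"] in pending:
            results.append((pending.pop(pkt["id"]), pkt["code"]))
    results.extend((user, "no reply") for user in pending.values())
    return results

def build(code, ident, attrs):
    """Construct a sample packet (zeroed authenticator, illustration only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample traffic, not taken from the thread.
SAMPLE = [
    build(1, 7, [(1, b"vpn.test")]),       # request from the firewall
    build(3, 7, [(18, b"Login denied")]),  # reject from the RADIUS side
    build(1, 8, [(1, b"vpn.test2")]),      # request that never got an answer
]

if __name__ == "__main__":
    for user, outcome in summarize(SAMPLE):
        print(f"{user}: {outcome}")
```

An empty result for the user who just tried to log in means no Access-Request for that name appears in the capture at all.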