Daniel_Borgmann
New Contributor

SSL-VPN with Certificate and LDAP Group Search

Hi,

I have the following customer requirement:

Access with a browser and client certificate to the FortiGate SSL-VPN portal. Authorization is with the certificate, but the group assignment should be done by asking the LDAP. With the CN of the certificate, the LDAP is asked for the groups the user belongs to.

I was able to configure the certificate-based authentication, but I didn't manage to ask the LDAP for the groups the user belongs to. Additionally, if I add the user manually to more than one user group in the Fortinet, only the first user group is assigned. The issue is that I need the user assigned to more than one group depending on his membership in the LDAP.

I tried to use the following configuration for the PKI user:

config user peer
    edit "borgmda"
        set cn "borgmda"
        set ldap-server "NSN_NEDI-W-SSL-2"
        set ldap-mode principal-name
    next
end

config user ldap
    edit "NSN_NEDI-W-SSL-2"
        set server "10.159.0.138"
        set secondary-server "10.135.48.5"
        set cnid "sAMAccountName"
        set dn "ou=gms,ou=groups,dc=nsn-intra,dc=net"
        set type regular
        set username ******   (username that has the right to access the LDAP; test via GUI is OK)
        set password ****
    next
end

config user group
    edit "I_EXT_SSL_INTRA"
        set member "NSN_NEDI-W-SSL-2" "NSN_NEDI-W-SSL-2_users" "borgmda"
        config match
            edit 1
                set server-name "NSN_NEDI-W-SSL-2"
                set group-name "CN=I_EXT_NSN_SSL_NSNINTRA,OU=Security,OU=GMS,OU=Groups,DC=nsn-intra,DC=net"
            next
            edit 2
                set server-name "NSN_NEDI-W-SSL-2_users"
                set group-name "CN=I_EXT_NSN_SSL_NSNINTRA,OU=Security,OU=GMS,OU=Groups,DC=nsn-intra,DC=net"
            next
        end
    next
end


Debugging shows the following:


2016-02-10 14:09:58 [29102:partners:53]SSL_accept returned 0.
2016-02-10 14:09:58 [29102:partners:53]Destroy sconn 0x2a9a05e400, connSize=0. (partners)
2016-02-10 14:10:01 [29103:partners:53]allocSSLConn:245 sconn 0x2a9a05e400 (1:partners)
2016-02-10 14:10:01 [29103:partners:53]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA384
2016-02-10 14:10:01 [29103:partners:53]rmt_authutil.c:418 no session id in auth info
2016-02-10 14:10:01 [29103:partners:53]rmt_authutil.c:701 invalid cache, ret=4103
2016-02-10 14:10:01 [29103:partners:53]doing authentication for 1 group(s).
2016-02-10 14:10:01 fnbamd_fsm.c[2143] handle_req-Rcvd auth_cert req id=1073869796
2016-02-10 14:10:01 fnbamd_auth.c[1309] check_cert-CA found: CA_Cert_14
2016-02-10 14:10:01 fnbamd_auth.c[1605] cert_check_group_list-checking group type 1 group name 'I_EXT_NSN_SSL_NSNINTRA'
2016-02-10 14:10:01 fnbamd_auth.c[1498] check_add_peer-check peer user 'borgmda' in group 'I_EXT_NSN_SSL_NSNINTRA', result is 4
2016-02-10 14:10:01 fnbamd_auth.c[1630] cert_check_group_list-Status pending for group 'I_EXT_NSN_SSL_NSNINTRA'
2016-02-10 14:10:01 fnbamd_ldap.c[998] resolve_ldap_FQDN-Resolved address 10.159.0.138, result 10.159.0.138
2016-02-10 14:10:01 fnbamd_ldap.c[998] resolve_ldap_FQDN-Resolved address 10.135.48.5, result 10.135.48.5
2016-02-10 14:10:01 fnbamd_ldap.c[443] start_search_dn-base:'ou=gms,ou=groups,dc=nsn-intra,dc=net' filter:userPrincipalName=
2016-02-10 14:10:01 fnbamd_ldap.c[1736] fnbamd_ldap_get_result-Going to SEARCH state
2016-02-10 14:10:01 fnbamd_fsm.c[1503] auth_cert_ldap_result-Continue pending for req 1073869796
2016-02-10 14:10:01 fnbamd_ldap.c[486] get_all_dn-Found no DN
2016-02-10 14:10:01 fnbamd_ldap.c[2031] fnbamd_ldap_get_result-Auth denied
2016-02-10 14:10:01 fnbamd_auth.c[1886] fnbamd_auth_cert_poll-Result for ldap svr[0] '10.159.0.138' is DENY
2016-02-10 14:10:01 fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 1 for req 1073869796


I am wondering if there is anything wrong with the LDAP search. From the documentation, they assume wrong credentials. And what I think is missing is the filter: userPrincipalName=????? Where's my user 'borgmda'? This is the user I would like to search for in the LDAP to get the groups he belongs to.

Any ideas?

Bye
Daniel

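Added diagnostic example (my own code, not from the post or from Fortinet): a small stdlib-only Python script that parses the fnbamd debug lines quoted above and makes the evidence explicit: the search sent to the LDAP server uses the attribute userPrincipalName with an empty value, no DN comes back, and the verdict for the server is DENY. The sample log text is constructed from the lines in the post. The second helper shows the filter an sAMAccountName-based lookup would send for the certificate cn, with RFC 4515 escaping so a value copied out of a certificate field cannot change the meaning of the filter; the `(objectClass=user)` clause assumes an Active Directory schema. That the empty value comes from principal-name mode reading a UPN from the certificate rather than the configured cn is my reading of the output, not something the post confirms.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the fnbamd lines from the post that carry the
# evidence we care about (peer check, LDAP search, search outcome, verdict).
SAMPLE_LOG = """\
2016-02-10 14:10:01 fnbamd_auth.c[1498] check_add_peer-check peer user 'borgmda' in group 'I_EXT_NSN_SSL_NSNINTRA', result is 4
2016-02-10 14:10:01 fnbamd_ldap.c[443] start_search_dn-base:'ou=gms,ou=groups,dc=nsn-intra,dc=net' filter:userPrincipalName=
2016-02-10 14:10:01 fnbamd_ldap.c[486] get_all_dn-Found no DN
2016-02-10 14:10:01 fnbamd_ldap.c[2031] fnbamd_ldap_get_result-Auth denied
2016-02-10 14:10:01 fnbamd_auth.c[1886] fnbamd_auth_cert_poll-Result for ldap svr[0] '10.159.0.138' is DENY
"""

PEER_RE = re.compile(r"check_add_peer-check peer user '([^']*)' in group '([^']*)'")
SEARCH_RE = re.compile(r"start_search_dn-base:'([^']*)' filter:([A-Za-z0-9]+)=(.*)$")
NO_DN_RE = re.compile(r"get_all_dn-Found no DN")
RESULT_RE = re.compile(r"Result for ldap svr\[\d+\] '([^']*)' is ([A-Z]+)")


def parse_fnbamd_log(text: str) -> Dict[str, Optional[str]]:
    """Pull the fields that explain a certificate + LDAP group decision out of
    fnbamd debug output. Fields that never appear stay None."""
    info: Dict[str, Optional[str]] = {
        "peer": None, "group": None, "base": None,
        "filter_attr": None, "filter_value": None,
        "dn_found": None, "server": None, "result": None,
    }
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            info["peer"], info["group"] = m.group(1), m.group(2)
            continue
        m = SEARCH_RE.search(line)
        if m:
            info["base"] = m.group(1)
            info["filter_attr"] = m.group(2)
            info["filter_value"] = m.group(3).strip()  # "" when nothing follows '='
            continue
        if NO_DN_RE.search(line):
            info["dn_found"] = "no"
            continue
        m = RESULT_RE.search(line)
        if m:
            info["server"], info["result"] = m.group(1), m.group(2)
    return info


def diagnose(info: Dict[str, Optional[str]]) -> List[str]:
    """Turn the parsed fields into plain-language findings for the admin."""
    findings: List[str] = []
    if info["filter_attr"] is not None and info["filter_value"] == "":
        findings.append(
            "empty LDAP filter: searched '%s' for %s=<nothing>, so no object can "
            "match; the attribute used is %s, not the peer cn '%s'"
            % (info["base"], info["filter_attr"], info["filter_attr"], info["peer"])
        )
    if info["dn_found"] == "no":
        findings.append("LDAP search returned no DN, so group matching never ran")
    if info["result"] == "DENY":
        findings.append("final verdict from server %s is DENY" % info["server"])
    return findings


# RFC 4515 escaping for values placed inside an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a single filter value; each special byte becomes \\XX."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(cnid: str, identifier: str) -> str:
    """Filter a cn-based user lookup would send, e.g. cnid sAMAccountName with the
    certificate cn as the value. The objectClass clause assumes an AD schema."""
    return "(&(objectClass=user)(%s=%s))" % (cnid, ldap_filter_escape(identifier))


if __name__ == "__main__":
    parsed = parse_fnbamd_log(SAMPLE_LOG)
    for finding in diagnose(parsed):
        print("-", finding)
    print("expected filter for the cn:", build_user_filter("sAMAccountName", parsed["peer"]))
```

Run it against a saved `diagnose debug application fnbamd -1` capture by reading the file into `parse_fnbamd_log`; the three findings above are exactly what the quoted output yields.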
