User unable to connect to VPN - unknown user
Hello All,
I have a strange issue. I have a FortiGate 500D with an LDAP server configured.
I have a user X who can't connect to the VPN. Once he tries to connect, it gives the error: Permission denied.
All other users from the same container in the AD are able to connect; only this user can't.
I tried to reset the password and unlocked the account. Nothing.
Any suggestions?
Joe.
Hi, try to troubleshoot the SSL VPN connection by debugging it to see what happens,
and test whether the authentication works, using the following examples.
Test LDAP authentication with the LDAP server:
    diag test authserver ldap "KA.companyname.local" "user1" "password123"
Debug output:
    diagnose debug application sslvpn -1
    dia deb app fnbamd 255
    dia deb console
    dia deb en
Hopefully this makes things clear to you.
Kind regards,
Ralph Willemsen
Ralph
This is what I got:
fnbamd_ldap.c[485] get_all_dn-Found 1 DN's
fnbamd_ldap.c[519] start_next_dn_bind-Trying DN 1:CN=משען אירית,OU=מח' מיחשוב ומערכות מידע,OU=בניין העירייה.נודאו 17,OU=משתמשים,DC=bat-yam,DC=local
fnbamd_ldap.c[1778] fnbamd_ldap_get_result-Going to USERBIND state
fnbamd_fsm.c[2473] auth_ldap_result-Continue pending for req 1903
fnbamd_ldap.c[503] start_next_dn_bind-No more DN left
fnbamd_ldap.c[2025] fnbamd_ldap_get_result-Auth denied
fnbamd_auth.c[2351] fnbamd_auth_poll_ldap-Result for ldap svr 10.21.21.210 is denied
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 1 for req 1903
fnbamd_fsm.c[565] destroy_auth_session-delete session 1903
[94:root:3788]fam_auth_send_req:514 with server blacklist: #bat-yam_DC
[94:root:3788]fnbamd_fsm.c[1879] handle_req-Rcvd auth req 1904 for irit in BAT_VPN_Users opt=00000100 prot=10
fnbamd_fsm.c[336] __compose_group_list_from_req-Group 'BAT_VPN_Users'
fnbamd_pop3.c[573] fnbamd_pop3_start-irit
fnbamd_auth.c[303] radius_start-Didn't find radius servers (0)
fnbamd_auth.c[688] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_auth.c[409] ldap_start-Didn't find ldap servers (0)
fnbamd_fsm.c[417] create_auth_session-Error starting authentication
fnbamd_fsm.c[1898] handle_req-Error creating session
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 3 for req 1904
[94:root:3788]fam_auth_send_req:514 with server blacklist: #bat-yam_DC
[94:root:3788]fam_auth_send_req:602 task finished with 5
[94:root:3788]rmt_logincheck.c:250 user[irit],auth_type=1 failed [sslvpn_login_unknown_user]
[94:root:0]rmt_websession.c:77 status=1;host=81.218.192.40;fails=1;logintime=1430826817
[94:root:3788]rmt_authutil.c:418 no session id in auth info
[94:root:3788]rmt_authutil.c:700 invalid cache, ret=4103
[94:root:3788]Timeout for connection 0x2a98cc6c00.
Hi, well, it looks like your FortiGate doesn't have access to the DC (LDAP connection).
Please also check whether there might be local users configured with the same username.
Regards,
Ralph
Ralph1973 wrote: Hi, well, it looks like your FortiGate doesn't have access to the DC (LDAP connection).
Please also check whether there might be local users configured with the same username.
Regards,
Ralph
Hey,
I just tested and the connection is successful. Also, there is no local user with such a name.
It's weird.
Joe.
Problem solved. It was an issue with the user itself in the AD.
Joe.
Hi there
I had a similar issue and I found out that the user(s) need to be in a valid OU in Active Directory for it to work; they can't be in the Users folder. In Win2012 Essentials, users created via the Dashboard are by default created in the Users folder, strangely enough. They need to move to an OU before the FortiGate LDAP authentication can work.
Cheers
Jaap
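Jaap's observation has a mechanical explanation: the Users folder in AD is a plain container (CN=Users), not an organizational unit, and the FortiGate only finds accounts beneath the Distinguished Name configured on its LDAP server entry. The following is an added example (not from this thread or from Fortinet) that, given a user's DN and that configured base DN, says whether a subtree search can reach the user at all and whether the user sits in a container rather than an OU. It assumes the FortiGate searches the subtree under the configured Distinguished Name; the domain, OU and user names are constructed placeholders.

```python
from typing import Dict, List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs, leaving backslash-escaped commas alone."""
    parts: List[str] = []
    cur, escaped = "", False
    for ch in dn:
        if escaped:
            cur += ch
            escaped = False
        elif ch == "\\":
            cur += ch
            escaped = True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    rdns: List[Tuple[str, str]] = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def in_search_scope(user_dn: str, base_dn: str) -> bool:
    """True if user_dn sits beneath base_dn (attributes and values compared case-insensitively)."""
    u = [(a, v.lower()) for a, v in split_dn(user_dn)]
    b = [(a, v.lower()) for a, v in split_dn(base_dn)]
    return len(u) > len(b) and u[-len(b):] == b


def parent_kind(user_dn: str) -> str:
    """Attribute type of the object's immediate parent: 'OU' for an organizational unit,
    'CN' for a container such as CN=Users, 'DC' if the object hangs directly off the domain."""
    rdns = split_dn(user_dn)
    return rdns[1][0] if len(rdns) > 1 else "DC"


def check_user_placement(user_dn: str, base_dn: str) -> Dict[str, object]:
    """Explain whether a subtree search from base_dn (the FortiGate's configured
    Distinguished Name, assumed to be the search base) can reach the user."""
    scoped = in_search_scope(user_dn, base_dn)
    parent = parent_kind(user_dn)
    if not scoped:
        verdict = ("outside the configured base DN: the search returns 0 DNs and the login "
                   "fails as an unknown user; move the user under the base DN or widen it")
    elif parent == "CN":
        verdict = ("reachable, but the user lives in a plain container such as CN=Users; "
                   "a base DN narrowed to an OU would not reach it")
    else:
        verdict = "reachable: the user is under an OU within the base DN"
    return {"in_scope": scoped, "parent": parent, "verdict": verdict}


if __name__ == "__main__":
    # Constructed examples: the domain and OU names are placeholders.
    base = "OU=Staff,DC=example,DC=local"
    for dn in ("CN=Jane Doe,CN=Users,DC=example,DC=local",
               "CN=Jane Doe,OU=Staff,DC=example,DC=local"):
        print(dn, "->", check_user_placement(dn, base)["verdict"])
```

The DN to feed in is the one fnbamd prints on its "Trying DN" line (or, when it prints "Found 0 DN's", the DN shown by the directory for that account); the base DN is the Distinguished Name on the FortiGate's LDAP server entry. A user under CN=Users with a base DN of an OU is the exact situation Jaap describes, and the check reports it as out of scope.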
Hi Joe,
I am running into a similar issue. Can you please update here how you fixed the issue?
Thanks
Anne
Hi Joe,
Not really an answer to your question but just out of interest, what type of VPN are you using for your remote users with LDAP integration?
I'm currently setting up an L2TP/IPsec VPN connection with LDAP user authentication, but we have had little to no success, so I'm looking for another solution.
Cheers
Michael
[163:root:32]login_failed:260 user[test104],auth_type=1 failed [sslvpn_login_unknown_user]
Can anyone here explain this?
The issue is happening with VPN connectivity for an LDAP user.
