adeluna2005
New Contributor

VPN SSL Error: Access Denied.

I configured an FG100E for access over SSL VPN using LDAP. Everything seems OK: I can reach the LDAP server, I can see the organizational units and even create users (LDAP and RADIUS as well), but when I try to log in from the web portal it shows "Error: Permission Denied". The portal works properly with local users created on the FG, but not for those created through the LDAP process. Does anyone know what is missing?

By the way, I am using Windows 2016 Std and an FG100E v5.4.

Thanks!

Toshi_Esumi
SuperUser

Do you have a proper policy from ssl.root to the internal destination interface with a user group specified? That user group needs to have the LDAP server as a member. If you sniff packets on the "any" interface with the LDAP server IP as the host, you won't see any auth request packets leaving the FG100E on an SSL VPN attempt if the policy is not configured properly.

adeluna2005

Yes, I have the policy from ssl.root to our internal interface, and I also added the group with the LDAP users. In the same group I included local users, and those are working properly. So that means the policy is working properly, and so is the SSL configuration.

Toshi_Esumi

Have you sniffed for the auth request going out toward the server when you attempt a connection?

If you think everything is configured correctly, the next action I would take is to open a TT with TAC.

adeluna2005

It has been solved already! For some reason, if we leave the top of the domain in the LDAP configuration, the FG only takes the "Users" container, not the users located in the other OUs. So in that field I put the OU where my users are located, and it worked!

e.g. the Distinguished Name DC=Contoso,DC=Local was replaced by OU=Unit1,DC=Contoso,DC=Local, and all OUs under "Unit1" that contain users will be validated using the DISPLAY NAME on the SSL web page (Display Name because we used cn in the "Common Name Identifier" field).

Thanks!
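As an added example that is not part of the original thread or Fortinet's own documentation, here is the FortiOS CLI equivalent of the working configuration described in the last post, together with the diagnostic commands Toshi_Esumi refers to for confirming whether an LDAP request ever leaves the FortiGate. The server object name "AD-LDAP", the domain controller address 10.10.10.5, the bind account, the group name "sslvpn-users", the test user and the CA certificate name are all assumptions.

```fortios
# Added example, not from the original post. Names and addresses are assumed.
# The DN is the search base. Starting it at OU=Unit1 means only users under
# that OU (and its child OUs) can authenticate; users elsewhere in the domain
# will get "Permission Denied".
config user ldap
    edit "AD-LDAP"
        set server "10.10.10.5"          # assumed Windows 2016 DC address
        set cnid "cn"                     # login name = AD Display Name (cn)
        set dn "OU=Unit1,DC=Contoso,DC=Local"
        set type regular                  # bind with a service account to search
        set username "CN=svc-fortigate,OU=Service,DC=Contoso,DC=Local"  # assumed
        set password SERVICE_ACCOUNT_PASSWORD   # placeholder
        # Plain LDAP on 389 carries the bind password and the user's password
        # in clear text; prefer LDAPS once the DC's CA certificate is imported.
        # set secure ldaps
        # set port 636
        # set ca-cert "Contoso-Root-CA"    # assumed name of the imported CA cert
    next
end

# Group referenced by the ssl.root -> internal firewall policy and by the
# SSL VPN portal mapping. Local users can be listed under "member" next to
# the LDAP server object, which is the mix the poster had working.
config user group
    edit "sslvpn-users"
        set member "AD-LDAP"
    next
end

# Check the server object outside the VPN: does a known user authenticate?
# With cnid "cn" the username here is the Display Name, not sAMAccountName.
diagnose test authserver ldap AD-LDAP "John Doe" "Passw0rd"

# Sniff for bind/search traffic while attempting an SSL VPN login.
# No packets at all means the policy/group never triggered an LDAP lookup.
diagnose sniffer packet any 'host 10.10.10.5 and (port 389 or port 636)' 4

# Verbose authentication daemon output shows which DN was searched and why
# a lookup failed.
diagnose debug application fnbamd -1
diagnose debug enable
# ... attempt the login, then:
diagnose debug disable
diagnose debug reset
```

Two things to check against the thread's outcome: a user under an OU that is not beneath OU=Unit1 will still be denied with this DN, so the search base has to cover every container that holds VPN users; and because cnid is "cn", users must type their AD Display Name at the portal, as the poster notes. If users should instead log in with their AD logon name, set cnid to sAMAccountName. Run the `diagnose test authserver` command first: if it fails, the problem is in the LDAP object, not in the SSL VPN policy.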
