Problem with SSL VPN LDAP authorization at realm
Hello,
I have a small problem with authorization in LDAP. In basic SSLVPN everything works fine: LDAP, FortiToken etc. But I need to create a special setting for one user (static IP address). I made a second portal (mm-portal / full access) and a second realm (/mm). The user is added to a separate group and to the portal. I'm able to open the dedicated portal, but unable to log in.
On FortiVPN I see only:
04.03.2023 17:20:22 error sslvpn date=2023-03-04 time=17:20:21 logver=1 id=96603 type=securityevent subtype=sslvpn eventtype=error level=error uid=4904307826234D2C9EC3C19FB49E5A92 devid=Fxxxxxxxxxxxxxx0 hostname=3xxxxxxxB pcdomain=mm.loc deviceip=192.168.195.1 devicemac=00-50-56-c0-00-08 site=N/A fctver=7.0.7.0345 fgtserial=Fxxxxxxxxxxxxxxxx0 emsserial=N/A os="Microsoft Windows 11 Professional Edition, 64-bit (build 22621)" user=mm@MM msg="SSLVPN tunnel connection failed" vpnstate= vpntunnel="MML VPN" vpnuser=mmlogin remotegw=ssl.mm.com.pl
On the firewall there are also very few logs:
Action | ssl-login-fail |
Reason | sslvpn_login_unknown_user |
It's strange for me, because if I open the main portal everything works fine.
Hi,
I am not sure you have configured the SSL VPN with realm properly. Kindly refer to the document below to configure SSL VPN with a realm.
https://docs.fortinet.com/document/fortigate/6.2.13/cookbook/724772/ssl-vpn-multi-realm
If you are still getting the error with a correct configuration, we need to capture the debug logs below to identify the issue.
diagnose vpn ssl debug-filter src-addr4 x.x.x.x
(x.x.x.x is the public IP address of the particular end user who is trying to connect to the VPN)
diag debug application fnbamd -1
diag debug application sslvpn -1
diag debug enable
Regards
Jamal
Have you created fw rules with the new group?
Hello, thank you. I didn't remember that Forti is using group and address as a source for VPN.
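
The fix the thread arrives at, a firewall policy whose source carries the new group and address, shown together with the realm-to-portal mapping it depends on. This is an added FortiOS CLI example, not configuration posted by anyone in the thread. Realm "mm" and portal "mm-portal" come from the original post; the group name, address object, IP, rule ID, policy name and destination interface are assumptions.

```fortios
# Added example. Only realm "mm" and portal "mm-portal" come from the thread;
# "mm-group", "mm-static-ip", 10.212.134.50, rule ID 2, "sslvpn-mm" and
# "internal" are assumed names and values.

# Single-address range used as the tunnel IP for the one user.
config firewall address
    edit "mm-static-ip"
        set type iprange
        set start-ip 10.212.134.50
        set end-ip 10.212.134.50
    next
end
config vpn ssl web realm
    edit "mm"
    next
end
config vpn ssl web portal
    edit "mm-portal"
        set tunnel-mode enable
        set ip-pools "mm-static-ip"
    next
end
# Map the group to the dedicated portal, but only when it logs in through /mm.
config vpn ssl settings
    config authentication-rule
        edit 2
            set groups "mm-group"
            set portal "mm-portal"
            set realm "mm"
        next
    end
end
# The piece missing in the thread: a policy from the SSL VPN interface
# whose source includes both the address and the new group.
config firewall policy
    edit 0
        set name "sslvpn-mm"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "mm-static-ip"
        set dstaddr "all"
        set groups "mm-group"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```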
