# FortiGate CLI excerpt: remote (LDAP) administrator, two AD LDAP servers and the
# user group that ties them together, followed by the fnbamd debug output of one
# admin login attempt. Review comments are prefixed NOTE(review).
config system admin
    # "x x x" appears to be a redaction placeholder left by the paste, not a real entry - TODO confirm
    x x x
    edit "AD_ADMINS"
        set remote-auth enable
        # NOTE(review): every trusthost is 0.0.0.0/0 and ::/0, so this admin entry accepts
        # logins from any source address; narrow these to the management networks.
        set trusthost1 0.0.0.0 0.0.0.0
        set trusthost2 0.0.0.0 0.0.0.0
        set trusthost3 0.0.0.0 0.0.0.0
        set trusthost4 0.0.0.0 0.0.0.0
        set trusthost5 0.0.0.0 0.0.0.0
        set trusthost6 0.0.0.0 0.0.0.0
        set trusthost7 0.0.0.0 0.0.0.0
        set trusthost8 0.0.0.0 0.0.0.0
        set trusthost9 0.0.0.0 0.0.0.0
        set trusthost10 0.0.0.0 0.0.0.0
        set ip6-trusthost1 ::/0
        set ip6-trusthost2 ::/0
        set ip6-trusthost3 ::/0
        set ip6-trusthost4 ::/0
        set ip6-trusthost5 ::/0
        set ip6-trusthost6 ::/0
        set ip6-trusthost7 ::/0
        set ip6-trusthost8 ::/0
        set ip6-trusthost9 ::/0
        set ip6-trusthost10 ::/0
        # NOTE(review): combined with "wildcard enable" and "remote-group FG_Admins" below,
        # every directory account that passes the FG_Admins group match becomes super_admin.
        # Group matching is therefore the only thing standing between an AD user and full
        # admin rights; see the group/member-attr comments further down.
        set accprofile "super_admin"
        set comments ''
        set vdom "root"
        set schedule ''
        # NOTE(review): no second factor on a remote super_admin account.
        set two-factor disable
        set email-to ''
        set sms-server fortiguard
        set sms-phone ''
        set guest-auth disable
        set wildcard enable
        set remote-group "FG_Admins"
        set allow-remove-admin-session enable
        set accprofile-override disable
        set radius-vdom-override disable
    next
end
####################################################################################################################
config user ldap
    edit "some_dc_server1"
        set server "192.168.x.x"
        set secondary-server ''
        set tertiary-server ''
        set source-ip 0.0.0.0
        set cnid "sAMAccountName"
        set dn "DC=something,DC=something,DC=something"
        # "regular" type: the FortiGate binds with the service account below before the user DN search.
        set type regular
        set username "some\\user"
        set password ENC xxxxxxxxxxx
        # Group membership is evaluated from a user attribute (member-attr) rather than from the
        # group object; the debug output later shows attr='msNPAllowDialin' - found 0 values and
        # then "Failed group matching", so this attribute never yields the admin_group DN.
        set group-member-check user-attr
        set group-search-base ''
        set group-filter ''
        # NOTE(review): "secure disable" with port 389 means the service-account bind and the
        # user bind both travel in cleartext; the debug output confirms plain tcps_connect to 389.
        # LDAPS or STARTTLS (set secure ldaps / starttls) with a CA cert would protect these binds.
        set secure disable
        set port 389
        set password-expiry-warning enable
        set password-renewal enable
        # NOTE(review): msNPAllowDialin is a dial-in flag, not a group-membership attribute; for
        # matching against a group DN the attribute normally queried is memberOf - verify against
        # the intended AD schema.
        set member-attr "msNPAllowDialin"
        set account-key-processing same
        set account-key-filter "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
    edit "some_dc_server2"
        # Same settings as some_dc_server1 (same DN, cleartext port 389, same member-attr),
        # so the same review notes apply here.
        set server "192.168.x.x"
        set secondary-server ''
        set tertiary-server ''
        set source-ip 0.0.0.0
        set cnid "sAMAccountName"
        set dn "DC=something,DC=something,DC=something"
        set type regular
        set username "some\\user"
        set password ENC xxxxxxxxxxxxxxx
        set group-member-check user-attr
        set group-search-base ''
        set group-filter ''
        set secure disable
        set port 389
        set password-expiry-warning enable
        set password-renewal enable
        set member-attr "msNPAllowDialin"
        set account-key-processing same
        set account-key-filter "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
end
##########################################################################################################################
config user group
    edit "SSO_Guest_Users"
        set authtimeout 0
        set http-digest-realm ''
    next
    edit "L2TP_users"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        # Members are a local user plus a remote server; the debug output shows RADIUS
        # requests to 'some-NPS-server' as well, presumably this entry - TODO confirm.
        set member "some_vpn_user" "some_NPS_server"
    next
    # Group referenced by the AD_ADMINS administrator above: membership here grants super_admin.
    edit "FG_Admins"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        # NOTE(review): "some_ddc_server1" does not match the LDAP server name "some_dc_server1"
        # used in config user ldap and in the match entries below; looks like a paste typo,
        # otherwise the group references a server that does not exist.
        set member "some_ddc_server1" "some_dc_server2"
        # Only users whose member-attr values contain this group DN match; with
        # member-attr set to msNPAllowDialin on both servers that comparison cannot succeed.
        config match
            edit 1
                set server-name "some_dc_server1"
                set group-name "CN=admin_group,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something"
            next
            edit 2
                set server-name "some_dc_server2"
                set group-name "CN=admin_group,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something"
            next
        end
    next
end
#########################################################################################################################
[358] __compose_group_list_from_req-Group 'FG_Admins'
[608] fnbamd_pop3_start-admin_test
[304] fnbamd_create_radius_socket-Opened radius socket 14
[304] fnbamd_create_radius_socket-Opened radius socket 15
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[1305] fnbamd_rad_dns_cb-192.168.x.x->192.168.x.x
[1280] __fnbamd_rad_send-Sent radius req to server 'some-NPS-server': fd=14, IP=192.168.x.x(192.168.x.x:1812) code=1 id=75 len=99 user="admin_test" using PAP
[281] radius_server_auth-Timer of rad 'some-NPS-server' is added
[717] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1549] fnbamd_ldap_init-search filter is: sAMAccountName=admin_test
[1558] fnbamd_ldap_init-search base is: DC=something,DC=something,DC=something [973] __fnbamd_ldap_dns_cb-Resolved some-DC-server1(idx 0) to 192.168.x.x [1021] __fnbamd_ldap_dns_cb-Still connecting. [1549] fnbamd_ldap_init-search filter is: sAMAccountName=admin_test [1558] fnbamd_ldap_init-search base is: DC=something,DC=something,DC=something [973] __fnbamd_ldap_dns_cb-Resolved some-DC-server2(idx 0) to 192.168.x.x [1021] __fnbamd_ldap_dns_cb-Still connecting. [517] create_auth_session-Total 3 server(s) to try [939] __ldap_connect-tcps_connect(192.168.x.x) is established. [814] __ldap_rxtx-state 3(Admin Binding) [204] __ldap_build_bind_req-Binding to 'some\user' [860] fnbamd_ldap_send-sending 36 bytes to 192.168.x.x [872] fnbamd_ldap_send-Request is sent. ID 1 [939] __ldap_connect-tcps_connect(192.168.x.x) is established. [814] __ldap_rxtx-state 3(Admin Binding) [204] __ldap_build_bind_req-Binding to 'some\user' [860] fnbamd_ldap_send-sending 36 bytes to 192.168.x.x [872] fnbamd_ldap_send-Request is sent. ID 1 [814] __ldap_rxtx-state 4(Admin Bind resp) [1064] fnbamd_ldap_recv-Response len: 16, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind [799] fnbamd_ldap_parse_response-ret=0 [881] __ldap_rxtx-Change state to 'DN search' [814] __ldap_rxtx-state 11(DN search) [592] fnbamd_ldap_build_dn_search_req-base:'DC=something,DC=something,DC=something' filter:sAMAccountName=admin_test [860] fnbamd_ldap_send-sending 88 bytes to 192.168.x.x [872] fnbamd_ldap_send-Request is sent. ID 2 [814] __ldap_rxtx-state 4(Admin Bind resp) [1064] fnbamd_ldap_recv-Response len: 16, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind [799] fnbamd_ldap_parse_response-ret=0 [881] __ldap_rxtx-Change state to 'DN search' [814] __ldap_rxtx-state 12(DN search resp) [1064] fnbamd_ldap_recv-Response len: 94, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. 
ID:2, type:search-entry [799] fnbamd_ldap_parse_response-ret=0 [1095] __fnbamd_ldap_dn_entry-Get DN 'CN=admin test,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something' [90] ldap_dn_list_add-added CN=admin test,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something [1064] fnbamd_ldap_recv-Response len: 97, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference [799] fnbamd_ldap_parse_response-ret=0 [1064] fnbamd_ldap_recv-Response len: 16, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result [799] fnbamd_ldap_parse_response-ret=0 [881] __ldap_rxtx-Change state to 'User Binding' [814] __ldap_rxtx-state 11(DN search) [592] fnbamd_ldap_build_dn_search_req-base:'DC=something,DC=something,DC=something' filter:sAMAccountName=admin_test [860] fnbamd_ldap_send-sending 88 bytes to 192.168.x.x [872] fnbamd_ldap_send-Request is sent. ID 2 [814] __ldap_rxtx-state 5(User Binding) [437] fnbamd_ldap_build_userbind_req-Trying DN 'CN=admin test,OU=Ssomething,OU=something,OU=something,DC=something,DC=something,DC=something' [204] __ldap_build_bind_req-Binding to 'CN=admin test,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something' [860] fnbamd_ldap_send-sending 132 bytes to 192.168.x.x [872] fnbamd_ldap_send-Request is sent. 
ID 3 [2497] fnbamd_auth_handle_radius_result-Timer of rad 'some-NPS-server' is deleted [1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3 [2523] fnbamd_auth_handle_radius_result-->Result for radius svr 'some-NPS-server' 192.168.x.x(1) is 1 [1338] fnbamd_radius_auth_send-Compose RADIUS request [1280] __fnbamd_rad_send-Sent radius req to server 'some-NPS-server': fd=14, IP=192.168.x.x(192.168.x.x:1812) code=1 id=76 len=163 user="admin_test" using MS-CHAPv2 [281] radius_server_auth-Timer of rad 'some-NPS-server' is added [2811] handle_auth_rsp-Continue pending for req 1642169972 [814] __ldap_rxtx-state 12(DN search resp) [1064] fnbamd_ldap_recv-Response len: 94, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry [799] fnbamd_ldap_parse_response-ret=0 [1095] __fnbamd_ldap_dn_entry-Get DN 'CN=admin test,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something' [90] ldap_dn_list_add-added CN=admin test,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something [1064] fnbamd_ldap_recv-Response len: 97, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference [799] fnbamd_ldap_parse_response-ret=0 [1064] fnbamd_ldap_recv-Response len: 16, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result [799] fnbamd_ldap_parse_response-ret=0 [881] __ldap_rxtx-Change state to 'User Binding' [814] __ldap_rxtx-state 5(User Binding) [437] fnbamd_ldap_build_userbind_req-Trying DN 'CN=admin test,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something' [204] __ldap_build_bind_req-Binding to 'CN=admin test,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something' [860] fnbamd_ldap_send-sending 132 bytes to 192.168.x.x [872] fnbamd_ldap_send-Request is sent. 
ID 3 [814] __ldap_rxtx-state 6(User Bind resp) [1064] fnbamd_ldap_recv-Response len: 16, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind [799] fnbamd_ldap_parse_response-ret=0 [881] __ldap_rxtx-Change state to 'Attr query' [814] __ldap_rxtx-state 7(Attr query) [490] fnbamd_ldap_build_attr_search_req-Adding attr 'msNPAllowDialin' [502] fnbamd_ldap_build_attr_search_req-base:'CN=admin test,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something' filter:cn=* [860] fnbamd_ldap_send-sending 134 bytes to 192.168.x.x [872] fnbamd_ldap_send-Request is sent. ID 4 [814] __ldap_rxtx-state 8(Attr query resp) [1064] fnbamd_ldap_recv-Response len: 94, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-entry [799] fnbamd_ldap_parse_response-ret=0 [503] __get_member_of_groups-Get the memberOf groups. [521] __get_member_of_groups-attr='msNPAllowDialin' - found 0 values [1064] fnbamd_ldap_recv-Response len: 16, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result [799] fnbamd_ldap_parse_response-ret=0 [1185] __fnbamd_ldap_attr_next-Auth accepted [881] __ldap_rxtx-Change state to 'Done' [814] __ldap_rxtx-state 21(Done) [860] fnbamd_ldap_send-sending 7 bytes to 192.168.x.x [872] fnbamd_ldap_send-Request is sent. ID 5 [724] __ldap_stop-svr 'some-DC-server1' [52] ldap_dn_list_del_all-Del CN=admin test,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something [2872] fnbamd_ldap_result-Result for ldap svr 192.168.x.x is SUCCESS [2879] fnbamd_ldap_result-Failed group matching !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [814] __ldap_rxtx-state 6(User Bind resp) [1064] fnbamd_ldap_recv-Response len: 16, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. 
ID:3, type:bind [799] fnbamd_ldap_parse_response-ret=0 [881] __ldap_rxtx-Change state to 'Attr query' [814] __ldap_rxtx-state 7(Attr query) [490] fnbamd_ldap_build_attr_search_req-Adding attr 'msNPAllowDialin' [502] fnbamd_ldap_build_attr_search_req-base:'CN=admin test,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something' filter:cn=* [860] fnbamd_ldap_send-sending 134 bytes to 192.168.x.x [872] fnbamd_ldap_send-Request is sent. ID 4 [2497] fnbamd_auth_handle_radius_result-Timer of rad 'some-NPS-server' is deleted [1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3 [382] extract_chap_error-CHAP err: E=649 R=0 V=3 [2523] fnbamd_auth_handle_radius_result-->Result for radius svr 'some-NPS-server' 192.168.x.x(1) is 1 [1338] fnbamd_radius_auth_send-Compose RADIUS request [1280] __fnbamd_rad_send-Sent radius req to server 'some-NPS-server': fd=14, IP=192.168.x.x(192.168.x.x:1812) code=1 id=77 len=100 user="admin_test" using CHAP [281] radius_server_auth-Timer of rad 'some-NPS-server' is added [2811] handle_auth_rsp-Continue pending for req 1642169972 [814] __ldap_rxtx-state 8(Attr query resp) [1064] fnbamd_ldap_recv-Response len: 94, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-entry [799] fnbamd_ldap_parse_response-ret=0 [503] __get_member_of_groups-Get the memberOf groups. [521] __get_member_of_groups-attr='msNPAllowDialin' - found 0 values [1064] fnbamd_ldap_recv-Response len: 16, svr: 192.168.x.x [764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result [799] fnbamd_ldap_parse_response-ret=0 [1185] __fnbamd_ldap_attr_next-Auth accepted [881] __ldap_rxtx-Change state to 'Done' [814] __ldap_rxtx-state 21(Done) [860] fnbamd_ldap_send-sending 7 bytes to 192.168.x.x [872] fnbamd_ldap_send-Request is sent. 
ID 5 [724] __ldap_stop-svr 'some-DC-server2' [52] ldap_dn_list_del_all-Del CN=admin test,OU=something,OU=something,OU=something,DC=something,DC=something,DC=something [2872] fnbamd_ldap_result-Result for ldap svr 192.168.x.x is SUCCESS [2879] fnbamd_ldap_result-Failed group matching [2497] fnbamd_auth_handle_radius_result-Timer of rad 'some-NPS-server' is deleted [1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3 [2523] fnbamd_auth_handle_radius_result-->Result for radius svr 'some-NPS-server' 192.168.x.x(1) is 1 [179] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 1642169972 [669] destroy_auth_session-delete session 1642169972