This article describes a case where credentials tested from the FortiGate succeed, but the same credentials fail during an actual SSL VPN login.
The credentials for a test user with username ‘testvpn’ and password ‘azbyc’ (already configured in the LDAP server’s AD) show that authentication succeeded when tested from the FortiGate as follows:
FW-1 # dia test authserver ldap MyLdap testvpn azbyc
authenticate 'testvpn' against 'MyLdap' succeeded! <---
Group membership(s) - CN=SSLVPNUsers,OU=SSL-VPN,DC=abc,DC=com
When using FortiClient, the error message that pops up is:
‘Unable to logon to the server. Your username or password may not be configured properly for this connection’.
When using web mode, the error is ‘Error: Authentication Failure’.
The following debugs can be run to check the SSL-VPN login failure as well:
# diagnose debug application sslvpn -1
# diagnose debug application fnbamd -1
# diagnose debug enable
It is possible to observe the following in the output of the debug:
[314:root:13]sslvpn_authenticate_user:191 authenticate user: [testvpn]
[314:root:13]sslvpn_authenticate_user:205 create fam state
[314:root:13][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[314:root:13][fam_auth_send_req_internal:438] FNBAM opt = 0X300421
invalid auth params for user 'testvpn' <-----
[314:root:13]fam_auth_send_req_internal:514 fnbam_auth return: 5
[314:root:13]fam_auth_send_req:1007 task finished with 5
[314:root:13]login_failed:393 user[testvpn],auth_type=1 failed [sslvpn_login_unknown_user] <-----
The debug output shows that no groups are sent to FNBAM (the ‘Groups sent to FNBAM:’ line is empty), so no authentication is done against the group configured in FortiGate for the LDAP users, i.e., SSLVPNUsers.
In this case, the test user ‘testvpn’ is present in the user group ‘SSLVPNUsers’, which also has the LDAP server added as a remote group.
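The following is an added example, not part of the original article and not Fortinet code: a small Python triage of saved sslvpn debug output that flags the pattern shown above (an empty ‘Groups sent to FNBAM:’ line followed by sslvpn_login_unknown_user). It assumes the leading [pid:vdom:index] tag identifies one login attempt; the known_users parameter and the second sample attempt are constructed for illustration.

```python
import re

# Constructed sample: lines from the debug above, plus one made-up attempt
# (tag 14) where the username differs only in case.
SAMPLE_DEBUG = """\
[314:root:13]sslvpn_authenticate_user:191 authenticate user: [testvpn]
[314:root:13][fam_auth_send_req_internal:426] Groups sent to FNBAM:
invalid auth params for user 'testvpn'
[314:root:13]fam_auth_send_req_internal:514 fnbam_auth return: 5
[314:root:13]login_failed:393 user[testvpn],auth_type=1 failed [sslvpn_login_unknown_user]
[314:root:14]sslvpn_authenticate_user:191 authenticate user: [TestVPN]
[314:root:14][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[314:root:14]login_failed:393 user[TestVPN],auth_type=1 failed [sslvpn_login_unknown_user]
"""

TAG_RE = re.compile(r"^\[(\d+:[^\]:]+:\w+)\]")   # assumed: one tag per attempt
USER_RE = re.compile(r"authenticate user: \[([^\]]+)\]")
GROUPS_RE = re.compile(r"Groups sent to FNBAM:(.*)$")
FAIL_RE = re.compile(
    r"login_failed:\d+ user\[([^\]]+)\],auth_type=\d+ failed \[(\w+)\]")

def triage(debug_text, known_users=()):
    """Return one finding per failed SSL VPN login in the debug text.

    known_users (hypothetical input): usernames exactly as configured.
    """
    attempts = {}   # tag -> groups text sent to FNBAM, None if not seen yet
    findings = []
    for line in debug_text.splitlines():
        tag = TAG_RE.match(line)
        if not tag:
            continue            # untagged lines, e.g. "invalid auth params"
        key = tag.group(1)
        if USER_RE.search(line):
            attempts[key] = None            # a new attempt starts on this tag
        elif m := GROUPS_RE.search(line):
            attempts[key] = m.group(1).strip()
        elif m := FAIL_RE.search(line):
            user, reason = m.groups()
            no_groups = attempts.get(key) == ""
            # A configured name that matches only when case is ignored.
            hint = next((k for k in known_users
                         if k != user and k.casefold() == user.casefold()), None)
            findings.append({
                "user": user, "reason": reason, "no_groups_sent": no_groups,
                "check_portal_mapping":
                    no_groups and reason == "sslvpn_login_unknown_user",
                "case_mismatch_with": hint})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_DEBUG, known_users=("testvpn",)):
        print(finding)
```

A finding with check_portal_mapping set points at the checks listed under Solution; case_mismatch_with names the configured username that the typed one matches only when case is ignored.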
Scope
FortiGate.
Solution
To resolve this, ensure that the configured group is present in the ‘Authentication/Portal Mapping’ section of the SSL VPN settings.
Next, ensure that this user group is added to the corresponding firewall policy as well.
Finally, confirm that while trying to log in to the VPN, the username is typed in properly since it is ‘case-sensitive’.
After this, the user can successfully authenticate with the same credentials via FortiClient as well as web-mode.
Hence, to authenticate over SSL VPN successfully you would need:
- The same user/group added to the SSL VPN portal mapping so that after authentication, SSL VPN can map the user to the correct SSL VPN portal.
- A valid firewall policy with the user/group and with source interface ‘ssl.root’.
- The exact lower-case and upper-case letters in the username, since it is case-sensitive.