Solved: How do I fix SSL VPN with LDAP when the user credential check passes on the FortiGate but the actual login fails?

This article describes the case where an LDAP credential check run from the FortiGate succeeds, but the same credentials fail at the actual SSL VPN log-in.

The credentials of a test user with username ‘testvpn’ and password ‘azbyc’ (already configured in the LDAP server’s AD) show a successful authentication when tested from the FortiGate CLI as follows:

FW-1 # dia test authserver ldap MyLdap testvpn azbyc
authenticate 'testvpn' against 'MyLdap' succeeded! <---
Group membership(s) - CN=SSLVPNUsers,OU=SSL-VPN,DC=abc,DC=com

When using FortiClient, the error message that pops up is:

‘Unable to logon to the server. Your username or password may not be configured properly for this connection’.

When using web mode, then the error is ‘Error: Authentication Failure’.

The following debugs can be run to check the SSL-VPN login failure as well:

# diagnose debug application sslvpn -1
# diagnose debug application fnbamd -1
# diagnose debug enable

The debug output shows the following:

[314:root:13]sslvpn_authenticate_user:191 authenticate user: [testvpn]
[314:root:13]sslvpn_authenticate_user:205 create fam state
[314:root:13][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[314:root:13][fam_auth_send_req_internal:438] FNBAM opt = 0X300421
invalid auth params for user 'testvpn' <-----
[314:root:13]fam_auth_send_req_internal:514 fnbam_auth return: 5
[314:root:13]fam_auth_send_req:1007 task finished with 5
[314:root:13]login_failed:393 user[testvpn],auth_type=1 failed [sslvpn_login_unknown_user] <-----

The debugs show that, although the LDAP bind itself succeeds, no authorization is done against the group configured on the FortiGate for the LDAP users, i.e. SSLVPNUsers: the ‘Groups sent to FNBAM’ line is empty, fnbam_auth returns 5, and the login is rejected as sslvpn_login_unknown_user.

In this case, the test user ‘testvpn’ is a member of the user group ‘SSLVPNUsers’, which also contains the LDAP server (remote group).

Scope

FortiGate.

Solution

To resolve this, ensure that the configured group is present in the ‘Authentication/Portal Mapping’ section of the SSL VPN settings.

Next, ensure that this user group is added to the corresponding firewall policy as well.

Finally, confirm that the username is typed exactly as configured when logging in to the VPN, since it is case-sensitive.

After this, the user can successfully authenticate with the same credentials via FortiClient as well as web-mode.

Hence, to authenticate over SSL VPN successfully you need:

  • Same user/group added to the SSL VPN portal mapping so that after authentication, SSL VPN can map the user to the correct SSL VPN portal.
  • A valid firewall policy with the user/group with source interface ‘ssl.root’.
  • The exact upper- and lower-case letters in the username, since it is case-sensitive.
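The two configuration prerequisites above, expressed as FortiOS CLI, as an added example that is not part of the original article. ‘SSLVPNUsers’ and ‘ssl.root’ come from the article; the portal name ‘full-access’, the policy ID and name, the LAN interface ‘port2’ and the address object ‘SSLVPN_TUNNEL_ADDR1’ are assumed values to adapt to your own setup.

```fortios
# 1) Authentication/Portal Mapping: map the LDAP-backed group to a portal.
#    Without this rule the group list sent to FNBAM is empty and the
#    login fails with sslvpn_login_unknown_user even though LDAP bind works.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "SSLVPNUsers"
            set portal "full-access"      # assumed portal name
        next
    end
end

# 2) Firewall policy from the SSL VPN interface that carries the same group.
config firewall policy
    edit 10                                # assumed policy ID
        set name "SSLVPN-to-LAN"           # assumed name
        set srcintf "ssl.root"
        set dstintf "port2"                # assumed LAN interface
        set srcaddr "SSLVPN_TUNNEL_ADDR1"  # assumed tunnel address object
        set dstaddr "all"
        set groups "SSLVPNUsers"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying both, re-run the sslvpn/fnbamd debugs from the article: the ‘Groups sent to FNBAM’ line should now list SSLVPNUsers and fnbam_auth should no longer return 5.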

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
