Hot!Bug in 6.0.6 SSLVPN/LDAP user auth?

Author
kallbrandt
Silver Member
  • Total Posts : 95
  • Scores: 18
  • Reward points: 0
  • Joined: 2016/05/21 11:21:05
  • Status: offline
2019/08/13 14:47:14 (permalink)
0

Bug in 6.0.6 SSLVPN/LDAP user auth?

Just my findings about this. Someone else might be drowning in the same marsh..
 
I had serious problems with a client's 600D not honoring the configured LDAP groups for VPN authentication. It turned out that the Fortigate authenticated all users against radius... No radius users are configured. But during the auth sequence, the firewall check for radius config, then tacacs config, then ldap. If it finds a radius server, it proceeds to authenticate the users on that! I am still waiting for the TAC to tell me if this really is the expected behaviour, but I suspect not. It would be impossible to use more then one type of authentication server then. Well, as it is now at least. The solution for me was to remove the radius config - Hey presto! LDAP works, groups are honored!
 
Or wait, there was a 2nd snafu: LDAPS was configured, all checks were green in gui. But LDAP auth fails with "unsupported protocol" when you do your diag debug on auth...

Richie
NSE7
#1

9 Replies Related Threads

    Toshi Esumi
    Expert Member
    • Total Posts : 1623
    • Scores: 137
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Bug in 6.0.6 SSLVPN/LDAP user auth? 2019/08/13 15:03:50 (permalink)
    0
    My understanding was it's supposed to send an auth request to all remote auth servers configured in the group(s). I don't know the exact decision making process if multiple servers replied with conflicting answers: "pass" and "deny", though. Was that working fine with 6.0.5? Or which version did you upgraded the 600D from, then found this problem?
    #2
    kgipe
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/11/02 14:09:07
    • Status: offline
    Re: Bug in 6.0.6 SSLVPN/LDAP user auth? 2019/08/13 20:47:54 (permalink)
    0
    We actually just ran into this same issue and have a ticket in on it.  In our case, we added in a new Radius server and user group but had not even applied it anywhere and it started trying to authenticate SSL VPN users against it.  I don't know if it was the same on 6.0.5 as I added the Radius server in after upgrade.
    #3
    kallbrandt
    Silver Member
    • Total Posts : 95
    • Scores: 18
    • Reward points: 0
    • Joined: 2016/05/21 11:21:05
    • Status: offline
    Re: Bug in 6.0.6 SSLVPN/LDAP user auth? 2019/08/13 23:54:58 (permalink)
    0
    toshiesumi
    My understanding was it's supposed to send an auth request to all remote auth servers configured in the group(s). I don't know the exact decision making process if multiple servers replied with conflicting answers: "pass" and "deny", though. Was that working fine with 6.0.5? Or which version did you upgraded the 600D from, then found this problem?


    The thing is - the radius servers was NOT configured in any groups or users - They were just present in the config and reachable.

    Richie
    NSE7
    #4
    kallbrandt
    Silver Member
    • Total Posts : 95
    • Scores: 18
    • Reward points: 0
    • Joined: 2016/05/21 11:21:05
    • Status: offline
    Re: Bug in 6.0.6 SSLVPN/LDAP user auth? 2019/08/13 23:58:23 (permalink)
    0
    kgipe
    We actually just ran into this same issue and have a ticket in on it.  In our case, we added in a new Radius server and user group but had not even applied it anywhere and it started trying to authenticate SSL VPN users against it.  I don't know if it was the same on 6.0.5 as I added the Radius server in after upgrade.


    Aha! That kinda screams bug to me... We upgraded the firewall all the way from 5.2.14 -->6.0.6 via the supported upgrade path. I don't know about the firmware versions inbetween, but this was not a problem in 5.2.13.
    Anyway, for our setup, it is solvable, but if you depend on your radius for other things, you're kinda toast right now. Let's hope for a fix soonish.

    Richie
    NSE7
    #5
    Toshi Esumi
    Expert Member
    • Total Posts : 1623
    • Scores: 137
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Bug in 6.0.6 SSLVPN/LDAP user auth? 2019/08/14 08:54:47 (permalink)
    0
    Probably that's the key - NOT configured in any groups - in other words, not used. In our office we use FGT60E w/ 6.0.5 and it has two different sets of RADIUS servers for WiFi and admin user authentication. But so far it's acting as expected after upgraded from 5.6.6.
    #6
    kallbrandt
    Silver Member
    • Total Posts : 95
    • Scores: 18
    • Reward points: 0
    • Joined: 2016/05/21 11:21:05
    • Status: offline
    Re: Bug in 6.0.6 SSLVPN/LDAP user auth? 2019/08/14 12:22:03 (permalink)
    0
    I actually tried to configure a few radius groups, didn't make any difference.
     
    So, you'll have to upgrade to 6.0.6 to find out. :-)

    Richie
    NSE7
    #7
    Toshi Esumi
    Expert Member
    • Total Posts : 1623
    • Scores: 137
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Bug in 6.0.6 SSLVPN/LDAP user auth? 2019/08/14 13:08:26 (permalink)
    0
    Either of you, please let the rest of us know when you get a bug ID. By that time you would know more about the conditions.
    I was planning to upgrade our 60E cluster to 6.0.6 in a couple of weeks. I'll test auth for two different user groups w/ different RADIUS servers. Then if it doesn't work as expected, I'll revert it (swap the partitions) to go back to 6.0.5.
    #8
    Alivo_ FTNT
    Silver Member
    • Total Posts : 71
    • Scores: 22
    • Reward points: 0
    • Joined: 2013/04/30 12:42:47
    • Location: Fortinet TAC Prague
    • Status: offline
    Re: Bug in 6.0.6 SSLVPN/LDAP user auth? 2019/08/19 04:46:20 (permalink)
    0
    Hello kallbrandt,
    Do you have in you RADIUS configuration :
    "set all-usergroup enable" ?


    #9
    kallbrandt
    Silver Member
    • Total Posts : 95
    • Scores: 18
    • Reward points: 0
    • Joined: 2016/05/21 11:21:05
    • Status: offline
    Re: Bug in 6.0.6 SSLVPN/LDAP user auth? 2019/08/19 08:18:41 (permalink)
    0
    Nope, but I think I just found the reason. It seems that radius authentication was triggered by several separate events. We had an old radius policy that sent back a vendor specific option that applied a non-existing user-group (something was obviously setup for testing in back in 2015 or so, with a usergroup that must have existed back then). The radius policy was pretty much wide open, an active account was enough. The Fortigate was triggered to continue to auth all users with Radius after that. I guess because the vendor specific option was returned to the fw, it decided to go with radius auth. I have no other explanation. When I removed the vendor specific option, radius was not triggered. Note once again that NO radius users NOR groups is configured. Everything is using LDAP. IMHO, radius auth should not be triggered if no users/groups are configured, but I guess this "exploit" is not that practical to make use of, since it requires admin access to the fw in order to set the radius up.

    Richie
    NSE7
    #10
    Jump to:
    © 2019 APG vNext Commercial Version 5.5