Two-Factor SSL VPN - Invalid HTTP Request

Author
tripley
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/03/19 13:52:51
  • Status: offline
2019/12/10 20:38:25 (permalink)
0

Two-Factor SSL VPN - Invalid HTTP Request

This isn't a production environment.  Just playing around at home, but I can't seem to get it to work.
 
I have a 30E with the two built in mobile Fortitokens.  I assigned a mobile token to a local user.  Loaded the App onto my Android phone and linked it via the QR code.  Configured a basic SSL VPN portal.

When I login it asks me for a user/pass, then I enter the token from my app.  It gives me an error "Invalid HTTP request".
 
If I disable two-factor for that local user I can login to the portal no problem and access resources.
 
I can't seem to find any logs indicating any issue.
 
What should I check?  FortiOS 6.2.2 on a FortiGate 30E.
#1


    HarK0nNeN
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/12/19 07:55:43
    • Status: offline
    Re: Two-Factor SSL VPN - Invalid HTTP Request 2019/12/19 08:05:45 (permalink)
    0
     
    Hi,
     
    I am also experiencing the same issue as above. I have been racking my brain over this for the past few days. It just doesn't make sense, even though I am following the Forti guides.
     
    e.g. https://docs.fortinet.com...le-push-authentication minus the FTM part, I just leave that part out, but everything else is pretty much the same/similar. For reference, I did implement the FTM part and it still fails anyway.

    I used this to debug my logs https://kb.fortinet.com/k....do?externalID=FD38804
     
    I am not running any LDAP or Radius or FortiAuthenticator, just a fortigate, local user and a mobile fortitoken.
     
    The user has already been assigned a FortiToken. I have deleted the user and recreated the user, deleted the trial tokens and imported them again, and redid all my SSL VPN portal settings and firewall policies.
     
    It works with a normal local user with NO 2FA/OTP, but as soon as I use the 2FA user it just pops up the HTTP INVALID Request. Absolutely driving me mad.
     
    Logs below of the sslvpn/auth/fnbamd
     
     
    2019-12-19 23:50:01 [610:root:31d]SSL state:before SSL initialization (1.1.1.1)
    2019-12-19 23:50:01 [610:root:31d]SSL state:before SSL initialization (1.1.1.1)
    2019-12-19 23:50:01 [610:root:31d]client cert requirement: no
    2019-12-19 23:50:01 [610:root:31d]SSL state:SSLv3/TLS read client hello (1.1.1.1)
    2019-12-19 23:50:01 [610:root:31d]SSL state:SSLv3/TLS write server hello (1.1.1.1)
    2019-12-19 23:50:01 [610:root:31d]SSL state:SSLv3/TLS write change cipher spec (1.1.1.1)
    2019-12-19 23:50:01 [610:root:31d]SSL state:SSLv3/TLS write finished (1.1.1.1)
    2019-12-19 23:50:01 [610:root:31d]SSL state:SSLv3/TLS write finished:system lib(1.1.1.1)
    2019-12-19 23:50:01 [610:root:31d]SSL state:SSLv3/TLS write finished (1.1.1.1)
    2019-12-19 23:50:01 [610:root:31d]SSL state:SSLv3/TLS read change cipher spec (1.1.1.1)
    2019-12-19 23:50:01 [610:root:31d]SSL state:SSLv3/TLS read finished (1.1.1.1)
    2019-12-19 23:50:01 [610:root:31d]SSL state:SSL negotiation finished successfully (1.1.1.1)
    2019-12-19 23:50:01 [610:root:31d]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA
    2019-12-19 23:50:01 [610:root:31d]req: /remote/logincheck
    2019-12-19 23:50:01 [610:root:31d]rmt_web_auth_info_parser_common:470 no session id in auth info
    2019-12-19 23:50:01 [610:root:31d]rmt_web_access_check:720 access failed, uri=[/remote/logincheck],ret=4103,
    2019-12-19 23:50:01 [610:root:31d]User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    2019-12-19 23:50:01 [610:root:31d]rmt_logincheck_cb_handler:1188 user 'user' has a matched local entry.
    2019-12-19 23:50:01 [610:root:31d]sslvpn_auth_check_usrgroup:2035 forming user/group list from policy.
    2019-12-19 23:50:01 [610:root:31d]sslvpn_auth_check_usrgroup:2141 got user (0) group (1:0).
    2019-12-19 23:50:01 [610:root:31d]sslvpn_validate_user_group_list:1638 validating with SSL VPN authentication rules (0), realm ().
    2019-12-19 23:50:01 [610:root:31d]sslvpn_validate_user_group_list:1959 got user (0:0), group (1:0) peer group (0).
    2019-12-19 23:50:01 [610:root:31d]two factor check for user: off
    2019-12-19 23:50:01 [610:root:31d]sslvpn_authenticate_user:191 authenticate user: [user]
    2019-12-19 23:50:01 [610:root:31d]sslvpn_authenticate_user:198 create fam state
    2019-12-19 23:50:01 [610:root:31d]fam_auth_send_req:583 with server blacklist:
    2019-12-19 23:50:01 2019-12-19 23:50:01 [2343] handle_req-Rcvd auth_token req 1643548706 for user in SSLVPN_PORTAL_USERS
    2019-12-19 23:50:01 [409] __compose_group_list_from_req-Group 'SSLVPN_PORTAL_USERS'
    2019-12-19 23:50:01 [610:root:31d]2019-12-19 23:50:01 [712] create_auth_token_session-Created auth token session 1643548706
    fam_auth_send_req_internal:461 fnbam_auth return: 7
    2019-12-19 23:50:11 [610:root:31d]SSL state:warning close notify (1.1.1.1)
    2019-12-19 23:50:11 [610:root:31d]sslConnGotoNextState:303 error (last state: 1, closeOp: 0)
    2019-12-19 23:50:11 [610:root:31d]Destroy sconn 0x74f0c080, connSize=0. (root)
    2019-12-19 23:50:15 authd_epoll_work: timeout 9910
    2019-12-19 23:50:15 authd_epoll_work: timeout 9900
    2019-12-19 23:50:25 authd_timer_run: 3 expired
    2019-12-19 23:50:25 authd_epoll_work: timeout 60000
    2019-12-19 23:50:25 authd_timer_run: 3 expired
    2019-12-19 23:50:25 authd_epoll_work: timeout 60000
    2019-12-19 23:50:25 authd_timer_run: 3 expired
    2019-12-19 23:50:25 authd_epoll_work: timeout 60000
    2019-12-19 23:50:28 [610:root:31e]allocSSLConn:289 sconn 0x74f0c080 (0:root)
    2019-12-19 23:50:28 [610:root:31e]SSL state:before SSL initialization (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31e]SSL state:before SSL initialization (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31e]client cert requirement: no
    2019-12-19 23:50:28 [610:root:31e]SSL state:SSLv3/TLS read client hello (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31e]SSL state:SSLv3/TLS write server hello (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31e]SSL state:SSLv3/TLS write change cipher spec (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31e]SSL state:SSLv3/TLS write finished (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31e]SSL state:SSLv3/TLS write finished:system lib(1.1.1.1)
    2019-12-19 23:50:28 [610:root:31e]SSL state:SSLv3/TLS write finished (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31e]SSL state:SSLv3/TLS read change cipher spec (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31e]SSL state:SSLv3/TLS read finished (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31e]SSL state:SSL negotiation finished successfully (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31e]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA
    2019-12-19 23:50:28 [610:root:31e]req: /remote/logincheck
    2019-12-19 23:50:28 [610:root:31e]rmt_web_auth_info_parser_common:470 no session id in auth info
    2019-12-19 23:50:28 [610:root:31e]rmt_web_access_check:720 access failed, uri=[/remote/logincheck],ret=4103,
    2019-12-19 23:50:28 [610:root:31e]User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    2019-12-19 23:50:28 [610:root:31e]rmt_logincheck_cb_handler:1188 user 'user' has a matched local entry.
    2019-12-19 23:50:28 [610:root:31e]got checking id %lx-0
    2019-12-19 23:50:28 [610:root:31e]1389 magic checked failed.
    2019-12-19 23:50:28 [610:root:31e]req: /remote/error?msg=400
    2019-12-19 23:50:28 [610:root:0]sslvpn_find_err_msg_array:339 Can't find the value for key: 400
    2019-12-19 23:50:28 [610:root:31e]rmt_error_cb_handler:126 Can't get corresponding message for key 400. Use the default error message.
    2019-12-19 23:50:28 [610:root:31e]req: /sslvpn/css/ssl_style.css
    2019-12-19 23:50:28 [610:root:31e]mza: 0x14a7de8 /sslvpn/css/ssl_style.css
    2019-12-19 23:50:28 [610:root:31f]allocSSLConn:289 sconn 0x74f0c780 (0:root)
    2019-12-19 23:50:28 [610:root:31f]SSL state:before SSL initialization (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31f]SSL state:before SSL initialization (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31f]client cert requirement: no
    2019-12-19 23:50:28 [610:root:31f]SSL state:SSLv3/TLS read client hello (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31f]SSL state:SSLv3/TLS write server hello (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31f]SSL state:SSLv3/TLS write change cipher spec (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31f]SSL state:SSLv3/TLS write finished (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31f]SSL state:SSLv3/TLS write finished:system lib(1.1.1.1)
    2019-12-19 23:50:28 [610:root:31f]SSL state:SSLv3/TLS write finished (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31f]SSL state:SSLv3/TLS read change cipher spec (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31f]SSL state:SSLv3/TLS read finished (1.1.1.1)
    2019-12-19 23:50:28 [610:root:31f]SSL state:SSL negotiation finished successfully (1.1.1.1)

     
    For whatever reason, my session info or auth info is not passing through? Which I assume is my token, and that is why my magic auth is failing. Frustrating!
     
    Is this a bug? pls help :(
     
    #2
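Added example (not code from the poster or from Fortinet): a small Python triage script that groups the sslvpn debug output quoted above by connection id (the third field of the `[pid:vdom:conn]` tag) and reports what happened to each `/remote/logincheck` request. It makes the two attempts easy to compare: the first connection reaches fnbamd, the second is rejected with "magic checked failed" and redirected to the error page. The sample lines are copied from the post (handshake noise trimmed); the script assumes that untagged fnbamd/authd lines belong to the most recently tagged connection, and it does not interpret the numeric fnbam_auth return code, which the thread does not document.

```python
import re

# Sample input: lines copied from the sslvpn debug output quoted in the post above
# (trimmed to the lines that carry auth state; the SSL handshake noise is left out).
SAMPLE_LOG = """\
2019-12-19 23:50:01 [610:root:31d]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA
2019-12-19 23:50:01 [610:root:31d]req: /remote/logincheck
2019-12-19 23:50:01 [610:root:31d]rmt_web_auth_info_parser_common:470 no session id in auth info
2019-12-19 23:50:01 [610:root:31d]rmt_web_access_check:720 access failed, uri=[/remote/logincheck],ret=4103,
2019-12-19 23:50:01 [610:root:31d]rmt_logincheck_cb_handler:1188 user 'user' has a matched local entry.
2019-12-19 23:50:01 [610:root:31d]two factor check for user: off
2019-12-19 23:50:01 [610:root:31d]sslvpn_authenticate_user:191 authenticate user: [user]
2019-12-19 23:50:01 [610:root:31d]fam_auth_send_req:583 with server blacklist:
2019-12-19 23:50:01 2019-12-19 23:50:01 [2343] handle_req-Rcvd auth_token req 1643548706 for user in SSLVPN_PORTAL_USERS
fam_auth_send_req_internal:461 fnbam_auth return: 7
2019-12-19 23:50:11 [610:root:31d]SSL state:warning close notify (1.1.1.1)
2019-12-19 23:50:28 [610:root:31e]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA
2019-12-19 23:50:28 [610:root:31e]req: /remote/logincheck
2019-12-19 23:50:28 [610:root:31e]rmt_web_auth_info_parser_common:470 no session id in auth info
2019-12-19 23:50:28 [610:root:31e]rmt_logincheck_cb_handler:1188 user 'user' has a matched local entry.
2019-12-19 23:50:28 [610:root:31e]got checking id %lx-0
2019-12-19 23:50:28 [610:root:31e]1389 magic checked failed.
2019-12-19 23:50:28 [610:root:31e]req: /remote/error?msg=400
"""

# One sslvpnd line: timestamp, then [pid:vdom:connection-id], then the message.
TAGGED_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'\[(?P<pid>\d+):(?P<vdom>\w+):(?P<conn>[0-9a-f]+)\](?P<msg>.*)$')
REQ_RE = re.compile(r'req: (\S+)')
USER_RE = re.compile(r"user '([^']+)' has a matched local entry")
TWOFA_RE = re.compile(r'two factor check for user: (\w+)')
FNBAM_RE = re.compile(r'fnbam_auth return: (\d+)')
ERRMSG_RE = re.compile(r'/remote/error\?msg=(\d+)')
# Messages that mark a rejected login in this thread (the second one is from the 6.2.3 follow-up post).
FAIL_MARKERS = ('magic checked failed', 'sslvpn_login_unknown_user')


def parse_sslvpn_debug(text):
    """Group the debug output by connection id and pull out the auth-related state."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TAGGED_RE.match(line)
        if m:
            current = m.group('conn')
            msg = m.group('msg')
        else:
            # Assumption: fnbamd/authd lines carry no [pid:vdom:conn] tag, so they are
            # attributed to the connection that was active when they were emitted.
            if current is None:
                continue
            msg = line
        c = conns.setdefault(current, {
            'requests': [], 'user': None, 'two_factor': None,
            'fnbam_ret': None, 'error_msg': None, 'failures': []})
        if (r := REQ_RE.search(msg)):
            c['requests'].append(r.group(1))
        if (u := USER_RE.search(msg)):
            c['user'] = u.group(1)
        if (t := TWOFA_RE.search(msg)):
            c['two_factor'] = t.group(1)
        if (f := FNBAM_RE.search(msg)):
            c['fnbam_ret'] = int(f.group(1))
        if (e := ERRMSG_RE.search(msg)):
            c['error_msg'] = int(e.group(1))
        for marker in FAIL_MARKERS:
            if marker in msg:
                c['failures'].append(marker)
    return conns


def diagnose(conns):
    """Turn the per-connection state into one-line findings for each login attempt."""
    findings = []
    for conn, c in conns.items():
        if '/remote/logincheck' not in c['requests']:
            continue  # static asset fetches, error pages etc. are not login attempts
        if c['failures']:
            findings.append(f"conn {conn}: /remote/logincheck for user {c['user']!r} rejected "
                            f"({', '.join(c['failures'])}; error page msg={c['error_msg']})")
        elif c['fnbam_ret'] is not None:
            findings.append(f"conn {conn}: /remote/logincheck for user {c['user']!r} passed to fnbamd "
                            f"(two factor check: {c['two_factor']}, fnbam_auth return {c['fnbam_ret']})")
        else:
            findings.append(f"conn {conn}: /remote/logincheck for user {c['user']!r} with no auth result logged")
    return findings


if __name__ == '__main__':
    for finding in diagnose(parse_sslvpn_debug(SAMPLE_LOG)):
        print(finding)
```

Run it against a full `diagnose debug application sslvpn -1` / `fnbamd -1` capture instead of the embedded sample and the two findings show the split the poster describes: the password stage (connection 31d) hands off to fnbamd, while the token stage (connection 31e) never reaches authentication and is redirected to `/remote/error?msg=400`, the "Invalid HTTP request" page.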
    HarK0nNeN
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/12/19 07:55:43
    • Status: offline
    Re: Two-Factor SSL VPN - Invalid HTTP Request 2019/12/19 18:14:58 (permalink)
    0
    Just to reply to my post,
     
    Apparently there is a possibility of a bug in 6.2.2 with the FortiToken on SoC3 platforms with SSL VPN.
    https://docs.fortinet.com/document/fortigate/6.2.2/fortios-release-notes/501077/mobile-token-authentication
     
    Also it was just announced today that 6.2.3 has been released and supposedly fixed this issue. 
    I will download the new firmware and upgrade to see if this fixes it.
    #3
    cossairt
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/12/20 14:32:04
    • Status: offline
    Re: Two-Factor SSL VPN - Invalid HTTP Request 2019/12/20 14:51:08 (permalink)
    0
    Thanks for the post. I was experiencing the same issue and upgraded to 6.2.3 on a FWF 60E, and it resolved the issue.
    #4
    tripley
    New Member
    • Total Posts : 5
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/03/19 13:52:51
    • Status: offline
    Re: Two-Factor SSL VPN - Invalid HTTP Request 2019/12/31 12:28:01 (permalink)
    0
    Update - I have upgraded to 6.2.3, however 2FA still does not work.
     
    I get Error:Permission denied instead.  Logs indicate "sslvpn_login_unknown_user".  However, when I turn off 2FA for that user I can login fine.
     
    So some progress has been made with 6.2.3, but I'm still running into issues.
    #5