SSLVPN User not able to authenticate

Author
kenm30018
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/01/16 15:19:52
  • Status: offline
2020/07/28 14:10:39 (permalink)
0

SSLVPN User not able to authenticate

I'm trying to set up a user to be able to log in to an SSLVPN portal with the FortiAuthenticator, and I believe I've got things set up correctly, but the Authenticator logs show:

Remote LDAP user authentication with email token failed: user not filtered by groups

And I'm not sure if that means on the FortiAuthenticator or on the FortiGate unit. The user is a remote user and is in a group on the FortiAuthenticator. I also have a group on the FortiGate, so I'm not sure where I'm going wrong.
 
Thanks,
Kenn
#1

1 Reply

xsilver_FTNT
Expert Member
  • Total Posts : 547
  • Scores: 143
  • Reward points: 0
  • Joined: 2015/02/02 03:22:58
  • Location: EMEA
  • Status: offline
Re: SSLVPN User not able to authenticate 2020/09/21 07:41:14 (permalink)
0
If the log message is from FortiAuthenticator (FAC), as it seems to me, then it speaks about FAC.
If you do have users from LDAP, then how did you give them to FortiGate (FGT)? Via RADIUS?
If RADIUS is between FGT and FAC (the usual setup), then FAC has LDAP as backend.
And if LDAP is the backend, then how is it connected to the RADIUS Clients setup on FAC?

If it's a pure 'realm' used in FAC > Authentication > RADIUS Service > and clients config, simply pointing to LDAP, then how do you have tokens bound?
As you spoke about tokens, I guess you synced/imported users from LDAP to FAC, equipped them with tokens, or set them to use an email token. So you should have those users grouped in a FAC user group. Then the RADIUS Client with the LDAP realm has to have the group filter enabled and this group used.
This way FAC will read data about synced users from FAC, based on group membership and the state of the user on FAC (and users are usually synced via Remote User Sync Rules as Remote Users).
This way FAC will check known users, and not just proxy auth requests from RADIUS to LDAP.

More details on where, in which phase, the auth fails would make the situation a bit clearer.



Tom xSilver, planet Earth, over and out!
#2
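The decision path the reply describes (RADIUS client realm pointing at LDAP, optional group filter, users synced onto FAC and bound to a token) can be modelled in a few lines to show where the "user not filtered by groups" message comes from. The following is an added example written for this thread, not FortiAuthenticator code or an official Fortinet API: the user, group and client names, the `authenticate` and `failure_side` functions, and the outcome strings are assumptions, chosen to mirror the log text quoted in the question.

```python
"""Model of a FortiAuthenticator (FAC) RADIUS-client decision path.

Constructed example for the thread above, not FAC source code. It reproduces
the log line from the question ("user not filtered by groups") from a group
mismatch between the synced user and the RADIUS client's group filter, then
shows the corrected configuration passing the same check.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class FacUser:
    """A remote user synced onto FAC (normally via a Remote User Sync Rule)."""
    name: str
    groups: Set[str]                 # FAC user groups the user belongs to
    token: Optional[str] = None      # "email", "ftk", ... or None when no token is bound
    synced: bool = True


@dataclass
class RadiusClient:
    """RADIUS client entry under FAC > Authentication > RADIUS Service > Clients."""
    realm_backend: str               # assumed "ldap": realm points at the remote LDAP server
    group_filter_enabled: bool
    allowed_groups: Set[str] = field(default_factory=set)


def authenticate(client: RadiusClient, users: Dict[str, FacUser],
                 username: str, ldap_password_ok: bool) -> str:
    """Return a log-style outcome string for one RADIUS access request.

    Rules as described in the reply:
    - group filter disabled: FAC only proxies the password check to LDAP,
      so no FAC user record and no token are involved.
    - group filter enabled: the user must exist on FAC (synced) and sit in
      one of the client's allowed groups; otherwise the request is rejected
      with 'user not filtered by groups'.
    - a synced, group-matched user with a bound token moves on to the
      second factor (not modelled further here).
    """
    if not ldap_password_ok:
        return "Remote LDAP user authentication failed: invalid credentials"

    if not client.group_filter_enabled:
        return "Remote LDAP user authentication succeeded (proxied to LDAP, no token check)"

    user = users.get(username)
    if user is None or not user.synced:
        return "Remote LDAP user authentication failed: user not found on FAC"

    token_desc = f"with {user.token} token" if user.token else "without token"
    if not (user.groups & client.allowed_groups):
        return f"Remote LDAP user authentication {token_desc} failed: user not filtered by groups"

    return f"Remote LDAP user authentication {token_desc}: group check passed, second factor pending"


def failure_side(outcome: str) -> str:
    """Classify which component produced a failure, answering the question's
    'FAC or FGT?' for this model: group and sync failures are FAC-side,
    credential failures come from the LDAP backend, anything else is not a failure."""
    if "not filtered by groups" in outcome or "user not found on FAC" in outcome:
        return "FAC"
    if "invalid credentials" in outcome:
        return "LDAP"
    return "none"


# Constructed sample data (assumed names, not from the thread).
USERS = {
    "kenn": FacUser(name="kenn", groups={"vpn-users"}, token="email"),
}
# Misconfiguration: the RADIUS client filters on a group the user is not in.
MISCONFIGURED = RadiusClient(realm_backend="ldap", group_filter_enabled=True,
                             allowed_groups={"sslvpn-group"})
# Fix: filter on the FAC user group that actually holds the synced user.
FIXED = RadiusClient(realm_backend="ldap", group_filter_enabled=True,
                     allowed_groups={"vpn-users"})


if __name__ == "__main__":
    for label, client in (("misconfigured", MISCONFIGURED), ("fixed", FIXED)):
        outcome = authenticate(client, USERS, "kenn", ldap_password_ok=True)
        print(f"{label:>13}: {outcome} [failure side: {failure_side(outcome)}]")
```

Running the script prints the exact log line from the question for the misconfigured client and a passing group check for the fixed one; the `failure_side` classification supports the reply's point that this message is generated on FAC, before anything reaches the FortiGate group.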