IPsec/SSL VPN

SSL VPN realms with Active Directory (LDAPS) authentication: fails when user is a member of multiple AD groups


    Hi

    I have an FG500E cluster configured for SSL VPN with multiple realms (users, itstaff, other).
    I'm remote authenticating to MS Active Directory.
    "users" realm points to AD group "users"
    "itstaff" realm points to AD group "itstaff"
    "other" realm points to AD group "other"

    There is a search order performed by the Fortinet against the MS AD LDAP(S) server.
    If the end-user is a member of only one AD group, and they specify the appropriate realm, all is fine.
    If the end-user is a member of multiple AD groups (i.e. a member of both "users" and "itstaff"):
    - if they specify the "users" realm, the auth fails (as the first AD hit/match is on the "itstaff" permission group).
    - if they specify the "itstaff" realm, the auth succeeds (as the first AD hit/match is on the "itstaff" permission group).

    This was not the case from 5.6.x through (at least) 6.2.7.
    (i.e. the above scenario worked fine.)

    When we recently updated from 6.2.7 to 6.4.6, the issue manifested itself.
    So, somewhere between 6.2.7 and 6.4.6 this 'bug' appeared.

    I placed a ticket with fortinet support:

    - first level: reproduced the issue (then it was bumped up to the second level).
    - second level: reproduced the issue (no bug reports identified).

    Q: Has anyone come across this before?
    Q: Has anyone identified a workaround/fix?

    Thank you in advance.

    --tony
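The two authorisation behaviours described in the post, modelled as an added example (not FortiOS code, not from the poster): "first match in LDAP search order decides the realm" versus "check the group the requested realm points to". Group DNs, the search order and the user's memberships are constructed.

```python
# Model of SSL VPN realm authorisation against AD group membership.
# Hypothetical, constructed values; this is not FortiOS code.

# Realm -> AD group DN the realm is configured to require (constructed).
REALM_GROUPS = {
    "users":   "CN=users,OU=Groups,DC=example,DC=com",
    "itstaff": "CN=itstaff,OU=Groups,DC=example,DC=com",
    "other":   "CN=other,OU=Groups,DC=example,DC=com",
}

# Order in which the LDAP search hits the configured groups.
# Constructed so that "itstaff" is matched before "users", as in the post.
SEARCH_ORDER = ["itstaff", "users", "other"]


def first_match_authorize(realm, member_of, realm_groups=REALM_GROUPS,
                          search_order=SEARCH_ORDER):
    """Behaviour reported after 6.4.6: the first configured group in search
    order that the user belongs to decides which realm they may use; a
    request for any other realm is refused even if the user is in its group."""
    for realm_name in search_order:
        if realm_groups[realm_name] in member_of:
            return realm_name == realm
    return False


def realm_scoped_authorize(realm, member_of, realm_groups=REALM_GROUPS):
    """Behaviour reported up to 6.2.7: succeed if the user is a member of the
    group the requested realm points to, ignoring other memberships."""
    return realm_groups[realm] in member_of


def outcomes(member_of):
    """Per realm: (first-match result, realm-scoped result) for one user."""
    return {r: (first_match_authorize(r, member_of),
                realm_scoped_authorize(r, member_of)) for r in REALM_GROUPS}


if __name__ == "__main__":
    # Constructed user who is in both "users" and "itstaff".
    dual = [REALM_GROUPS["users"], REALM_GROUPS["itstaff"]]
    for realm, (first, scoped) in outcomes(dual).items():
        print(f"realm={realm:8} first-match={first!s:5} realm-scoped={scoped}")
```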