I'm trying to get the FGT SSL VPN to prompt users to change their passwords if they are expired or have the forced change flag set. MFA using Duo is working just fine, but I can't seem to get this working. Has anyone gotten this to work?

On the Duo side I have LDAPS configured for the server and client; here's the config:

Security_group_dn=CN=VPN_Users,OU=Security Groups,DC=domain,DC=local
Ldap_filter=(|(memberOf=CN=VPN_Users,OU=Security Groups,DC=domain,DC=local))

With the user's password not set to require a change, everything is great:

fw01 # diagnose test authserver ldap Duo testuser Password
Authenticate 'testuser' against 'Duo' succeeded!
Group membership(s) - CN=AzureADSync,OU=Security Groups,DC=domains,DC=local
CN=VPN_Users,OU=Security Groups,DC=domains,DC=local
CN=Domain Users,CN=Users,DC=domains,DC=local

When I set the test user to require a password change and do the above with debug enabled (full output below), I see this:

fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 773, v2580)
fnbamd_ldap_run_password_policy_sm-Prompt user to renew expired password.

That looks like it's getting the correct response; the "data 773" code means the password needs to be changed, according to

That seems to agree with the "Prompt user to renew expired password." But the user is never prompted; the FGT only responds with "Error: permission denied" on the web interface and "Login failed. Please check the password, client certificate, etc." on the FortiClient.

fw01 # diagnose test authserver ldap Duo testuser NewPassword1234#
handle_req-Rcvd auth req 1188721821 for testuser in Duo opt=0000001b prot=0
_compose_group_list_from_req-Group 'Duo', type 1
_fnbamd_cfg_get_ldap_list_by_server-Loaded LDAP server 'Duo'
fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1
fnbamd_ldap_init-search filter is: sAMAccountName=testuser
fnbamd_ldap_init-search base is: dc=domain,dc=local
fnbamd_dns_resolv_ex-DNS req ipv4 0x4e 'cerberus'
fnbamd_dns_resolv_ex-DNS req ipv6 0x204e 'cerberus'
fnbamd_dns_resolv_ex-DNS maintainer started.
create_auth_session-Total 1 server(s) to try
fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x4e
_fnbamd_ldap_dns_cb-Resolved Duo:cerberus to 10.1.1.105, cur stack size:1
_fnbamd_ldap_dns_cb-Connection starts Duo:cerberus, addr 10.1.1.105 over SSL
_fnbamd_ldap_start_conn-Still connecting 10.1.1.105.
fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x204e
fnbamd_dns_parse_resp-req 0x4e: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
_fnbamd_dns_req_del-DNS req 0x4e (0x58bc3c0) is removed.
_fnbamd_dns_req_del-DNS maintainer stopped.
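The post hinges on reading the AD sub-code inside the LDAP result 49 (invalidCredentials) that fnbamd prints, and on whether fnbamd's password-policy state machine actually fires after it. The following is an added example, not FortiGate, Duo or the poster's code: a small parser that walks fnbamd debug output, decodes the "AcceptSecurityContext error, data NNN" sub-code with the standard AD mapping (525, 52e, 530, 531, 532, 533, 701, 773, 775), records which server the bind went to and whether it was over SSL, and notes whether the "Prompt user to renew expired password" line appeared. The sample log is constructed from the lines quoted in the post, with the two bind-result lines appended in the place they would appear; the host name, address and request IDs are the post's own values and carry no other meaning.

```python
"""Decode AD bind failures from FortiGate fnbamd LDAP debug output.

Added example for the thread above; not FortiGate or Duo code. The sample
log below is constructed from lines quoted in the post.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sub-codes AD returns inside LDAP result 49 as "data NNN". The flag marks the
# two cases where the credentials were right but a password change is required,
# i.e. the cases a VPN gateway can turn into a renew-password prompt.
AD_BIND_DATA_CODES = {
    "525": ("user not found", False),
    "52e": ("invalid credentials", False),
    "530": ("logon not permitted at this time", False),
    "531": ("logon not permitted at this workstation", False),
    "532": ("password expired", True),
    "533": ("account disabled", False),
    "701": ("account expired", False),
    "773": ("user must reset password before logon", True),
    "775": ("account locked out", False),
}

BIND_ERROR_RE = re.compile(
    r"Error (?P<result>\d+)\((?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)\)"
)
CONN_RE = re.compile(r"Connection starts (?P<server>[^,]+), addr (?P<addr>\S+) over (?P<proto>\S+)")
RENEW_RE = re.compile(r"password_policy_sm-Prompt user to renew expired password")

# Constructed sample: the post's debug lines plus the bind result it reports seeing.
SAMPLE_LOG = """\
handle_req-Rcvd auth req 1188721821 for testuser in Duo opt=0000001b prot=0
fnbamd_ldap_init-search filter is: sAMAccountName=testuser
fnbamd_ldap_init-search base is: dc=domain,dc=local
_fnbamd_ldap_dns_cb-Resolved Duo:cerberus to 10.1.1.105, cur stack size:1
_fnbamd_ldap_dns_cb-Connection starts Duo:cerberus, addr 10.1.1.105 over SSL
_fnbamd_ldap_start_conn-Still connecting 10.1.1.105.
fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 773, v2580)
fnbamd_ldap_run_password_policy_sm-Prompt user to renew expired password.
"""


@dataclass
class BindDiagnostic:
    ldap_result: int           # LDAP resultCode, 49 = invalidCredentials
    data_code: str             # AD sub-code, lower-cased hex as AD prints it
    meaning: str
    password_change_required: bool


def parse_bind_error(line: str) -> Optional[BindDiagnostic]:
    """Return the decoded AD diagnostic from one fnbamd line, or None."""
    m = BIND_ERROR_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    meaning, must_change = AD_BIND_DATA_CODES.get(data, ("unknown data code", False))
    return BindDiagnostic(int(m.group("result")), data, meaning, must_change)


def summarize_auth_attempt(log_text: str) -> dict:
    """Walk a debug capture and report server, transport, bind result and renew state."""
    summary = {"server": None, "addr": None, "over_ssl": False,
               "bind": None, "renew_prompted": False, "verdict": "no bind result seen"}
    for line in log_text.splitlines():
        c = CONN_RE.search(line)
        if c:
            summary["server"] = c.group("server")
            summary["addr"] = c.group("addr")
            summary["over_ssl"] = c.group("proto").upper() == "SSL"
        diag = parse_bind_error(line)
        if diag:
            summary["bind"] = diag
        if RENEW_RE.search(line):
            summary["renew_prompted"] = True
    diag = summary["bind"]
    if diag is None:
        return summary
    if diag.password_change_required and summary["renew_prompted"]:
        summary["verdict"] = (f"AD rejected the bind with data {diag.data_code} ({diag.meaning}) "
                              "and fnbamd entered its renew-password state; whatever the client "
                              "sees is decided after this point")
    elif diag.password_change_required:
        summary["verdict"] = (f"AD requires a password change (data {diag.data_code}) but fnbamd "
                              "never reported entering its renew-password state")
    else:
        summary["verdict"] = f"bind failed: {diag.meaning} (data {diag.data_code})"
    return summary


if __name__ == "__main__":
    for key, value in summarize_auth_attempt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real `diagnose debug application fnbamd -1` capture by passing the captured text to `summarize_auth_attempt`. The useful split is the one the verdict makes: if the `data 773` line is followed by the renew-password state line, AD and fnbamd both did their part, and the "permission denied" the poster sees is produced downstream of the LDAP exchange.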