After upgrading from FortiOS 5 to FortiOS 6, access for SSLVPN users stopped working. Local users still worked, but LDAP users could not authenticate using LDAPS or STARTTLS. When trying to log in to the web portal, the message “Permission denied” was displayed, and the firewall's VPN events showed the following error: “sslvpn_login_unknown_user”.
Well, apparently Fortinet raised the minimum SSL protocol version used when authenticating to the AD to TLSv1.2. Unfortunately the AD server in question did not support it; TLSv1 was the highest version it offered. The fix is quite simple:
Open the CLI console in the web UI (the >_ icon at the top right) and run the following commands, substituting the LDAP server name shown by `show`:
# config user ldap
# show
# edit "<LDAP server name from the show output>"
# set ssl-min-proto-version TLSv1
# end
That’s it. SSLVPN worked normally afterwards. The setting also accepts the other protocol versions SSLv2, SSLv3, TLSv1, TLSv1-1 and TLSv1-2.
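As an added check that is not part of the original post: before lowering the floor all the way to TLSv1, this Python script probes the domain controller's LDAPS port with each TLS version the FortiOS setting can name and renders the CLI block above with the highest version the DC actually negotiates, so the floor drops only as far as necessary. The DC hostname, port 636 and the server name are assumptions supplied by the caller.

```python
import socket
import ssl

# FortiOS ssl-min-proto-version tokens from the post, lowest to highest, each paired with
# the TLS version Python can pin for a probe. SSLv2/SSLv3 are left out on purpose: modern
# OpenSSL cannot speak them, and a DC offering only those needs fixing, not a lower floor.
PROBE_ORDER = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1-1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1-2", ssl.TLSVersion.TLSv1_2),
]

def negotiates(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # probing protocol support only, not the DC's identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 refuses TLS 1.0/1.1 at its default level
    except ssl.SSLError:
        pass  # builds without security levels (e.g. LibreSSL) keep their defaults
    try:
        ctx.minimum_version = ctx.maximum_version = version  # ValueError if this build lacks it
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ValueError, OSError):
        return False

def probe_ldaps(host, port=636):
    """Set of FortiOS tokens whose TLS version the LDAPS endpoint accepts."""
    return {token for token, version in PROBE_ORDER if negotiates(host, port, version)}

def choose_min_proto(supported):
    """Highest version the DC speaks: the least permissive floor that still authenticates."""
    for token, _ in reversed(PROBE_ORDER):
        if token in supported:
            return token
    raise ValueError("endpoint negotiated no probeable TLS version")

def fortios_ldap_snippet(server_name, token):
    """Render the CLI block from the post with the chosen floor filled in."""
    return "\n".join([
        "config user ldap",
        f'    edit "{server_name}"',
        f"        set ssl-min-proto-version {token}",
        "    next",
        "end",
    ])
```

Run `fortios_ldap_snippet(name, choose_min_proto(probe_ldaps("dc01.example.internal")))` against your own DC (placeholder hostname) and paste the result into the CLI; once TLS 1.2 is enabled on the DC, rerunning it moves the rendered floor back up.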