Creating security policies
RADIUS SSO uses regular identity-based security policies. The RSSO user group you specify determines which users are permitted to use the policy. You can create multiple policies if user groups can have different UTM features enabled, different permitted services, schedules, and so on.
To create a security policy for RSSO – web-based manager:
1. Go to Policy & Objects > Policy > IPv4.
2. Select Create New.
3. Enter the following information.
| Incoming Interface | as needed | |
| Source Address | as needed | |
| Source User(s) | Select the user groups you created for RSSO. See Defining local user groups for RADIUS SSO on page 598. | |
| Outgoing Interface | as needed | |
| Destination Address | all | |
| Schedule | as needed | |
| Service | as needed | |
| Action | ACCEPT | |
| Enable NAT | Selected | |
| Security Profiles | Select security profiles appropriate for the user group. | |
|
4. |
Select OK. |
To ensure an RSSO-related policy is matched first, the policy should be placed higher in the security policy list than more general policies for the same interfaces.
5. Select OK.
To create a security policy for RSSO – CLI:
In this example, an internal network to Internet policy enables web access for members of a student group and activates the appropriate UTM profiles.
config firewall policy edit 0
set srcintf internal set dstintf wan1
set srcaddr all set dstaddr “all” set action accept set rsso enable
set groups “RSSO-student” set schedule always
set service HTTP HTTPS
set nat enable
set utm-status enable set av-profile students
set webfilter-profile students set spamfilter-profile students set dlp-sensor default
set ips-sensor default
set application-list students
set profile-protocol-options “default” end
Example: webfiltering for student and teacher accounts
The following example uses RADIUS SSO to apply web filtering to students, but not to teachers. Assume that the RADIUS server is already configured to send RADIUS Start and Stop records to the FortiGate unit. There are two RADIUS user groups, students and teachers, recorded in the default attribute Class. The workstations are connected to port1, port2 connects to the RADIUS server, and port3 connects to the Internet.
Configure the student web filter profile:
1. Go to Security Profiles > Web Filter and select Create New (the “+” button).
2. Enter the following and select OK.
Name student
Inspection Mode Proxy
FortiGuard Categories Enable. Right-click the Potentially Liable category and select Block.
Repeat for Adult/Mature Content and Security Risk.
Create the RADIUS SSO agent:
1. Go to User & Device > Authentication > Single Sign-On and select Create New.
2. In Type, select RADIUS Single-Sign-On.
3. Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.
4. Select Send RADIUS Responses.
5. Select OK.
Define local user groups associated with the RADIUS SSO user groups:
1. Go to User & Device > User > User Groups and select Create New.
2. Enter the following and select OK.
Name RSSO-students
Type RADIUS Single Sign-On (RSSO)
RADIUS Attribute Value students
3. Select Create New, enter the following and select OK.
Name RSSO-teachers
Type RADIUS Single Sign-On (RSSO)
RADIUS Attribute Value teachers
Create a security policy for students:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter
| Incoming Interface | port1 | |
| Source Address | all | |
| Source User(s) | RSSO-students | |
| Source Device Type | All | |
| Outgoing Interface | port3 | |
| Destination Address | all | |
| Schedule | always | |
| Service | HTTP, HTTPS | |
| Action | ACCEPT | |
| NAT | ON | |
| Security Profiles | Enable AntiVirus, Web Filter, IPS.
In Web Filter, select the student profile. |
|
|
3. |
Select OK. |
Create a security policy for teachers:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter
Incoming Interface port2
Source Address all
Source User(s) RSSO-teachers
Source Device Type All
Outgoing Interface port3
Destination Address all
Schedule always
Service ALL
Action ACCEPT
NAT ON
Security Profiles Enable AntiVirus and IPS.
3. Select OK.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
I seem to be having so much trouble getting this working. My wireless array (Xirrus) is configured to send accounting messages to my NAP server which is configured to forward accounting messages to the Fortigate. I’ve enabled packet sniffing on port 1813 and can see Accounting-Request packets being sent from the NAP server to Fortigate (although without the additional Class AVP I set) yet no users are listed under Firewall User Monitor. Really not sure how to proceed with this!
The below option is not available onf fortiOS 5.6.* How do I enable “Listen for Radius Accounting messages” on fortiOS 5.6.* Thanks!
To enable RADIUS access on the interface – web-based manager:
1. Go to System > Network > Interfaces and edit the interface to which the RADIUS server connected.
2. Select Listen for RADIUS Accounting Messages.
3. Select OK.