RADIUS SSO example

Topology

Example.com has an office with 20 users on the internal network. These users need access to the Internet to do their jobs. The office network is protected by a FortiGate-60C unit with access to the Internet through the wan1 interface, the user network on the internal interface, and all of the servers on the DMZ interface. The servers include an Ubuntu Linux server running FreeRADIUS. For this example only two users are configured: Pat Lee, with the account name plee (or plee@example.com), and Kelly Green, with the account name kgreen (or kgreen@example.com).

RADIUS SSO topology

Configuring RADIUS

Configuring RADIUS includes setting up the RADIUS server (FreeRADIUS in this example), installing a RADIUS client on the users' computers, and creating the user accounts on the server. For this example the two users are Pat Lee and Kelly Green; they belong to a group called exampledotcom_employees. When everything is configured, the RADIUS daemon needs to be started.

The users have a RADIUS client installed on their PCs that allows them to authenticate through the RADIUS server.

FreeRADIUS can be found on the freeradius.org website. For any problems installing FreeRADIUS, see the FreeRADIUS documentation.
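What the FortiGate actually consumes in RADIUS SSO is not an authentication reply but the RADIUS accounting traffic: the RADIUS server sends an Accounting-Request (Start when a user logs in, Stop when the session ends) to the FortiGate, by default on UDP port 1813, and the FortiGate learns the user name, the endpoint IP address and the group from the attributes in that message. The following is an added example, not code from the FortiOS handbook or from FreeRADIUS, that models that exchange in Python: the server side builds an Accounting-Request with the RFC 2866 Request Authenticator, a model of the FortiGate listener validates the authenticator with the shared secret before it touches its user-to-IP table, and it answers with an Accounting-Response that the server can verify in turn. The shared secret, the endpoint address 10.11.102.110, the session ID and the use of the Class attribute to carry the group name are assumptions for illustration.

```python
"""Constructed RADIUS accounting exchange (added example, not from the FortiOS
handbook). The RADIUS server sends Accounting-Request Start/Stop for plee; a model
of the FortiGate RSSO listener validates the Request Authenticator (RFC 2866 s3),
updates its user/IP table and returns an Accounting-Response. Secret, IPs, session
ID and the Class attribute as group carrier are assumptions for illustration."""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5          # RADIUS packet codes (RFC 2866)
USER_NAME, FRAMED_IP, CLASS = 1, 8, 25       # attribute types (RFC 2865)
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44  # attribute types (RFC 2866)
START, STOP = 1, 2                          # Acct-Status-Type values
SECRET = b"example-shared-secret"           # assumption: configured on both FreeRADIUS and FortiGate


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([atype, 2 + len(value)]) + value


def build_acct_request(ident, attrs, secret):
    """RADIUS server side: Accounting-Request with the RFC 2866 Request Authenticator."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attrs(body):
    """Decode Type/Length/Value attributes; rejects lengths that overrun the packet."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def rsso_receive(packet, secret, table):
    """Model of the FortiGate RSSO listener: returns (accepted, Accounting-Response or None)."""
    if len(packet) < 20:
        return False, None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False, None
    req_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(req_auth, expected):
        return False, None  # wrong secret or altered attributes: drop silently (RFC 2866)
    try:
        attrs = parse_attrs(body)
        status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
        endpoint_ip = ".".join(str(b) for b in attrs[FRAMED_IP])
        user = attrs[USER_NAME].decode()
    except (ValueError, KeyError, struct.error, UnicodeDecodeError):
        return False, None
    if status == START:
        # Class carries the group name the FortiGate matches against its RSSO user groups (assumption)
        table[endpoint_ip] = (user, attrs.get(CLASS, b"").decode())
    elif status == STOP:
        table.pop(endpoint_ip, None)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_header = struct.pack("!BBH", ACCT_RESPONSE, ident, 20)
    resp_auth = hashlib.md5(resp_header + req_auth + secret).digest()
    return True, resp_header + resp_auth


def server_check_response(response, request, secret):
    """RADIUS server side: confirm the Accounting-Response came from the holder of the secret."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def plee_session(status, ident, secret=SECRET):
    """Constructed Start/Stop message for plee logging in from the internal network."""
    return build_acct_request(ident, [
        attr(USER_NAME, b"plee@example.com"),
        attr(FRAMED_IP, bytes([10, 11, 102, 110])),      # assumed DHCP lease on internal
        attr(CLASS, b"exampledotcom_employees"),
        attr(ACCT_STATUS_TYPE, struct.pack("!I", status)),
        attr(ACCT_SESSION_ID, b"0001"),
    ], secret)


def run_exchange():
    """Start, a Start forged with a guessed secret, a Start altered in transit, then Stop."""
    table, results = {}, []
    start = plee_session(START, 1)
    ok, resp = rsso_receive(start, SECRET, table)
    results.append(("start", ok, server_check_response(resp, start, SECRET), dict(table)))
    forged = plee_session(START, 2, secret=b"attacker-guess")
    results.append(("forged", rsso_receive(forged, SECRET, table)[0], None, dict(table)))
    tampered = bytearray(start)
    tampered[-1] ^= 0x01  # flip one bit in Acct-Session-Id after the server signed it
    results.append(("tampered", rsso_receive(bytes(tampered), SECRET, table)[0], None, dict(table)))
    ok, resp = rsso_receive(plee_session(STOP, 3), SECRET, table)
    results.append(("stop", ok, None, dict(table)))
    return results
```

Calling run_exchange() shows a Start with the right secret creating the mapping 10.11.102.110 to plee@example.com in exampledotcom_employees, a Start built with a guessed secret and a packet altered in transit both being dropped without changing the table, and a Stop removing the mapping. The whole SSO decision rests on that authenticator check, which is why the accounting listener is enabled only on the dmz interface that faces the RADIUS server, the shared secret should be long and random, and request-secret validation on the FortiGate RSSO agent should stay enabled (the rsso-validate-request-secret setting under config user radius; confirm the name against your FortiOS version). RFC 2866 uses MD5 keyed with the shared secret, which gives origin authentication and integrity against anyone who lacks the secret but no confidentiality, so user names and addresses in accounting messages are readable by anyone who can sniff the segment between the RADIUS server and the FortiGate.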

Configuring FortiGate interfaces

Before configuring the RADIUS SSO security policy, configure the FortiGate interfaces. This includes defining a DHCP server for the internal network, because a user network of this type typically uses DHCP. The wan1 and dmz interfaces are assigned static IP addresses and do not need a DHCP server.

FortiGate interfaces used in this example

Interface   Interface IP (/24)   Act as DHCP server                   Devices
wan1        172.20.120.141       No                                   Internet Service Provider
dmz         10.11.101.100        No                                   Servers, including RADIUS server
internal    10.11.102.100        Yes: 10.11.102.110 - 10.11.102.250   Internal user network

To configure FortiGate interfaces – web-based manager:

1. Go to System > Network > Interfaces.

2. Select wan1 to edit.

3. Enter the following information and select OK.

Alias                                           Internet

Addressing Mode                     Manual

IP/Network Mask                       172.20.120.141/255.255.255.0

Administrative Access             HTTPS, SSH

Enable DHCP Server                 Not selected

Comments                                  Internet

Administrative Status               Up

4. Select dmz to edit.

5. Enter the following information and select OK.

Alias                                           Servers

Addressing Mode                     Manual

IP/Network Mask                       10.11.101.100/255.255.255.0

Administrative Access             HTTPS, SSH, PING, SNMP

Enable DHCP Server                 Not selected

Listen for RADIUS Accounting Messages   Select

Comments                                  Servers

Administrative Status               Up

6. Select internal to edit.

7. Enter the following information and select OK.

Alias                                           Internal network

Addressing Mode                     Manual

IP/Network Mask                       10.11.102.100/255.255.255.0

Administrative Access             HTTPS, SSH, PING

Enable DHCP Server                 Select

Address Range                         10.11.102.110 – 10.11.102.250

Netmask                                     255.255.255.0

Default Gateway                        Same as Interface IP

DNS Server                                 Same as System DNS

Comments                                  Internal network

Administrative Status               Up

Configuring a RADIUS SSO Agent on the FortiGate unit

