RADIUS SSO example

To create a RADIUS SSO agent:

1. Go to User & Device > Authentication > Single Sign-On and select Create New.

2. In Type, select RADIUS Single-Sign-On Agent.

3. Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.

4. Select Send RADIUS Responses.

5. Select OK.

The Single Sign-On agent is named RSSO_Agent.


Creating a RADIUS SSO user group


To define a local user group for RADIUS SSO:

1. Go to User & Device > User > User Groups and select Create New.

2. Enter a Name for the user group.

3. In Type, select RADIUS Single Sign-On (RSSO).

4. In RADIUS Attribute Value, enter the name of the RADIUS user group this local user group represents.

5. Select OK.


Configuring FortiGate regular and RADIUS SSO security policies

With the RADIUS server and FortiGate interfaces configured, security policies can be configured. This includes both RADIUS SSO and regular policies, as well as addresses and address groups. All policies require NAT to be enabled.


Security policies required for RADIUS SSO

Seq. No. From -> To      Type                Schedule                 Description

1               internal -> wan1

2               internal -> wan1

RADIUS SSO    business hours           Authenticate outgoing user traffic.

regular               always                        Allow essential network services and VoIP.

Seq. No. From -> To      Type                Schedule                 Description

3               dmz -> wan1     regular               always                        Allow servers to access Internet.

4               internal -> dmz regular               always                        Allow users to access servers.

5              any -> any         deny                  always                        Implicit policy denying all traffic that hasn’t been matched.


The RADIUS SSO policy must be placed at the top of the policy list so it is matched first. The only exception to this is if you have a policy to deny access to a list of banned users. In this case, that policy must go at the top so the RADIUS SSO does not mis- takenly match a banned user or IP address.


This section includes:

  • Schedules, address groups, and services groups
  • Configuring regular security policies
  • Configuring RADIUS SSO security policy


Schedules, address groups, and services groups

This section lists the lists that need to be configured before security policies are created. Creating these lists is straight forward, so the essential information has been provided here but not step by step instructions. For more information on firewall related details, see



Only one schedule needs to be configured — business_hours. This is a fairly standard Monday to Friday 8am to 5pm schedule, or whatever days and hours covers standard work hours at the company.


Address groups

The following address groups need to be configured before the security policies.


Address Group Name Interface Address range included



internal to




dmz to


Service groups


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU