SSO using RADIUS accounting records

SSO using RADIUS accounting records

A FortiGate unit can authenticate users transparently who have already authenticated on an external RADIUS server. Based on the user group to which the user belongs, the security policy applies the appropriate UTM profiles. RADIUS SSO is relatively simple because the FortiGate unit does not interact with the RADIUS server, it only monitors RADIUS accounting records that the server emits. These records include the user’s IP address and user group.

After the initial set-up, changes to the user database, including changes to user group memberships, are made on the external RADIUS server, not on the FortiGate unit.

This section describes:

  • User’s view of RADIUS SSO authentication
  • Configuration Overview
  • Configuring the RADIUS server
  • Creating the FortiGate RADIUS SSO agent l  Defining local user groups for RADIUS SSO l  Creating security policies
  • Example: webfiltering for student and teacher accounts


Users view of RADIUS SSO authentication

For the user, RADIUS SSO authentication is simple:

  • The user connects to the RADIUS server and authenticates.
  • The user attempts to connect to a network resource that is reached through a FortiGate unit. Authentication is required for access, but the user connects to the destination without being asked for logon credentials because the FortiGate unit knows that the user is already authenticated. FortiOS applies UTM features appropriate to the user groups that the user belongs to.


Configuration Overview

The general steps to implement RADIUS Single Sign-On are:

1. If necessary, configure your RADIUS server. The user database needs to include user group information and the server needs to send accounting messages.

2. Create the FortiGate RADIUS SSO agent.

3. Define local user groups that map to RADIUS groups.

4. Create a security policy which specifies the user groups that are permitted access.



Configuring the RADIUS server

You can configure FortiGate RSSO to work with most RADIUS-based accounting systems. In most cases, you only need to do the following to your RADIUS accounting system:

  • Add a user group name field to customer accounts on the RADIUS server so that the name is added to the RADIUS Start record sent by the accounting system to the FortiOS unit. User group names do not need to be added for all users, only to the accounts of users who will use RSSO feature on the FortiGate unit.
  • Configure your accounting system to send RADIUS Start records to the FortiOS unit. You can send the RADIUS Start records to any FortiGate network interface. If your FortiGate unit is operating with virtual domains (VDOMs) enabled, the RADIUS Start records must be sent to a network interface in the management VDOM.


Creating the FortiGate RADIUS SSO agent

Once you define a RADIUS SSO (RSSO) agent, the FortiGate unit will accept user logon information from any RADIUS server that has the same shared secret. You can create only one RSSO agent in each VDOM.

Before you create the RSSO agent, you need to allow RADIUS accounting information on the interface that connects to the RADIUS server.


To enable RADIUS access on the interface – web-based manager:

1. Go to System > Network > Interfaces and edit the interface to which the RADIUS server connected.

2. Select Listen for RADIUS Accounting Messages.

3. Select OK.


To enable RADIUS access on the interface – CLI:

In this example, the port2 interface is used.

config system interface edit port2

set allowaccess radius-acct end


To create a RADIUS SSO agent:

1. Go to User & Device > Authentication > Single Sign-On and select Create New.

2. In Type, select RADIUS Single-Sign-On Agent.

3. Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.

4. Select Send RADIUS Responses.

5. Select OK.


To create a RADIUS SSO agent – CLI

config user radius edit RSSO_Agent

set rsso enable

set rsso-validate-request-secret enable set rsso-secret <your secret>

set rsso-radius-response enable end


Selecting which RADIUS attributes are used for RSSO

For RADIUS SSO to work, FortiOS needs to know the user’s endpoint identifier (usually IP address) and RADIUS user group. There are default RADIUS attributes where FortiOS expects this information, but you can change these attributes in the config user radius CLI command.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

2 thoughts on “SSO using RADIUS accounting records

  1. pj

    I seem to be having so much trouble getting this working. My wireless array (Xirrus) is configured to send accounting messages to my NAP server which is configured to forward accounting messages to the Fortigate. I’ve enabled packet sniffing on port 1813 and can see Accounting-Request packets being sent from the NAP server to Fortigate (although without the additional Class AVP I set) yet no users are listed under Firewall User Monitor. Really not sure how to proceed with this!

  2. Tom

    The below option is not available onf fortiOS 5.6.* How do I enable “Listen for Radius Accounting messages” on fortiOS 5.6.* Thanks!

    To enable RADIUS access on the interface – web-based manager:

    1. Go to System > Network > Interfaces and edit the interface to which the RADIUS server connected.

    2. Select Listen for RADIUS Accounting Messages.

    3. Select OK.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.