SSO using RADIUS accounting records

RSSO information and RADIUS attribute defaults

RSSO Information            RADIUS Attribute       CLI field
Endpoint identifier         Calling-Station-ID     rsso-endpoint-attribute
Endpoint block attribute    Called-Station-ID      rsso-endpoint-block-attribute
User group                  Class                  sso-attribute

The endpoint block attribute can be used to block or allow a user: if the RADIUS attribute selected as the endpoint block attribute carries a value that indicates block or allow, FortiOS blocks or allows, respectively, all traffic from that user's IP address. The RSSO fields are visible only when rsso is set to enable.

 

Configuring logging for RSSO

In the config user radius CLI command, you can set the following flags in the rsso-log-flags field to determine which types of RSSO-related events are logged:

  • protocol-error — A RADIUS protocol error occurred.
  • profile-missing — FortiOS cannot find a user group name in a RADIUS start message that matches the name of an RSSO user group in FortiOS.
  • accounting-stop-missed — A user context entry expired without FortiOS receiving a RADIUS Stop message.
  • accounting-event — FortiOS did not find the expected information in a RADIUS record.
  • endpoint-block — FortiOS blocked a user because the RADIUS record’s endpoint block attribute had the value “Block”.
  • radiusd-other — Other events, described in the log message.

Defining local user groups for RADIUS SSO

You cannot use RADIUS user groups directly in security policies. Instead, you create locally-defined user groups on the FortiGate unit and associate each of them with a RADIUS user group.

 

To define local user groups for RADIUS SSO – web-based manager:

1. Go to User & Device > User > User Groups and select Create New.

2. Enter a Name for the user group.

3. In Type, select RADIUS Single Sign-On (RSSO).

4. In RADIUS Attribute Value, enter the name of the RADIUS user group this local user group represents.

5. Select OK.

To define local user groups for RADIUS SSO – CLI:

This example creates an RSSO user group called RSSO-1 that is associated with RADIUS user group “student”.

config user group
    edit RSSO-1
        set group-type rsso
        set sso-attribute-value student
    next
end
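
The attribute defaults, the local-group mapping and the rsso-log-flags events described above, modelled in Python as an added example (not Fortinet code and not how FortiOS is implemented); the record dicts are assumed to be already-decoded RADIUS attribute values, and RSSO-2/staff is a constructed second group mapping.

```python
# Added example, not Fortinet code: models how FortiOS RSSO maps a decoded RADIUS
# accounting record to a local RSSO group and raises the rsso-log-flags events above.
from dataclasses import dataclass, field

ENDPOINT_ATTR = "Calling-Station-ID"        # rsso-endpoint-attribute default
ENDPOINT_BLOCK_ATTR = "Called-Station-ID"   # rsso-endpoint-block-attribute default
SSO_ATTR = "Class"                          # sso-attribute default
# RADIUS group -> local RSSO group (RSSO-1/student is the CLI example; staff is constructed)
LOCAL_GROUPS = {"student": "RSSO-1", "staff": "RSSO-2"}

@dataclass
class RssoTable:
    users: dict = field(default_factory=dict)   # endpoint -> local group
    blocked: set = field(default_factory=set)   # endpoints whose traffic is dropped
    logs: list = field(default_factory=list)    # (rsso-log-flag, detail)

    def process(self, record: dict) -> str:
        # Apply one Accounting-Request; return the log flag raised or "ok".
        status, endpoint = record.get("Acct-Status-Type"), record.get(ENDPOINT_ATTR)
        if status == "Stop" and endpoint is not None:   # user context entry ends
            self.users.pop(endpoint, None)
            self.blocked.discard(endpoint)
            return "ok"
        if status != "Start" or endpoint is None or SSO_ATTR not in record:
            self.logs.append(("accounting-event", record))  # expected info missing
            return "accounting-event"
        if record.get(ENDPOINT_BLOCK_ATTR) == "Block":
            self.blocked.add(endpoint)                 # drop all traffic from this IP
            self.logs.append(("endpoint-block", endpoint))
            return "endpoint-block"
        group = LOCAL_GROUPS.get(record[SSO_ATTR])
        if group is None:                              # no RSSO group with that value
            self.logs.append(("profile-missing", record[SSO_ATTR]))
            return "profile-missing"
        self.users[endpoint] = group
        return "ok"

# Constructed sample records (decoded attribute values, not real captures).
SAMPLE = [
    {"Acct-Status-Type": "Start", ENDPOINT_ATTR: "10.0.0.5", SSO_ATTR: "student"},
    {"Acct-Status-Type": "Start", ENDPOINT_ATTR: "10.0.0.6", SSO_ATTR: "guest"},
    {"Acct-Status-Type": "Start", ENDPOINT_ATTR: "10.0.0.7", SSO_ATTR: "student", ENDPOINT_BLOCK_ATTR: "Block"},
    {"Acct-Status-Type": "Start", ENDPOINT_ATTR: "10.0.0.8"},   # Class AVP absent
    {"Acct-Status-Type": "Start", ENDPOINT_ATTR: "10.0.0.9", SSO_ATTR: "staff"},
    {"Acct-Status-Type": "Stop", ENDPOINT_ATTR: "10.0.0.5"},
]

def run(records=SAMPLE) -> RssoTable:
    table = RssoTable()
    for rec in records:
        table.process(rec)
    return table
```

A Start record whose Class value matches no local RSSO group, or that lacks the Class attribute entirely, never produces a user entry, which is what the Firewall User Monitor would show in that case.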


2 thoughts on “SSO using RADIUS accounting records”

  1. pj

    I seem to be having so much trouble getting this working. My wireless array (Xirrus) is configured to send accounting messages to my NAP server, which is configured to forward accounting messages to the FortiGate. I’ve enabled packet sniffing on port 1813 and can see Accounting-Request packets being sent from the NAP server to the FortiGate (although without the additional Class AVP I set), yet no users are listed under Firewall User Monitor. Really not sure how to proceed with this!

    Reply
  2. Tom

    The below option is not available on FortiOS 5.6.*. How do I enable “Listen for RADIUS Accounting Messages” on FortiOS 5.6.*? Thanks!

    To enable RADIUS access on the interface – web-based manager:

    1. Go to System > Network > Interfaces and edit the interface to which the RADIUS server connected.

    2. Select Listen for RADIUS Accounting Messages.

    3. Select OK.

    Reply
