Accounting proxy
The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server, transforms them, and forwards them to multiple FortiGate or FortiMail devices for use in RADIUS Single Sign-On (RSSO). This differs from the packet use of RADIUS accounting (RADIUS accounting sources).
The accounting proxy needs to know:
- the rule sets to define or derive the RADIUS attributes that the FortiGate unit requires,
- the source of the RADIUS accounting records (i.e. the RADIUS server),
- and the destination(s) of the accounting records (i.e. the FortiGate units using this information for RSSO authentication).
General
General RADIUS accounting proxy settings can be configured by going to Authentication > RADIUS Service > Accounting Proxy and selecting General.
The following settings are available:
Select OK to apply your changes.
Rule sets
A rule set can contain multiple rules. Each rule can do one of the following:
- Add an attribute with a fixed value.
- Add an attribute retrieved from a user’s record on an LDAP server.
- Rename an attribute to make it acceptable to the accounting proxy destination.
FortiAuthenticator can store up to 25 rule sets. You can give each rule set a name and a description to help identify it and its purpose.
Rules act on RADIUS attributes, which include both standard attributes and vendor-specific attributes (VSAs). To select a standard attribute, select the default vendor. See RADIUS attributes.
To view the accounting proxy rule set list, go to Authentication > RADIUS Service > Accounting Proxy and select Rule Sets.
To add RADIUS accounting proxy rule sets:
- From the rule set list, select Create New. The Create New Rule Set window opens.
- Enter the following information:
  - Name: Enter a name to use when selecting this rule set for an accounting proxy destination.
  - Description: Optionally, enter a brief description of the rule set's purpose.
  - Rules: Enter one or more rules. Each rule has the following fields:
    - Action: The action for each rule can be either Add or Modify.
      - Add: Add either a static value or a value derived from an LDAP server.
      - Modify: Rename an attribute.
    - Attribute: Select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box. If the field is empty, no filtering is applied.
    - Attribute 2: If Action is set to Modify, a second attribute may be selected. The first attribute is renamed to the second attribute.
    - Value type: If the action is set to Add, select a value type from the dropdown menu.
      - Static value: Adds the attribute in the Attribute field containing the static value in the Value field.
      - Group names: Adds the attribute in the Attribute field containing the "Group names" from the group membership of the Username Attribute on the remote LDAP server.
    - Value: If the action is set to Add and Value Type is set to Static value, enter the static value.
    - Username attribute: If the action is set to Add and Value Type is not set to Static value, specify an attribute that provides the user's name, or select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
    - Remote LDAP: If the attribute addition requires an LDAP server, select one from the dropdown menu. See LDAP for information on remote LDAP servers.
    - Description: A brief description of the rule.
    - Add Rule: Select to add another rule to the rule set.
  - Matching RADIUS Attributes: Controls which RADIUS accounting requests are proxied. Select to add a RADIUS attribute. Each matching attribute has the following fields:
    - Not: Enable to filter out non-proxied users. Note: The option is disabled by default.
    - Vendor: From the dropdown, select a vendor.
    - Attribute ID: From the dropdown, select an attribute ID.
    - Value: Enter the attribute value.
    - Allow substring match: Enable to allow substring match. Note: The option is disabled by default and only available for some attribute IDs.
    - Type: Displays the attribute type. Note: The option is not editable.
    - Add Matching RADIUS Attributes: Select to add another RADIUS attribute to the rule set.
- Select OK to create the new rule set.
Example rule set
The incoming accounting packets contain the following fields:
- User-Name
- NAS-IP-Address
- Fortinet-Client-IP-Address
The outgoing accounting packets need to have these fields:
- User-Name
- NAS-IP-Address
- Fortinet-Client-IP-Address
- Session-Timeout: Value is always 3600
- Fortinet-Group-Name: Value is obtained from user's group membership on remote LDAP
The rule set needs two rules to add Session-Timeout and Fortinet-Group-Name. The following image provides an example:
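The two-rule example above, together with the Matching RADIUS Attributes filter described earlier, as an added Python model that is not FortiAuthenticator code: rules and matchers are applied to accounting attributes held in a dictionary, and the remote LDAP server is a constructed lookup table. The reading of Not (proxy only requests that do not match) and of substring matching is an assumption, as are the sample usernames and addresses.

```python
from typing import Dict, List, NamedTuple, Optional, Sequence
# Constructed stand-in for the remote LDAP server: username -> group names.
LDAP_GROUPS = {"alice": ["staff", "vpn-users"], "bob": ["contractors"]}

class Rule(NamedTuple):              # one rule of a rule set
    action: str                      # "Add" or "Modify"
    attribute: str                   # attribute to add, or to rename when Modify
    value_type: str = "Static value" # "Static value" or "Group names" (Add only)
    value: Optional[str] = None      # static value for Add + Static value
    username_attribute: str = "User-Name"  # attribute naming the user (Group names)
    attribute2: Optional[str] = None # new attribute name for Modify

class Match(NamedTuple):             # one "Matching RADIUS Attributes" entry
    attribute: str
    value: str
    negate: bool = False             # "Not": proxy only requests that do NOT match (assumed)
    substring: bool = False          # "Allow substring match"

def is_proxied(pkt: Dict[str, str], matches: Sequence[Match]) -> bool:
    # An empty match list applies no filtering; otherwise every matcher must pass.
    for m in matches:
        v = pkt.get(m.attribute)
        hit = v is not None and (m.value in v if m.substring else v == m.value)
        if hit == m.negate:          # no match (normal) or a match (Not): drop it
            return False
    return True

def apply_rule_set(pkt: Dict[str, str], rules: List[Rule],
                   matches: Sequence[Match] = ()) -> Optional[dict]:
    # Returns the transformed attributes, or None when the request is not proxied.
    if not is_proxied(pkt, matches):
        return None
    out: dict = dict(pkt)            # the incoming attributes are left untouched
    for r in rules:
        if r.action == "Modify" and r.attribute in out and r.attribute2:
            out[r.attribute2] = out.pop(r.attribute)
        elif r.action == "Add" and r.value_type == "Static value":
            out[r.attribute] = r.value
        elif r.action == "Add" and r.value_type == "Group names":
            groups = LDAP_GROUPS.get(out.get(r.username_attribute, ""), [])
            if groups:               # one value per group (the attribute may repeat)
                out[r.attribute] = list(groups)
    return out

# The rule set from the example above: two Add rules. INCOMING is constructed input.
EXAMPLE_RULES = [
    Rule("Add", "Session-Timeout", "Static value", value="3600"),
    Rule("Add", "Fortinet-Group-Name", "Group names", username_attribute="User-Name")]
INCOMING = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.10", "Fortinet-Client-IP-Address": "198.51.100.25"}
```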
Sources
The RADIUS accounting proxy sources list can be viewed by going to Authentication > RADIUS Service > Accounting Proxy and selecting Proxy Sources. Sources can be added, edited, and deleted as needed. A maximum of 500 proxy sources can be configured.
To add a RADIUS accounting proxy source:
- From the source list, select Create New. The Create New RADIUS Accounting Proxy Source window opens.
- Enter the following information:
- Select OK to add the RADIUS accounting proxy source.
Destinations
The destination of the RADIUS accounting records is the FortiGate unit that will use the records to identify users. When defining the destination, you also specify the source of the records (a RADIUS client already defined as a source) and the rule set to apply to the records.
To view the RADIUS accounting proxy destinations list, go to Authentication > RADIUS Service > Accounting Proxy and select Destinations. A maximum of 500 proxy destinations can be configured.
To add a RADIUS accounting proxy destination:
- From the destinations list, select Create New. The Create New RADIUS Accounting Proxy Destination window opens.
- Enter the following information:
  - Name: Enter a name to identify the destination device in your configuration.
  - Destination name/IP: Enter the FQDN or IP address of the FortiGate that will receive the RADIUS accounting records.
  - Secret: Enter the pre-shared key of the destination.
  - Source: Select a RADIUS client defined as a source from the dropdown menu. See Sources.
  - Rule set: Select an appropriate rule set from the dropdown menu or select Create New to create a new rule set. See Rule sets.
- Select OK to add the RADIUS accounting proxy destination.