RADIUS accounting
If required, SSO can be based on RADIUS accounting records. The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server or network device, such as a wireless controller, collects additional group information, and then inserts it into FSSO for use by multiple FortiGate devices for identity-based policies.
The FortiAuthenticator must be configured as a RADIUS accounting client to the RADIUS server.
To view the RADIUS accounting SSO client list, go to Fortinet SSO > Methods > RADIUS Accounting.
To configure and enable a RADIUS accounting client:
- From the RADIUS accounting SSO client list, select Create New. The Create New RADIUS Accounting SSO Client window opens.
- Enter the following information:
  - Name: Enter a name in the Name field to identify the RADIUS accounting client on the FortiAuthenticator.
  - Client name/IP: Enter the RADIUS accounting client’s FQDN or IP address.
  - Secret: Enter the RADIUS accounting client’s pre-shared key.
  - Description: Optionally, enter a description of the client.
  - SSO user type: Specify the type of user that the client will provide:
    - External: Users not defined on FortiAuthenticator. User groups are retrieved from the source.
    - Local users: Users defined on FortiAuthenticator as local users. User groups are retrieved from the local groups.
    - Remote users: Users defined on a remote LDAP server. User groups are retrieved from the remote LDAP server. From the dropdown, select a remote LDAP server.
  - Strip off prefix or suffix from username if any: Enable to strip prefixes and suffixes from the SSO usernames.
  - RADIUS Attributes: If required, customize the username, client IP, and user group RADIUS attributes to match the ones used in the incoming RADIUS accounting records. See RADIUS attributes.
- Select Save to apply the changes.
- Enable RADIUS accounting SSO clients by going to Fortinet SSO > Settings > Methods and selecting RADIUS Accounting SSO clients. See Methods.
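The settings above map directly onto fields of an incoming Accounting-Request. The following added example (not Fortinet code and not part of the original guide) checks a record's RFC 2866 Request Authenticator against the configured secret and extracts the username, client IP, and group. The function names, the sample packet, the use of the Class attribute for the group, and the prefix/suffix stripping rule are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Standard RADIUS attribute types; carrying the group in Class is an assumption.
USER_NAME, FRAMED_IP, CLASS = 1, 8, 25

def build_request(ident, attrs, secret):
    """Build an Accounting-Request (code 4) with its RFC 2866 authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", 4, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_request(packet, secret):
    """Verify the authenticator, then return {attribute type: value bytes}."""
    code, _ident, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\0"))
    if code != 4 or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch: wrong secret or altered packet")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def strip_affixes(username):
    """Drop a 'DOMAIN\\' prefix and an '@realm' suffix (assumed stripping rule)."""
    return username.rsplit("\\", 1)[-1].split("@", 1)[0]

def sso_record(packet, secret, strip=True):
    """Return the username, client IP and group an SSO entry would need."""
    attrs = parse_request(packet, secret)
    if not attrs.keys() >= {USER_NAME, FRAMED_IP, CLASS}:
        raise ValueError("record lacks username, client IP or group attribute")
    user = attrs[USER_NAME].decode()
    return {"user": strip_affixes(user) if strip else user,
            "ip": str(ipaddress.IPv4Address(attrs[FRAMED_IP])), "group": attrs[CLASS].decode()}

# Constructed sample record and secret; type 40 is Acct-Status-Type (1 = Start).
SECRET = b"example-secret"
SAMPLE = build_request(7, [(USER_NAME, b"CORP\\alice"), (CLASS, b"staff"),
    (FRAMED_IP, ipaddress.IPv4Address("10.0.0.25").packed), (40, struct.pack("!I", 1))], SECRET)
```

A record that fails the authenticator check or lacks one of the three attributes raises ValueError, which corresponds to a secret mismatch or an attribute mapping that does not match what the accounting source sends.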