Fortinet black logo

Administration Guide

RADIUS single sign-on (RSSO) agent

RADIUS single sign-on (RSSO) agent

With RSSO, a FortiGate can authenticate users who have authenticated on a remote RADIUS server. Based on which user group the user belongs to, the security policy applies the appropriate UTM profiles.

The FortiGate does not interact with the remote RADIUS server; it only monitors RADIUS accounting records that the server forwards (originating from the RADIUS client). These records include the user IP address and user group. The remote RADIUS server sends the following accounting messages to the FortiGate:

Message

Action

Start If the information in the start message matches the RSSO configuration on the FortiGate, the user is added to the local list of authenticated firewall users.
Stop The user is removed from the local list of authenticated firewall users because the user session no longer exists on the RADIUS server.

You can configure an RSSO agent connector using the FortiOSGUI; however, in most cases, you will need to use the CLI. There are some default options you may need to modify, which can only be done in the CLI.

To configure an RSSO agent connector:
  1. Create the new connector:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New.
    3. In the Endpoint/Identity section, click RADIUS Single Sign-On Agent. The New Fabric Connector pane opens.
    4. Enter the connector name.
    5. Enable Use RADIUS Shared Secret.
      Note

      The value entered in Use RADIUS Shared Secret must be identical to what the remote RADIUS server uses to authenticate when it sends RADIUS accounting messages to the FortiGate.

    6. Enable Send RADIUS Responses.
      Tooltip

      You should enable Send RADIUS Responses because some RADIUS servers continue to send the same RADIUS accounting message several times if there is no response.

    7. Click OK.

  2. Edit the network interface:
    1. Go to Network > Interfaces.
    2. Double-click the interface that will receive the RADIUS accounting messages. The Edit Interface pane opens.
    3. In the Administrative Access section, select the RADIUS Accounting checkbox. This will open listening for port 1813 on this interface. The FortiGate will then be ready to receive RADIUS accounting messages.
    4. Click OK.

  3. Create a local RSSO user group:
    1. Go to User & Authentication > User Groups.
    2. Click Create New.
    3. Enter the group name.
    4. For the Type field, click RADIUS Single-Sign-ON (RSSO).
    5. Enter a value for RADIUS Attribute Value.

      This value by default is the class attribute. The FortiGate uses the content of this attribute in RADIUS accounting start messages to map a user to a FortiGate group, which then can be used in firewall policies.

      In this example configuration, the FortiGate will only add a remote RADIUS user to the local firewall user list if the class attribute in the RADIUS accounting START message contains the value group1.

      Note

      If your users are in multiple groups, you will need to add another local RSSO user group.

      Note

      If the RADIUS attribute value used to map users to a local RSSO group is different than the RADIUS attribute in the RADIUS accounting messages forwarded by the server, you must change it in the CLI.

    6. Click OK.

  4. Edit the local RSSO agent to modify default options using the CLI.

    For example, the default value for rsso-endpoint-attribute might work in common remote access scenarios where users are identified by their unique Calling-Station-Id, but in other scenarios the user name might be in a different attribute.

    config user radius
        edit "Local RSSO Agent"
            set rsso-endpoint-attribute <attribute>
            set sso-attribute <attribute>
        next
    end
  5. Add the local RSSO user group to a firewall policy.

Verifying the RSSO configuration

Verification requires a working remote RADIUS server configured for RADIUS accounting forwarding and wireless or wired clients that use RADIUS for user authentication.

For a quick test, you can use one of the publicly available RADIUS test tools to send RADIUS accounting start and stop messages to the FortiGate. You can also use radclient.

To verify the RSSO configuration:
  1. In radclient, enter the RADIUS attributes. These attributes are then executed with the FortiGate IP parameters (sends accounting messages to port 1813) and shared password you configured. -x is used for verbose output:
    root@ControlPC:~# echo "Acct-Status-Type =Start,Framed-Ip-Address=10.1.100.185,User-Name=test2,Acct-Session-Id=0211a4ef,Class=group1,Calling-Station-Id=00-0c-29-44-BE-B8" |  radclient -x 10.1.100.1 acct 123456                    
    Sending Accounting-Request of id 180 to 10.1.100.1 port 1813
            Acct-Status-Type = Start
            Framed-IP-Address = 10.1.100.185
            User-Name = "test2"
            Acct-Session-Id = "0211a4ef"
            Class = 0x67726f757031
            Calling-Station-Id = "00-0c-29-44-BE-B8"
    rad_recv: Accounting-Response packet from host 10.1.100.1 port 1813, id=180, length=20
    root@ControlPC:~#
  2. Verify that the user is in the local firewall user list with the correct type (rsso) and local firewall group (rsso-group1):
    # diagnose firewall auth l
    
    10.1.100.185, test2
            type: rsso, id: 0, duration: 5, idled: 5
            flag(10): radius
            server: vdom1
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 3
            group_name: rsso-group-1
    
    ----- 1 listed, 0 filtered ------					

RADIUS single sign-on (RSSO) agent

With RSSO, a FortiGate can authenticate users who have authenticated on a remote RADIUS server. Based on which user group the user belongs to, the security policy applies the appropriate UTM profiles.

The FortiGate does not interact with the remote RADIUS server; it only monitors RADIUS accounting records that the server forwards (originating from the RADIUS client). These records include the user IP address and user group. The remote RADIUS server sends the following accounting messages to the FortiGate:

Message

Action

Start If the information in the start message matches the RSSO configuration on the FortiGate, the user is added to the local list of authenticated firewall users.
Stop The user is removed from the local list of authenticated firewall users because the user session no longer exists on the RADIUS server.

You can configure an RSSO agent connector using the FortiOSGUI; however, in most cases, you will need to use the CLI. There are some default options you may need to modify, which can only be done in the CLI.

To configure an RSSO agent connector:
  1. Create the new connector:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New.
    3. In the Endpoint/Identity section, click RADIUS Single Sign-On Agent. The New Fabric Connector pane opens.
    4. Enter the connector name.
    5. Enable Use RADIUS Shared Secret.
      Note

      The value entered in Use RADIUS Shared Secret must be identical to what the remote RADIUS server uses to authenticate when it sends RADIUS accounting messages to the FortiGate.

    6. Enable Send RADIUS Responses.
      Tooltip

      You should enable Send RADIUS Responses because some RADIUS servers continue to send the same RADIUS accounting message several times if there is no response.

    7. Click OK.

  2. Edit the network interface:
    1. Go to Network > Interfaces.
    2. Double-click the interface that will receive the RADIUS accounting messages. The Edit Interface pane opens.
    3. In the Administrative Access section, select the RADIUS Accounting checkbox. This will open listening for port 1813 on this interface. The FortiGate will then be ready to receive RADIUS accounting messages.
    4. Click OK.

  3. Create a local RSSO user group:
    1. Go to User & Authentication > User Groups.
    2. Click Create New.
    3. Enter the group name.
    4. For the Type field, click RADIUS Single-Sign-ON (RSSO).
    5. Enter a value for RADIUS Attribute Value.

      This value by default is the class attribute. The FortiGate uses the content of this attribute in RADIUS accounting start messages to map a user to a FortiGate group, which then can be used in firewall policies.

      In this example configuration, the FortiGate will only add a remote RADIUS user to the local firewall user list if the class attribute in the RADIUS accounting START message contains the value group1.

      Note

      If your users are in multiple groups, you will need to add another local RSSO user group.

      Note

      If the RADIUS attribute value used to map users to a local RSSO group is different than the RADIUS attribute in the RADIUS accounting messages forwarded by the server, you must change it in the CLI.

    6. Click OK.

  4. Edit the local RSSO agent to modify default options using the CLI.

    For example, the default value for rsso-endpoint-attribute might work in common remote access scenarios where users are identified by their unique Calling-Station-Id, but in other scenarios the user name might be in a different attribute.

    config user radius
        edit "Local RSSO Agent"
            set rsso-endpoint-attribute <attribute>
            set sso-attribute <attribute>
        next
    end
  5. Add the local RSSO user group to a firewall policy.

Verifying the RSSO configuration

Verification requires a working remote RADIUS server configured for RADIUS accounting forwarding and wireless or wired clients that use RADIUS for user authentication.

For a quick test, you can use one of the publicly available RADIUS test tools to send RADIUS accounting start and stop messages to the FortiGate. You can also use radclient.

To verify the RSSO configuration:
  1. In radclient, enter the RADIUS attributes. These attributes are then executed with the FortiGate IP parameters (sends accounting messages to port 1813) and shared password you configured. -x is used for verbose output:
    root@ControlPC:~# echo "Acct-Status-Type =Start,Framed-Ip-Address=10.1.100.185,User-Name=test2,Acct-Session-Id=0211a4ef,Class=group1,Calling-Station-Id=00-0c-29-44-BE-B8" |  radclient -x 10.1.100.1 acct 123456                    
    Sending Accounting-Request of id 180 to 10.1.100.1 port 1813
            Acct-Status-Type = Start
            Framed-IP-Address = 10.1.100.185
            User-Name = "test2"
            Acct-Session-Id = "0211a4ef"
            Class = 0x67726f757031
            Calling-Station-Id = "00-0c-29-44-BE-B8"
    rad_recv: Accounting-Response packet from host 10.1.100.1 port 1813, id=180, length=20
    root@ControlPC:~#
  2. Verify that the user is in the local firewall user list with the correct type (rsso) and local firewall group (rsso-group1):
    # diagnose firewall auth l
    
    10.1.100.185, test2
            type: rsso, id: 0, duration: 5, idled: 5
            flag(10): radius
            server: vdom1
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 3
            group_name: rsso-group-1
    
    ----- 1 listed, 0 filtered ------