Support for Okta RADIUS attributes filter-Id and class
RADIUS user group membership information can be returned in the filter-Id (11) and class (25) attributes in RADIUS Access-Accept messages. The group membership information can be used for group matching in FortiGate user groups in firewall policies and for FortiGate wildcard administrators with remote RADIUS authentication.
In this example, a FortiAuthenticator is used as the RADIUS server. A local RADIUS user on the FortiAuthenticator is configure with two groups in the filter-Id attribute: okta-group1 and okta-group2.
To create the RADIUS user and set the attribute type to override group information:
config user radius edit "FAC193" set server "10.1.100.189" set secret ********** set group-override-attr-type filter-Id next end
FortiOS will only use the configured filter-Id attribute, even if the RADIUS server sends group names in both class and filter-id attributes. To return group membership information from the class attribute instead, set
To configure group match in the user group:
- Go to User & Authentication > User Groups.
- Click Create New.
- Enter a name for the group, and set Type to Firewall.
- In the Remote Groups table, click Add.
- Set Remote Server to the just created RADIUS server, FAC193.
- Set Groups to Specify, and enter the group name,
okta-group2. The string must match the group name configured on the RADIUS server for the filter-Id attribute.
- Click OK.
The remote server is added to the Remote Groups table.
- Click OK.
- Add the new user group to a firewall policy and generate traffic on the client PC that requires firewall authentication, such as connecting to an external web server.
- After authentication, on the FortiGate, verify that traffic is authorized in the traffic log:
- Go to Log & Report > Forward Traffic.
- Verify that the traffic was authorized.
To use the remote user group with group match in a system wildcard administrator configuration:
- Go to System > Administrators.
- Edit an existing administrator, or create a new one.
- Set Type to Match all users in a remote server group.
- Set Remote User Group to the remote server.
- Configure the remaining settings as required.
- Click OK.
- Log in to the FortiGate using the remote user credentials on the RADIUS server.
If the correct group name is returned in the filter-Id attribute, administrative access is allowed.