RADIUS single sign-on agent

With RADIUS single sign-on (RSSO), a FortiGate can authenticate users who have authenticated on a remote RADIUS server. Based on which user group the user belongs to, the security policy applies the appropriate UTM profiles.

The FortiGate does not interact with the remote RADIUS server; it only monitors RADIUS accounting records that the server forwards (originating from the RADIUS client). These records include the user IP address and user group. The remote RADIUS server sends the following accounting messages to the FortiGate:

Message | Action
Start   | If the information in the Start message matches the RSSO configuration on the FortiGate, the user is added to the local list of authenticated firewall users.
Stop    | The user is removed from the local list of authenticated firewall users because the user session no longer exists on the RADIUS server.
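The following is an added illustration of the accounting flow described above: a small listener that keeps a local user table driven by Start and Stop records, checks each Accounting-Request authenticator against the shared secret before acting on it, and builds the Accounting-Response. It is example code written for this page, not FortiOS code. It assumes the user IP arrives in the Framed-IP-Address attribute and the group in the Class attribute, and that a request whose authenticator does not verify under the shared secret is dropped without a response; those are assumptions of the example, not statements about how FortiOS behaves.

```python
"""Minimal RADIUS accounting (RFC 2866) listener modelled on RSSO Start/Stop handling.
Added example, not FortiOS code. Attribute choices (Framed-IP-Address for the user
IP, Class for the group) are assumptions of this example."""
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_CLASS, ATTR_ACCT_STATUS = 1, 8, 25, 40
STATUS_START, STATUS_STOP = 1, 2


def parse_attributes(data):
    """Split the attribute region into (type, value) pairs; reject bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def request_authenticator(header, attributes, secret):
    """RFC 2866 s.3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()


def verify_accounting_request(packet, secret):
    """True only for a well-formed Accounting-Request whose authenticator was
    computed with the same shared secret; any other secret fails the comparison."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = request_authenticator(packet[:4], packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_request(ident, attrs, secret):
    """Construct a sample Accounting-Request (used here only to make test traffic)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + request_authenticator(header, body, secret) + body


def build_accounting_response(request, secret):
    """RFC 2866 s.3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


class RssoUserTable:
    """Local list of authenticated users keyed by IP, updated by Start/Stop records."""

    def __init__(self, secret):
        self.secret = secret
        self.users = {}  # ip -> (user name, group)

    def handle(self, packet):
        """Process one datagram. Returns the Accounting-Response to send back, or
        None when the packet did not authenticate (dropped, table untouched)."""
        if not verify_accounting_request(packet, self.secret):
            return None
        fields = {}
        for attr_type, value in parse_attributes(packet[20:]):
            fields.setdefault(attr_type, value)  # first occurrence wins
        status, ip = fields.get(ATTR_ACCT_STATUS), fields.get(ATTR_FRAMED_IP)
        if status is not None and len(status) == 4 and ip is not None and len(ip) == 4:
            ip = str(ipaddress.IPv4Address(ip))
            status = struct.unpack("!I", status)[0]
            if status == STATUS_START:
                user = fields.get(ATTR_USER_NAME, b"").decode(errors="replace")
                group = fields.get(ATTR_CLASS, b"").decode(errors="replace")
                self.users[ip] = (user, group)
            elif status == STATUS_STOP:
                self.users.pop(ip, None)
        return build_accounting_response(packet, self.secret)


if __name__ == "__main__":
    # Constructed sample traffic: one Start for 10.0.0.5, then a Stop.
    secret = b"example-shared-secret"
    table = RssoUserTable(secret)
    start = build_accounting_request(7, [
        (ATTR_USER_NAME, b"alice"), (ATTR_FRAMED_IP, bytes([10, 0, 0, 5])),
        (ATTR_CLASS, b"Sales"), (ATTR_ACCT_STATUS, struct.pack("!I", STATUS_START))], secret)
    print(table.handle(start).hex(), table.users)
    stop = build_accounting_request(8, [
        (ATTR_FRAMED_IP, bytes([10, 0, 0, 5])),
        (ATTR_ACCT_STATUS, struct.pack("!I", STATUS_STOP))], secret)
    print(table.handle(stop).hex(), table.users)
```

The point of the authenticator check is the one the shared-secret setting protects: an accounting record from a sender that does not hold the same secret fails verification and is neither answered nor allowed to add or remove a firewall user.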

You can configure an RSSO agent connector using the FortiOS GUI; however, in most cases you will also need the CLI, because some default options you may need to modify can only be changed there.

To configure an RSSO agent connector:
  1. Create the new connector:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New.
    3. In the Endpoint/Identity section, click RADIUS Single Sign-On Agent. The New Fabric Connector pane opens.
    4. Enter the connector name.
    5. Enable Use RADIUS Shared Secret.
      Note: The value entered in Use RADIUS Shared Secret must be identical to the secret the remote RADIUS server uses to authenticate when it sends RADIUS accounting messages to the FortiGate.

    6. Enable Send RADIUS Responses.