Configuring RADIUS SSO authentication
A common RADIUS SSO (RSSO) topology involves a medium-sized company network of users connecting to the Internet through the FortiGate and authenticating with a RADIUS server. The following describes how to configure FortiOS for this scenario. The example makes the following assumptions:
- VDOMs are not enabled.
- The super_admin account is used for all FortiGate configuration.
- A RADIUS server is installed on a server or FortiAuthenticator and uses default attributes.
- BGP is used for any dynamic routing.
- You have configured authentication event logging under Log & Report.
Example.com has an office with 20 users on the internal network who need access to the Internet. The office network is protected by a FortiGate-60C with access to the Internet through the wan1 interface, the user network on the internal interface, and all servers on the DMZ interface. This includes an Ubuntu server running FreeRADIUS. This example configures two users:
User | Account |
---|---|
Pat Lee | plee@example.com |
Kelly Green | kgreen@example.com |
Configuring this example consists of the following steps:
- Configure RADIUS.
- Configure FortiGate interfaces.
- Configure an RSSO agent.
- Create an RSSO user group.
- Configure security policies.
- Test the configuration.
To configure RADIUS:
Configuring RADIUS includes configuring a RADIUS server such as FreeRADIUS on the users' computers and configuring users in the system. In this example, Pat and Kelly belong to the exampledotcom_employees group. After completing the configuration, you must start the RADIUS daemon. The users have a RADIUS client installed on their PCs that allows them to authenticate through the RADIUS server.
For any problems installing FreeRADIUS, see the FreeRADIUS documentation.
To configure FortiGate interfaces:
You must define a DHCP server for the internal network, as this network type typically uses DHCP. The wan1 and dmz interfaces are assigned static IP addresses and do not need a DHCP server. The following table shows the FortiGate interfaces used in this example:
Interface | Subnet | Act as DHCP server | Devices |
---|---|---|---|
wan1 | 172.20.120.141 | No | Internet service provider |
dmz | 10.11.101.100 | No | Servers including RADIUS server |
internal | 10.11.102.100 | Yes: x.x.x.110-250 | Internal user network |
- Go to Network > Interfaces.
- Edit wan1:

Setting | Value |
---|---|
Alias | Internet |
Addressing Mode | Manual |
IP/Network Mask | 172.20.120.141/255.255.255.0 |
Administrative Access | HTTPS, SSH |
Enable DHCP Server | Not selected |
Comments | Internet |
Administrative Status | Up |
- Click OK.
- Edit dmz:

Setting | Value |
---|---|
Alias | Servers |
Addressing Mode | Manual |
IP/Network Mask | 10.11.101.100/255.255.255.0 |
Administrative Access | HTTPS, SSH, PING, SNMP |
Enable DHCP Server | Not selected |
Listen for RADIUS Accounting Messages | Select |
Comments | Servers |
Administrative Status | Up |
- Click OK.
- Edit internal:

Setting | Value |
---|---|
Alias | Internal network |
Addressing Mode | Manual |
IP/Network Mask | 10.11.102.100/255.255.255.0 |
Administrative Access | HTTPS, SSH, PING |
Enable DHCP Server | Select |
Address Range | 10.11.102.110 - 10.11.102.250 |
Netmask | 255.255.255.0 |
Default Gateway | Same as Interface IP |
Comments | Internal network |
Administrative Status | Up |
To create a RADIUS SSO agent:
- Go to Security Fabric > External Connectors.
- Click Create New.
- Under Endpoint/Identity, select RADIUS Single Sign-On Agent.
- Enable Use RADIUS Shared Secret. Enter the RADIUS server's shared secret.
- Enable Send RADIUS Responses. Click OK.
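On the wire, "Listen for RADIUS Accounting Messages" on dmz and "Use RADIUS Shared Secret" on the agent mean the FortiGate accepts RADIUS Accounting-Request packets from the DMZ server and can discard any whose Request Authenticator was not computed with the shared secret. The Python below is an added example, not Fortinet's code or this document's: it builds a constructed Accounting-Start for Pat Lee and then validates and parses it the way an RSSO agent would; the placeholder secret, the client IP from the internal DHCP range, and the mapping of Class to the group name and User-Name to the endpoint are assumptions for illustration.

```python
import hashlib
import ipaddress
import struct

ACCT_REQUEST = 4                       # RADIUS code for Accounting-Request
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS = 1, 8, 25, 40   # attribute types
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_accounting_request(identifier, attrs, secret):
    # RFC 2866: Request Authenticator = MD5(header || 16 zero bytes || attrs || secret)
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_accounting_request(packet, secret):
    """Verify the shared-secret authenticator, then extract the fields an RSSO agent
    maps to a session. Returns None if the packet is malformed or the secret is wrong."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    body = packet[20:]
    if hashlib.md5(packet[:4] + bytes(16) + body + secret).digest() != packet[4:20]:
        return None                    # wrong secret or tampered: message discarded
    fields, pos = {}, 0
    while pos + 2 <= len(body):        # walk the TLV attribute list
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None                # truncated or zero-length attribute
        value = body[pos + 2:pos + alen]
        if atype == USER_NAME:
            fields["user"] = value.decode()
        elif atype == FRAMED_IP:
            fields["ip"] = str(ipaddress.IPv4Address(value))
        elif atype == CLASS:
            fields["group"] = value.decode()
        elif atype == ACCT_STATUS:
            fields["status"] = STATUS.get(struct.unpack("!I", value)[0])
        pos += alen
    return fields

# Constructed sample: Pat Lee's Accounting-Start as the DMZ FreeRADIUS would send it.
# The secret is a placeholder (not the page's); the IP is from the internal DHCP range.
SECRET = b"placeholder-shared-secret"
SAMPLE = build_accounting_request(7, [(USER_NAME, b"plee@example.com"),
    (FRAMED_IP, ipaddress.IPv4Address("10.11.102.110").packed),
    (CLASS, b"exampledotcom_employees"), (ACCT_STATUS, struct.pack("!I", 1))], SECRET)
```

A packet built with a different secret, or altered in transit, fails the authenticator check and yields no session, which is why the shared secret should be set on both the RADIUS server and the agent.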
To create a RADIUS SSO user group:
- Go to User & Authentication > User Groups.
- Click Create New.
- For Type, select RADIUS Single Sign-On (RSSO).
- In RADIUS Attribute Value, enter the name of the RADIUS user group that this local user group represents.
- Click OK.
Configuring security policies
The following security policies are required for RADIUS SSO:
Sequence Number | From |
---|---|