Configuring RADIUS SSO authentication

A common RADIUS SSO (RSSO) topology involves a medium-sized company network of users connecting to the Internet through the FortiGate and authenticating with a RADIUS server. The following describes how to configure FortiOS for this scenario. The example makes the following assumptions:

  • VDOMs are not enabled.
  • The super_admin account is used for all FortiGate configuration.
  • A RADIUS server is installed on a server or FortiAuthenticator and uses default attributes.
  • BGP is used for any dynamic routing.
  • You have configured authentication event logging under Log & Report.

Example.com has an office with 20 users on the internal network who need access to the Internet. The office network is protected by a FortiGate-60C with access to the Internet through the wan1 interface, the user network on the internal interface, and all servers on the DMZ interface. This includes an Ubuntu server running FreeRADIUS. This example configures two users:

User         Account
Pat Lee      plee@example.com
Kelly Green  kgreen@example.com

Configuring this example consists of the following steps:

  1. Configure RADIUS.
  2. Configure FortiGate interfaces.
  3. Configure an RSSO agent.
  4. Create a RSSO user group.
  5. Configure security policies.
  6. Test the configuration.

To configure RADIUS:

Configuring RADIUS includes configuring a RADIUS server such as FreeRADIUS on users' computers and configuring users in the system. In this example, Pat and Kelly belong to the exampledotcom_employees group. After completing the configuration, you must start the RADIUS daemon. The users have a RADIUS client installed on their PCs that allows them to authenticate through the RADIUS server.

For any problems installing FreeRADIUS, see the FreeRADIUS documentation.

To configure FortiGate interfaces:

You must define a DHCP server for the internal network, as this network type typically uses DHCP. The wan1 and dmz interfaces are assigned static IP addresses and do not need a DHCP server. The following table shows the FortiGate interfaces used in this example:

Interface  Subnet          Act as DHCP server  Devices
wan1       172.20.120.141  No                  Internet service provider
dmz        10.11.101.100   No                  Servers including RADIUS server
internal   10.11.102.100   Yes: x.x.x.110-250  Internal user network

  1. Go to Network > Interfaces.
  2. Edit wan1:

    Alias: Internet
    Addressing Mode: Manual
    IP/Network Mask: 172.20.120.141/255.255.255.0
    Administrative Access: HTTPS, SSH
    Enable DHCP Server: Not selected
    Comments: Internet
    Administrative Status: Up

  3. Click OK.
  4. Edit dmz:

    Alias: Servers
    Addressing Mode: Manual
    IP/Network Mask: 10.11.101.100/255.255.255.0
    Administrative Access: HTTPS, SSH, PING, SNMP
    Enable DHCP Server: Not selected
    Listen for RADIUS Accounting Messages: Select
    Comments: Servers
    Administrative Status: Up

  5. Click OK.
  6. Edit internal:

    Alias: Internal network
    Addressing Mode: Manual
    IP/Network Mask: 10.11.102.100/255.255.255.0
    Administrative Access: HTTPS, SSH, PING
    Enable DHCP Server: Select
    Address Range: 10.11.102.110 - 10.11.102.250
    Netmask: 255.255.255.0
    Default Gateway: Same as Interface IP
    Comments: Internal network
    Administrative Status: Up

To create a RADIUS SSO agent:
  1. Go to Security Fabric > External Connectors.
  2. Click Create New.
  3. Under Endpoint/Identity, select RADIUS Single Sign-On Agent.
  4. Enable Use RADIUS Shared Secret. Enter the RADIUS server's shared secret.
  5. Enable Send RADIUS Responses. Click OK.

To create a RADIUS SSO user group:
  1. Go to User & Authentication > User Groups.
  2. Click Create New.
  3. For Type, select RADIUS Single Sign-On (RSSO).
  4. In RADIUS Attribute Value, enter the name of the RADIUS user group that this local user group represents.
  5. Click OK.
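As an added illustration (not part of this Fortinet guide and not FortiOS code), the following Python shows what the two settings above amount to on the wire: the shared secret is what lets the receiver verify the Request Authenticator of each RADIUS Accounting-Request it listens for on the dmz interface, and the RADIUS Attribute Value is compared with the group name carried in the Class attribute. It assumes the FortiOS defaults of User-Name as the endpoint attribute and Class as the group attribute; the secret, users and packets are constructed samples.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2865/2866 values. Assumed RSSO defaults: User-Name identifies the endpoint, Class names the group.
ACCT_REQUEST, ACCT_START, ACCT_STOP = 4, 1, 2
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_CLASS, ATTR_ACCT_STATUS = 1, 8, 25, 40
SECRET = b"constructed-shared-secret"  # constructed sample value, not a real secret

def build_acct_request(ident, attrs, secret=SECRET):
    """Build an Accounting-Request as a RADIUS server would; used here only to create sample input."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_acct_request(pkt, secret=SECRET):
    """Verify the authenticator with the shared secret, then extract user, IP, groups and event."""
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("Request Authenticator mismatch: wrong secret or spoofed packet")
    attrs, pos = {}, 0
    while pos < len(body):  # TLV walk with bounds checks: Type(1) Length(1, includes header) Value
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.setdefault(body[pos], []).append(body[pos + 2:pos + body[pos + 1]])
        pos += body[pos + 1]
    if {ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_STATUS} - set(attrs):
        raise ValueError("required attribute missing")
    status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS][0])[0]
    return {
        "user": attrs[ATTR_USER_NAME][0].decode(),
        "ip": str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP][0])),
        "groups": [c.decode() for c in attrs.get(ATTR_CLASS, [])],
        "event": {ACCT_START: "logon", ACCT_STOP: "logoff"}.get(status, "other"),
    }

def matches_rsso_group(info, attribute_value="exampledotcom_employees"):
    """True when a logon's Class attribute names the group that the RSSO user group represents."""
    return info["event"] == "logon" and attribute_value in info["groups"]

# Constructed sample: Pat Lee logs on from an address in the internal interface's DHCP range
SAMPLE_START = build_acct_request(7, [(ATTR_USER_NAME, b"plee@example.com"),
    (ATTR_FRAMED_IP, ipaddress.IPv4Address("10.11.102.110").packed),
    (ATTR_CLASS, b"exampledotcom_employees"), (ATTR_ACCT_STATUS, struct.pack("!I", ACCT_START))])
```

A packet whose authenticator was computed with a different secret, or whose attributes were altered in transit, is rejected before any user-to-IP mapping is derived from it.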

Configuring security policies

The following security policies are required for RADIUS SSO:

Sequence Number

From