Using a comma as a group delimiter in RADIUS accounting messages
The set delimiter RADIUS option allows the FortiGate to set the RADIUS accounting message group delimiter to a comma (,) instead of a plus sign (+) when using RSSO. The default delimiter is still a plus sign.
config user radius
    edit <name>
        set delimiter {plus | comma}
    next
end
Example
In this example, the FortiGate is configured for RSSO. The FortiGate will read accounting messages from the RADIUS server to determine which user is logged in to which group.
Two users, test1 and test2, each belong to multiple groups. The RADIUS server sends accounting messages in which the groups are delimited by commas. With the comma delimiter configured, the FortiGate parses the group list correctly and assigns each user to the matching RSSO user group: test1 belongs to the rsso1 group, and test2 belongs to the rsso-group group.
To configure a comma delimiter in RADIUS accounting messages:
- Configure the RADIUS server entry:
config user radius
    edit "rsso1"
        set rsso enable
        set rsso-radius-response enable
        set rsso-secret **********
        set rsso-endpoint-attribute User-Name
        set delimiter comma
    next
end
- Configure the RSSO user groups:
config user group
    edit "rsso1"
        set group-type rsso
        set sso-attribute-value "group3"
    next
    edit "rsso-group"
        set group-type rsso
        set sso-attribute-value "group1"
    next
end
Both users should be authenticated into the correct FortiGate RSSO groups. When the users log off and the FortiGate receives an RSSO logoff event notification, the users should be removed from the list of authenticated firewall users.
To verify that the users are parsed to the correct groups:
- Enable RADIUS debugging messages and verify the RADIUS accounting events:
# diagnose debug application radiusd -1
# diagnose debug enable
...
Received radius accounting event
vd 0:root Add/Update auth logon for IP 10.1.100.188 for user test1
DB 0 insert [ep='test1' pg='groupX,group5,group3' ip='10.1.100.188/32'] success
Send accounting response
Received radius accounting event
vd 0:root Add/Update auth logon for IP 10.1.100.185 for user test2
DB 0 insert [ep='test2' pg='groupY,group6,group1' ip='10.1.100.185/32'] success
Send accounting response
- Verify the list of authenticated firewall users:
# diagnose firewall auth list l
10.1.100.185, test2
        type: rsso, id: 0, duration: 18, idled: 18
        flag(10): radius
        server: root
        packets: in 0 out 3, bytes: in 0 out 152
        group_id: 15
        group_name: rsso-group
10.1.100.188, test1
        type: rsso, id: 0, duration: 44, idled: 44
        flag(10): radius
        server: root
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 34
        group_name: rsso1
----- 2 listed, 0 filtered ------
- Once the RSSO logoff events are triggered, verify the RADIUS accounting events in the debugging messages:
...
Received radius accounting event
vd 0:root Remove auth logon for IP 10.1.100.188 for user test1
DB 0 remove by IP [ep='test1' pg='groupX,group5,group3' ip='10.1.100.188/32'] success
Send accounting response
Received radius accounting event
vd 0:root Remove auth logon for IP 10.1.100.185 for user test2
DB 0 remove by IP [ep='test2' pg='groupY,group6,group1' ip='10.1.100.185/32'] success
Send accounting response
- Verify the list of authenticated firewall users. Both users have logged off, so no firewall users are listed:
# diagnose firewall auth list l
----- 0 listed, 0 filtered ------
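The following Python script is an added example, not FortiOS code and not part of the original page. It models the behaviour the configuration and verification steps above describe: the group attribute value carried in an accounting message is split on the configured delimiter, the resulting names are matched against the sso-attribute-value of each RSSO user group, and the ep/pg/ip fields are extracted from radiusd debug lines of the form shown above. It also shows the failure mode the delimiter option exists to fix: with the default plus delimiter, a comma-separated value such as groupX,group5,group3 is treated as one group name and matches nothing. The group attribute is assumed here to be the RADIUS Class attribute; the sample events and debug lines are constructed, and the names RSSO_GROUPS, DELIMITERS, process_event and parse_debug_line are chosen for this example.

```python
import re

# Constructed sample: the RSSO user groups from the configuration above,
# keyed by FortiGate group name, with each group's sso-attribute-value.
RSSO_GROUPS = {
    "rsso1": "group3",
    "rsso-group": "group1",
}

# The two values accepted by `set delimiter {plus | comma}`.
DELIMITERS = {"plus": "+", "comma": ","}

# Constructed sample accounting events. "groups" models the value of the
# RADIUS group attribute (assumed to be Class) as sent by the RADIUS server.
SAMPLE_EVENTS = [
    {"User-Name": "test1", "ip": "10.1.100.188", "groups": "groupX,group5,group3"},
    {"User-Name": "test2", "ip": "10.1.100.185", "groups": "groupY,group6,group1"},
]

# Constructed sample lines in the format of the radiusd debug output above.
SAMPLE_DEBUG_LINES = [
    "DB 0 insert [ep='test1' pg='groupX,group5,group3' ip='10.1.100.188/32'] success",
    "DB 0 remove by IP [ep='test2' pg='groupY,group6,group1' ip='10.1.100.185/32'] success",
]

# Matches the "DB <n> insert|remove by IP [ep=... pg=... ip=...] <result>" lines.
DEBUG_RE = re.compile(
    r"DB \d+ (?P<op>insert|remove by IP) "
    r"\[ep='(?P<ep>[^']*)' pg='(?P<pg>[^']*)' ip='(?P<ip>[^']*)'\] (?P<result>\w+)"
)


def split_groups(value, delimiter="plus"):
    """Split the group attribute value on the configured delimiter character."""
    sep = DELIMITERS[delimiter]
    return [g.strip() for g in value.split(sep) if g.strip()]


def match_rsso_groups(group_names, rsso_groups=RSSO_GROUPS):
    """Return the RSSO groups whose sso-attribute-value appears in group_names."""
    return sorted(name for name, attr in rsso_groups.items() if attr in group_names)


def process_event(event, delimiter="plus"):
    """Model the logon handling: split the groups, then pick the RSSO groups."""
    groups = split_groups(event["groups"], delimiter)
    return {
        "ep": event["User-Name"],      # rsso-endpoint-attribute User-Name
        "ip": event["ip"],
        "pg": groups,
        "rsso_groups": match_rsso_groups(groups),
    }


def parse_debug_line(line, delimiter="comma"):
    """Extract ep/pg/ip from a radiusd DB debug line; None for other lines."""
    m = DEBUG_RE.search(line)
    if not m:
        return None
    groups = split_groups(m.group("pg"), delimiter)
    return {
        "op": m.group("op"),
        "ep": m.group("ep"),
        "ip": m.group("ip"),
        "pg": groups,
        "rsso_groups": match_rsso_groups(groups),
        "success": m.group("result") == "success",
    }


if __name__ == "__main__":
    # Same events parsed with the default delimiter and with the comma delimiter.
    for delim in ("plus", "comma"):
        for ev in SAMPLE_EVENTS:
            r = process_event(ev, delim)
            print(f"delimiter={delim:5} user={r['ep']} pg={r['pg']} "
                  f"-> {r['rsso_groups'] or 'no RSSO group matched'}")
    for line in SAMPLE_DEBUG_LINES:
        print(parse_debug_line(line))
```

Running the script with the default plus delimiter leaves both users without a matching RSSO group, which is the symptom to look for in the radiusd debug output when a RADIUS server sends comma-separated group lists; switching to the comma delimiter resolves test1 to rsso1 and test2 to rsso-group, as the diagnose firewall auth list output above shows.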