Version:

Version:


Table of Contents

New Features

Download PDF
Copy Link

Using a comma as a group delimiter in RADIUS accounting messages

The set delimiter RADIUS option allows the FortiGate to set the RADIUS accounting message group delimiter to a comma (,) instead of a plus sign (+) when using RSSO. The default delimiter is still a plus sign.

config user radius
    edit <name>
        set delimiter {plus | comma}
    next
end

Example

In this example, the FortiGate is configured for RSSO. The FortiGate will read accounting messages from the RADIUS server to determine which user is logged in to which group.

Two users, test1 and test2, belong to multiple groups. The RADIUS server sends accounting messages where groups are delimited by commas. With the comma delimiter, the FortiGate can parse the groups properly and assign users to the correct user group. User test1 belongs to the rsso1 group, and test2 belongs to the rsso-group group.

To configure a comma delimiter in RADIUS accounting messages:
  1. Configure the RADIUS server entry:
    config user radius
        edit "rsso1"
            set rsso enable
            set rsso-radius-response enable
            set rsso-secret **********
            set rsso-endpoint-attribute User-Name
            set delimiter comma
        next
    end
  2. Configure the RSSO user groups:
    config user group
    	edit "rsso1"
            set group-type rsso
            set sso-attribute-value "group3"
    	next
    	edit "rsso-group"
            set group-type rsso
            set sso-attribute-value "group1"
        next
    end

Both users should be authenticated with the correct FortiGate RSSO groups. When the users log off and the FortiGate receives a RSSO logoff event notification, the users should be removed from the list of authenticated firewall users.

To verify that the users are parsed to the correct groups:
  1. Enable RADIUS debugging messages and verify the RADIUS accounting events:
    # diagnose debug application radiusd -1
    # diagnose debug enable 
    ...
    Received radius accounting event
    vd 0:root Add/Update auth logon for IP 10.1.100.188 for user test1
    DB 0 insert [ep='test1' pg='groupX,group5,group3' ip='10.1.100.188/32'] success
    Send accounting response
    Received radius accounting event
    vd 0:root Add/Update auth logon for IP 10.1.100.185 for user test2
    DB 0 insert [ep='test2' pg='groupY,group6,group1' ip='10.1.100.185/32'] success
    Send accounting response
  2. Verify the list of authenticated firewall users:
    # diagnose firewall auth list l
    
    10.1.100.185, test2
            type: rsso, id: 0, duration: 18, idled: 18
            flag(10): radius
            server: root
            packets: in 0 out 3, bytes: in 0 out 152
            group_id: 15
            group_name: rsso-group
    10.1.100.188, test1
            type: rsso, id: 0, duration: 44, idled: 44
            flag(10): radius
            server: root
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 34
            group_name: rsso1
    
    ----- 2 listed, 0 filtered ------
  3. Once the RSSO logoff events are triggered, verify the RADIUS accounting events in the debugging messages:
    ...
    Received radius accounting event
    vd 0:root Remove auth logon for IP 10.1.100.188 for user test1
    DB 0 remove by IP [ep='test1' pg='groupX,group5,group3' ip='10.1.100.188/32'] success
    Send accounting response
    Received radius accounting event
    vd 0:root Remove auth logon for IP 10.1.100.185 for user test2
    DB 0 remove by IP [ep='test2' pg='groupY,group6,group1' ip='10.1.100.185/32'] success
    Send accounting response
  4. Verify the list of authenticated firewall users. Both users logged off, so there are no firewall users:
    # diagnose firewall auth list l
    
    ----- 0 listed, 0 filtered ------

Using a comma as a group delimiter in RADIUS accounting messages

The set delimiter RADIUS option allows the FortiGate to set the RADIUS accounting message group delimiter to a comma (,) instead of a plus sign (+) when using RSSO. The default delimiter is still a plus sign.

config user radius
    edit <name>
        set delimiter {plus | comma}
    next
end

Example

In this example, the FortiGate is configured for RSSO. The FortiGate will read accounting messages from the RADIUS server to determine which user is logged in to which group.

Two users, test1 and test2, belong to multiple groups. The RADIUS server sends accounting messages where groups are delimited by commas. With the comma delimiter, the FortiGate can parse the groups properly and assign users to the correct user group. User test1 belongs to the rsso1 group, and test2 belongs to the rsso-group group.

To configure a comma delimiter in RADIUS accounting messages:
  1. Configure the RADIUS server entry:
    config user radius
        edit "rsso1"
            set rsso enable
            set rsso-radius-response enable
            set rsso-secret **********
            set rsso-endpoint-attribute User-Name
            set delimiter comma
        next
    end
  2. Configure the RSSO user groups:
    config user group
    	edit "rsso1"
            set group-type rsso
            set sso-attribute-value "group3"
    	next
    	edit "rsso-group"
            set group-type rsso
            set sso-attribute-value "group1"
        next
    end

Both users should be authenticated with the correct FortiGate RSSO groups. When the users log off and the FortiGate receives a RSSO logoff event notification, the users should be removed from the list of authenticated firewall users.

To verify that the users are parsed to the correct groups:
  1. Enable RADIUS debugging messages and verify the RADIUS accounting events:
    # diagnose debug application radiusd -1
    # diagnose debug enable 
    ...
    Received radius accounting event
    vd 0:root Add/Update auth logon for IP 10.1.100.188 for user test1
    DB 0 insert [ep='test1' pg='groupX,group5,group3' ip='10.1.100.188/32'] success
    Send accounting response
    Received radius accounting event
    vd 0:root Add/Update auth logon for IP 10.1.100.185 for user test2
    DB 0 insert [ep='test2' pg='groupY,group6,group1' ip='10.1.100.185/32'] success
    Send accounting response
  2. Verify the list of authenticated firewall users:
    # diagnose firewall auth list l
    
    10.1.100.185, test2
            type: rsso, id: 0, duration: 18, idled: 18
            flag(10): radius
            server: root
            packets: in 0 out 3, bytes: in 0 out 152
            group_id: 15
            group_name: rsso-group
    10.1.100.188, test1
            type: rsso, id: 0, duration: 44, idled: 44
            flag(10): radius
            server: root
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 34
            group_name: rsso1
    
    ----- 2 listed, 0 filtered ------
  3. Once the RSSO logoff events are triggered, verify the RADIUS accounting events in the debugging messages:
    ...
    Received radius accounting event
    vd 0:root Remove auth logon for IP 10.1.100.188 for user test1
    DB 0 remove by IP [ep='test1' pg='groupX,group5,group3' ip='10.1.100.188/32'] success
    Send accounting response
    Received radius accounting event
    vd 0:root Remove auth logon for IP 10.1.100.185 for user test2
    DB 0 remove by IP [ep='test2' pg='groupY,group6,group1' ip='10.1.100.185/32'] success
    Send accounting response
  4. Verify the list of authenticated firewall users. Both users logged off, so there are no firewall users:
    # diagnose firewall auth list l
    
    ----- 0 listed, 0 filtered ------