Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.1 Administration Guide
    7.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Configuring RADIUS SSO authentication

    Configuring RADIUS SSO authentication

    A common RADIUS SSO (RSSO) topology involves a medium-sized company network of users connecting to the Internet through the FortiGate and authenticating with a RADIUS server. The following describes how to configure FortiOS for this scenario. The example makes the following assumptions:

    • VDOMs are not enabled.
    • The super_admin account is used for all FortiGate configuration.
    • A RADIUS server is installed on a server or FortiAuthenticator and uses default attributes.
    • BGP is used for any dynamic routing.
    • You have configured authentication event logging under Log & Report.

    Example.com has an office with 20 users on the internal network who need access to the Internet. The office network is protected by a FortiGate-60C with access to the Internet through the wan1 interface, the user network on the internal interface, and all servers are on the DMZ interface. This includes an Ubuntu sever running FreeRADIUS. This example configures two users:

    User

    Account

    Pat Lee

    plee@example.com

    Kelly Green

    kgreen@example.com

    Configuring this example consists of the following steps:

    1. Configure RADIUS.
    2. Configure FortiGate interfaces.
    3. Configure a RSSO agent.
    4. Create a RSSO user group.
    5. Configure security policies.
    6. Test the configuration.
    To configure RADIUS:

    Configuring RADIUS includes configuring a RADIUS server such as FreeRADIUS on user's computers and configuring users in the system. In this example, Pat and Kelly belong to the exampledotcom_employees group. After completing the configuration, you must start the RADIUS daemon. The users have a RADIUS client installed on their PCs that allow them to authenticate through the RADIUS server.

    For any problems installing FreeRADIUS, see the FreeRADIUS documentation.

    To configure FortiGate interfaces:

    You must define a DHCP server for the internal network, as this network type typically uses DHCP. The wan1 and dmz interfaces are assigned static IP addresses and do not need a DHCP server. The following table shows the FortiGate interfaces used in this example:

    Interface Subnet Act as DHCP server Devices
    wan1 172.20.120.141 No Internet service provider
    dmz 10.11.101.100 No Servers including RADIUS server
    internal 10.11.102.100 Yes: x.x.x.110-250 Internal user network
    1. Go to Network > Interfaces.
    2. Edit wan1:

      Alias

      Internet

      Addressing Mode

      Manual

      IP/Network Mask

      172.20.120.141/255.255.255.0

      Administrative Access

      HTTPS, SSH

      Enable DHCP Server

      Not selected

      Comments

      Internet

      Administrative Status

      Up

    3. Click OK.
    4. Edit dmz:

      Alias

      Servers

      Addressing Mode

      Manual

      IP/Network Mask

      10.11.101.100/255.255.255.0

      Administrative Access

      HTTPS, SSH, PING, SNMP

      Enable DHCP Server

      Not selected

      Listen for RADIUS Accounting Messages

      Select

      Comments

      Servers

      Administrative Status

      Up

    5. Click OK.
    6. Edit internal:

      Alias

      Internal network

      Addressing Mode

      Manual

      IP/Network Mask

      10.11.102.100/255.255.255.0

      Administrative Access

      HTTPS, SSH, PING

      Enable DHCP Server

      Select

      Address Range

      10.11.102.110 - 10.11.102.250

      Netmask

      255.255.255.0

      Default Gateway

      Same as Interface IP

      Comments

      Internal network

      Administrative Status

      Up

    To create a RADIUS SSO agent:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New.
    3. Under Endpoint/Identity, select RADIUS Single Sign-On Agent.
    4. Enable Use RADIUS Shared Secret. Enter the RADIUS server's shared secret.
    5. Enable Send RADIUS Responses. Click OK.
    To create a RADIUS SSO user group:
    1. Go to User & Authentication > User Groups.
    2. Click Create New.
    3. For Type, select RADIUS Single Sign-On (RSSO).
    4. In RADIUS Attribute Value, enter the name of the RADIUS user group that this local user group represents.
    5. Click OK.

    Configuring security policies

    The following security policies are required for RADIUS SSO:

    Sequence Number

    From

    To

    Type

    Schedule

    Description

    1

    internal

    wan1

    RADIUS SSO

    Business hours

    Authenticate outgoing user traffic

    2

    internal

    wan1

    Regular

    Always

    Allow essential network services and VoIP

    3

    dmz

    wan1

    Regular

    Always

    Allow servers to access the Internet

    4

    internal

    dmz

    Regular

    Always

    Allow users to access servers

    5

    any

    any

    Deny

    Always

    Implicit policy denying all traffic that has not been matched

    You must place the RADIUS SSO policy at the top of the policy list so that it is matched first. The only exception to this is if you have a policy to deny access to a list of banned users. In this case, you must put that policy at the top so that the RADIUS SSO does not mistakenly match a banned user or IP address.

    You must configure lists before creating security policies.

    Schedule

    You must configure a business_hours schedule. You can configure a standard Monday to Friday 8 AM to 5 PM schedule, or whatever days and hours covers standard work hours at the company.

    Address groups

    You must configure the following address groups:

    Name

    Interface

    Address range included

    internal_network

    internal

    10.11.102.110 to 10.11.102.250

    company_servers

    dmz

    10.11.101.110 to 10.11.101.250

    Service groups

    You must configure the service groups. The services listed are suggestions and you may include more or less as required:

    Name

    Interface

    Description of services to be included

    essential_network_services

    internal

    Any network protocols required for normal network operation such as DNS, NTP, BGP

    essential_server_services

    dmz

    All the protocols required by the company servers such as BGP, HTTP, HTTPS, FTP, IMAP, POP3, SMTP, IKE, SQL, MYSQL, NTP, TRACEROUTE, SOCKs, and SNMP

    user_services

    internal

    Any protocols required by users such as HTTP, HTTPS, FTP

    The following security policy configurations are basic and only include logging and default AV and IPS. These policies allow or deny access to non-RADIUS SSO traffic. These are essential as network services including DNS, NTP, and FortiGuard require access to the Internet.

    To configure security policies:
    1. Go to Policy & Objects > Firewall Policy.
    2. Click Create New.
    3. Configure the policy as follows, then click OK:

      Incoming Interface

      Internal

      Source Address

      internal_network

      Outgoing Interface

      wan1

      Destination Address

      all

      Schedule

      always

      Service

      essential_network_services

      Action

      ACCEPT

      NAT

      ON

      Security Profiles

      ON: AntiVirus, IPS

      Log Allowed Traffic

      ON

      Comments

      Essential network services

    4. Click Create New, and configure the new policy as follows, then click OK:

      Incoming Interface

      dmz

      Source Address

      company_servers

      Outgoing Interface

      wan1

      Destination Address

      all

      Schedule

      always

      Service

      essential_server_services

      Action

      ACCEPT

      NAT

      ON

      Security Profiles

      ON: AntiVirus, IPS

      Log Allowed Traffic

      enable

      Comments

      Company servers accessing the Internet

    5. Click Create New, and configure the new policy as follows, then click OK:

      Incoming Interface

      Internal

      Source Address

      internal_network

      Outgoing Interface

      dmz

      Destination Address

      company_servers

      Schedule

      always

      Service

      all

      Action

      ACCEPT

      NAT

      ON

      Security Profiles

      ON: AntiVirus, IPS

      Log Allowed Traffic

      enable

      Comments

      Access company servers

    6. Click Create New, and configure the RADIUS SSO policy as follows, then click OK. This policy allows access for members of specific RADIUS groups.

      Incoming Interface

      Internal

      Source Address

      internal_network

      Source User(s)

      Select the user groups that you created for RSSO.

      Outgoing Interface

      wan1

      Destination Address

      all

      Schedule

      business_hours

      Service

      ALL

      Action

      ACCEPT

      NAT

      ON

      Security Profiles

      ON: AntiVirus, Web Filter, IPS, and Email Filter. In each case, select the default profile.

    7. Place the RSSO policy higher in the security policy list than more general policies for the same interfaces. Click OK.
    To test the configuration:

    Once configured, a user only needs to log in to their PC using their RADIUS account. After that, when they attempt to access the Internet, the FortiGate uses their session information to get their RADIUS information. Once the user is verified, they can access the website.

    1. The user logs on to their PC and tries to access the Internet.
    2. The FortiGate contacts the RADIUS server for the user's information. Once confirmed, the user can access the Internet. Each step generates logs that enable you to verify that each step succeeded.
    3. If a step does not succeed, confirm that your configuration is correct.

    Previous
    Next

    Configuring RADIUS SSO authentication

    Configuring RADIUS SSO authentication

    A common RADIUS SSO (RSSO) topology involves a medium-sized company network of users connecting to the Internet through the FortiGate and authenticating with a RADIUS server. The following describes how to configure FortiOS for this scenario. The example makes the following assumptions:

    • VDOMs are not enabled.
    • The super_admin account is used for all FortiGate configuration.
    • A RADIUS server is installed on a server or FortiAuthenticator and uses default attributes.
    • BGP is used for any dynamic routing.
    • You have configured authentication event logging under Log & Report.

    Example.com has an office with 20 users on the internal network who need access to the Internet. The office network is protected by a FortiGate-60C with access to the Internet through the wan1 interface, the user network on the internal interface, and all servers are on the DMZ interface. This includes an Ubuntu sever running FreeRADIUS. This example configures two users:

    User

    Account

    Pat Lee

    plee@example.com

    Kelly Green

    kgreen@example.com

    Configuring this example consists of the following steps:

    1. Configure RADIUS.
    2. Configure FortiGate interfaces.
    3. Configure a RSSO agent.
    4. Create a RSSO user group.
    5. Configure security policies.
    6. Test the configuration.
    To configure RADIUS:

    Configuring RADIUS includes configuring a RADIUS server such as FreeRADIUS on user's computers and configuring users in the system. In this example, Pat and Kelly belong to the exampledotcom_employees group. After completing the configuration, you must start the RADIUS daemon. The users have a RADIUS client installed on their PCs that allow them to authenticate through the RADIUS server.

    For any problems installing FreeRADIUS, see the FreeRADIUS documentation.

    To configure FortiGate interfaces:

    You must define a DHCP server for the internal network, as this network type typically uses DHCP. The wan1 and dmz interfaces are assigned static IP addresses and do not need a DHCP server. The following table shows the FortiGate interfaces used in this example:

    Interface Subnet Act as DHCP server Devices
    wan1 172.20.120.141 No Internet service provider
    dmz 10.11.101.100 No Servers including RADIUS server
    internal 10.11.102.100 Yes: x.x.x.110-250 Internal user network
    1. Go to Network > Interfaces.
    2. Edit wan1:

      Alias

      Internet

      Addressing Mode

      Manual

      IP/Network Mask

      172.20.120.141/255.255.255.0

      Administrative Access

      HTTPS, SSH

      Enable DHCP Server

      Not selected

      Comments

      Internet

      Administrative Status

      Up

    3. Click OK.
    4. Edit dmz:

      Alias

      Servers

      Addressing Mode

      Manual

      IP/Network Mask

      10.11.101.100/255.255.255.0

      Administrative Access

      HTTPS, SSH, PING, SNMP

      Enable DHCP Server

      Not selected

      Listen for RADIUS Accounting Messages

      Select

      Comments

      Servers

      Administrative Status

      Up

    5. Click OK.
    6. Edit internal:

      Alias

      Internal network

      Addressing Mode

      Manual

      IP/Network Mask

      10.11.102.100/255.255.255.0

      Administrative Access

      HTTPS, SSH, PING

      Enable DHCP Server

      Select

      Address Range

      10.11.102.110 - 10.11.102.250

      Netmask

      255.255.255.0

      Default Gateway

      Same as Interface IP

      Comments

      Internal network

      Administrative Status

      Up

    To create a RADIUS SSO agent:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New.
    3. Under Endpoint/Identity, select RADIUS Single Sign-On Agent.
    4. Enable Use RADIUS Shared Secret. Enter the RADIUS server's shared secret.
    5. Enable Send RADIUS Responses. Click OK.
    To create a RADIUS SSO user group:
    1. Go to User & Authentication > User Groups.
    2. Click Create New.
    3. For Type, select RADIUS Single Sign-On (RSSO).
    4. In RADIUS Attribute Value, enter the name of the RADIUS user group that this local user group represents.
    5. Click OK.

    Configuring security policies

    The following security policies are required for RADIUS SSO:

    Sequence Number

    From

    To

    Type

    Schedule

    Description

    1

    internal

    wan1

    RADIUS SSO

    Business hours

    Authenticate outgoing user traffic

    2

    internal

    wan1

    Regular

    Always

    Allow essential network services and VoIP

    3

    dmz

    wan1

    Regular

    Always

    Allow servers to access the Internet

    4

    internal

    dmz

    Regular

    Always

    Allow users to access servers

    5

    any

    any

    Deny

    Always

    Implicit policy denying all traffic that has not been matched

    You must place the RADIUS SSO policy at the top of the policy list so that it is matched first. The only exception to this is if you have a policy to deny access to a list of banned users. In this case, you must put that policy at the top so that the RADIUS SSO does not mistakenly match a banned user or IP address.

    You must configure lists before creating security policies.

    Schedule

    You must configure a business_hours schedule. You can configure a standard Monday to Friday 8 AM to 5 PM schedule, or whatever days and hours covers standard work hours at the company.

    Address groups

    You must configure the following address groups:

    Name

    Interface

    Address range included

    internal_network

    internal

    10.11.102.110 to 10.11.102.250

    company_servers

    dmz

    10.11.101.110 to 10.11.101.250

    Service groups

    You must configure the service groups. The services listed are suggestions and you may include more or less as required:

    Name

    Interface

    Description of services to be included

    essential_network_services

    internal

    Any network protocols required for normal network operation such as DNS, NTP, BGP

    essential_server_services

    dmz

    All the protocols required by the company servers such as BGP, HTTP, HTTPS, FTP, IMAP, POP3, SMTP, IKE, SQL, MYSQL, NTP, TRACEROUTE, SOCKs, and SNMP

    user_services

    internal

    Any protocols required by users such as HTTP, HTTPS, FTP

    The following security policy configurations are basic and only include logging and default AV and IPS. These policies allow or deny access to non-RADIUS SSO traffic. These are essential as network services including DNS, NTP, and FortiGuard require access to the Internet.

    To configure security policies:
    1. Go to Policy & Objects > Firewall Policy.
    2. Click Create New.
    3. Configure the policy as follows, then click OK:

      Incoming Interface

      Internal

      Source Address

      internal_network

      Outgoing Interface

      wan1

      Destination Address

      all

      Schedule

      always

      Service

      essential_network_services

      Action

      ACCEPT

      NAT

      ON

      Security Profiles

      ON: AntiVirus, IPS

      Log Allowed Traffic

      ON

      Comments

      Essential network services

    4. Click Create New, and configure the new policy as follows, then click OK:

      Incoming Interface

      dmz

      Source Address

      company_servers

      Outgoing Interface

      wan1

      Destination Address

      all

      Schedule

      always

      Service

      essential_server_services

      Action

      ACCEPT

      NAT

      ON

      Security Profiles

      ON: AntiVirus, IPS

      Log Allowed Traffic

      enable

      Comments

      Company servers accessing the Internet

    5. Click Create New, and configure the new policy as follows, then click OK:

      Incoming Interface

      Internal

      Source Address

      internal_network

      Outgoing Interface

      dmz

      Destination Address

      company_servers

      Schedule

      always

      Service

      all

      Action

      ACCEPT

      NAT

      ON

      Security Profiles

      ON: AntiVirus, IPS

      Log Allowed Traffic

      enable

      Comments

      Access company servers

    6. Click Create New, and configure the RADIUS SSO policy as follows, then click OK. This policy allows access for members of specific RADIUS groups.

      Incoming Interface

      Internal

      Source Address

      internal_network

      Source User(s)

      Select the user groups that you created for RSSO.

      Outgoing Interface

      wan1

      Destination Address

      all

      Schedule

      business_hours

      Service

      ALL

      Action

      ACCEPT

      NAT

      ON

      Security Profiles

      ON: AntiVirus, Web Filter, IPS, and Email Filter. In each case, select the default profile.

    7. Place the RSSO policy higher in the security policy list than more general policies for the same interfaces. Click OK.
    To test the configuration:

    Once configured, a user only needs to log in to their PC using their RADIUS account. After that, when they attempt to access the Internet, the FortiGate uses their session information to get their RADIUS information. Once the user is verified, they can access the website.

    1. The user logs on to their PC and tries to access the Internet.
    2. The FortiGate contacts the RADIUS server for the user's information. Once confirmed, the user can access the Internet. Each step generates logs that enable you to verify that each step succeeded.
    3. If a step does not succeed, confirm that your configuration is correct.

    Previous
    Next