SSO using RADIUS accounting records
A FortiProxy unit can transparently authenticate users who have already authenticated on an external RADIUS server. Based on the user group to which the user belongs, the security policy applies the appropriate profiles. RADIUS SSO (RSSO) is relatively simple because the FortiProxy unit does not interact with the RADIUS server; it only monitors the RADIUS accounting records that the server forwards (originating from the RADIUS client). These records include the user's IP address and user group.
After the initial setup, changes to the user database, including changes to user group memberships, are made on the external RADIUS server, not on the FortiProxy unit.
The following are the general steps to implement RADIUS Single Sign-On:
- If necessary, configure your RADIUS server. The user database needs to include user group information and the server needs to send accounting messages.
- Create the FortiProxy RADIUS SSO agent.
- Define local user groups that map to RADIUS groups.
- Create an authentication scheme.
- Create an authentication rule.
- Create a security policy that specifies the user groups that are permitted access.
Step 1: Configure your RADIUS server
You need to allow RADIUS accounting traffic (radius-acct) on the interface that connects to the RADIUS server.
config system interface
edit port1
set allowaccess ping https ssh snmp http telnet radius-acct
end
Step 2: Create the FortiProxy RADIUS SSO agent
After you define a RADIUS SSO (RSSO) agent, the FortiProxy unit will accept user logon information from any RADIUS server that has the same shared secret.
For RADIUS SSO to work, the FortiProxy unit needs to know the user's endpoint identifier (usually IP address) and RADIUS user group. There are default RADIUS attributes where the FortiProxy unit expects this information, but you can change these attributes in the config user radius CLI command.
The endpoint block attribute (rsso-endpoint-block-attribute) can be used to block or allow a user.
You can set the following flags in the rsso-log-flags field to determine which types of RSSO-related events are logged:
- protocol-error: A RADIUS protocol error occurred.
- profile-missing: The FortiProxy unit cannot find a user group name in a RADIUS Start message that matches the name of an RSSO user group on the FortiProxy unit.
- accounting-stop-missed: A user context entry expired without the FortiProxy unit receiving a RADIUS Stop message.
- accounting-event: The FortiProxy unit did not find the expected information in a RADIUS record.
- endpoint-block: The FortiProxy unit blocked a user because the RADIUS record's endpoint block attribute had the value "Block".
- radiusd-other: Other events, described in the log message.
config user radius
edit "rsso_agent"
set timeout 5
set radius-coa disable
set h3c-compatibility disable
set username-case-sensitive disable
set password-renewal disable
set password-encoding auto
set rsso enable
set rsso-radius-server-port 1813
set rsso-radius-response enable
set rsso-validate-request-secret enable
set rsso-secret ENC hmIbfaxpWNCebo/+Fk1cOswB1LHNQqQONJNHlDbZIdQ9PaPOo/NvhNyYz/GjKMtAx9USsiznqj32tiHTrma2+NhiOQw1swfT0K/iROrpdu6QFXIXUpkMmbBR7tHZmtkOAexSXptI2nZtnhL2kZ1isRMmIsol3GNLLiuz2cn1JhQ7uT9EkipKyjHZdDvn56YJcIe4+Q==
set rsso-endpoint-attribute Calling-Station-Id
unset rsso-endpoint-block-attribute
set sso-attribute Class
set sso-attribute-key ''
set sso-attribute-value-override enable
set rsso-context-timeout 28800
set rsso-log-period 0
set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
set rsso-flush-ip-session disable
set rsso-ep-one-ip-only disable
next
end
Step 3: Define local user groups that map to RADIUS groups
You cannot use RADIUS user groups directly in security policies. Instead, you create locally defined user groups on the FortiProxy unit and associate each of them with a RADIUS user group.
This example creates an RSSO user group called RSSO-1 that is associated with the RADIUS user group student.
config user group
edit RSSO-1
set group-type rsso
set sso-attribute-value student
end
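The following Python program is an added example, not FortiProxy or Fortinet code, showing what the RSSO agent of Step 2 and the group mapping of Step 3 amount to on the wire. It builds constructed RADIUS Accounting-Request records (RFC 2866 format), verifies the Request Authenticator against the shared secret (the check that rsso-validate-request-secret turns on), reads the endpoint from Calling-Station-Id and the group from Class as the agent configuration above does, maps the Class value student to the local group RSSO-1, and reports events using the names the page lists under rsso-log-flags. The shared secret, IP addresses and the "staff" group value are constructed for the example; context-timeout expiry (accounting-stop-missed) is not modelled.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for this example; the page's rsso-secret is stored
# encrypted (ENC ...) and is not reproduced here.
SHARED_SECRET = b"example-rsso-secret"

# RADIUS code and attribute numbers from RFC 2865 / RFC 2866.
ACCT_REQUEST = 4
ATTR_CLASS = 25               # page: set sso-attribute Class
ATTR_CALLING_STATION_ID = 31  # page: set rsso-endpoint-attribute Calling-Station-Id
ATTR_ACCT_STATUS_TYPE = 40
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3

# Mirrors Step 3: RADIUS group value carried in Class -> local RSSO group name.
RSSO_GROUPS = {"student": "RSSO-1"}


def build_accounting_request(identifier, attrs, secret=SHARED_SECRET):
    """Sample-input helper (the RADIUS server, not the proxy, sends these).
    Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_attributes(body):
    """Walk the TLV attribute list; raise on truncated or malformed entries."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        a_type, a_len = body[i], body[i + 1]
        if a_len < 2 or i + a_len > len(body):
            raise ValueError("bad attribute length")
        attrs.append((a_type, body[i + 2:i + a_len]))
        i += a_len
    return attrs


def validate_request_authenticator(packet, secret=SHARED_SECRET):
    """The check rsso-validate-request-secret enables: recompute and compare."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def process_accounting_record(packet, contexts, secret=SHARED_SECRET,
                              endpoint_attr=ATTR_CALLING_STATION_ID,
                              sso_attr=ATTR_CLASS, block_attr=None):
    """Apply one record to `contexts` (endpoint -> local group), the proxy's user
    context table. Returns (event, detail); events reuse the rsso-log-flags names."""
    if len(packet) < 20 or packet[0] != ACCT_REQUEST:
        return "protocol-error", "not an Accounting-Request"
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "protocol-error", "length field does not match packet size"
    if not validate_request_authenticator(packet, secret):
        return "protocol-error", "request authenticator mismatch (shared secret?)"
    try:
        attrs = dict(parse_attributes(packet[20:]))  # last value wins on repeats
    except ValueError as err:
        return "protocol-error", str(err)
    status_raw, endpoint = attrs.get(ATTR_ACCT_STATUS_TYPE), attrs.get(endpoint_attr)
    if status_raw is None or len(status_raw) != 4 or endpoint is None:
        return "accounting-event", "missing Acct-Status-Type or endpoint attribute"
    status = struct.unpack("!I", status_raw)[0]
    endpoint = endpoint.decode("ascii", "replace")
    if status == STATUS_STOP:
        contexts.pop(endpoint, None)
        return "stop", endpoint
    if status not in (STATUS_START, STATUS_INTERIM):
        return "accounting-event", f"unhandled Acct-Status-Type {status}"
    if block_attr is not None and attrs.get(block_attr) == b"Block":
        contexts.pop(endpoint, None)
        return "endpoint-block", endpoint
    radius_group = attrs.get(sso_attr, b"").decode("ascii", "replace")
    local_group = RSSO_GROUPS.get(radius_group)
    if local_group is None:
        return "profile-missing", f"no RSSO group for Class value {radius_group!r}"
    contexts[endpoint] = local_group
    return "start", f"{endpoint} -> {local_group}"


def demo():
    """Constructed records: good Start, unmapped group, wrong secret, then Stop."""
    def record(ident, ip, status, group=b"student", secret=SHARED_SECRET):
        return build_accounting_request(ident, [
            (ATTR_CALLING_STATION_ID, ip), (ATTR_CLASS, group),
            (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))], secret)

    contexts, events = {}, []
    for pkt in (record(1, b"10.0.0.5", STATUS_START),
                record(2, b"10.0.0.6", STATUS_START, group=b"staff"),
                record(3, b"10.0.0.7", STATUS_START, secret=b"wrong-secret"),
                record(4, b"10.0.0.5", STATUS_STOP)):
        events.append(process_accounting_record(pkt, contexts))
    return events, contexts
```

Running demo() yields a start event for 10.0.0.5 mapped to RSSO-1, a profile-missing event for the unmapped "staff" group, a protocol-error for the record signed with the wrong secret, and a stop event that removes the 10.0.0.5 context again; the Stop record carries no Class attribute, which is why the group lookup is only done for Start and Interim-Update records.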
Step 4: Create an authentication scheme
config authentication scheme
edit "rsso"
set method rsso
next
end
Step 5: Create an authentication rule
config authentication rule
edit rsso_r1
set srcintf port1
set srcaddr all
set dstaddr all
set sso-auth-method rsso
end
Step 6: Create a security policy
RADIUS SSO uses regular identity-based security policies. The RSSO user group you specify determines which users are permitted to use the policy. You can create multiple policies if different user groups need different UTM features, permitted services, schedules, and so on.
config firewall policy
edit 3
set type explicit-web
set explicit-web-proxy "web-proxy"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "webproxy"
set groups "RSSO-1"
set utm-status enable
next
end