RSSO information and RADIUS attribute defaults
RSSO Information | RADIUS Attribute | CLI field
Endpoint identifier | Calling-Station-ID | rsso-endpoint-attribute
Endpoint block attribute | Called-Station-ID | rsso-endpoint-block-attribute
User group | Class | sso-attribute
The CLI field in each row names the RADIUS attribute that FortiOS reads for that item; the attributes shown are the defaults. The Endpoint block attribute can be used to block or allow a user: if the RADIUS attribute named in rsso-endpoint-block-attribute carries a value indicating Block, FortiOS blocks all traffic from that user’s IP address; otherwise the traffic is allowed. The RSSO fields are visible only when rsso is set to enable.
Configuring logging for RSSO
In the config user radius CLI command, you can set the following flags in the rsso-log-flags field to determine which types of RSSO-related events are logged:
- protocol-error — A RADIUS protocol error occurred.
- profile-missing — FortiOS cannot find a user group name in a RADIUS start message that matches the name of an RSSO user group in FortiOS.
- accounting-stop-missed — A user context entry expired without FortiOS receiving a RADIUS Stop message.
- accounting-event — FortiOS did not find the expected information in a RADIUS record.
- endpoint-block — FortiOS blocked a user because the RADIUS record’s endpoint block attribute had the value “Block”.
- radiusd-other — Other events, described in the log message.
Defining local user groups for RADIUS SSO
You cannot use RADIUS user groups directly in security policies. Instead, you create locally-defined user groups on the FortiGate unit and associate each of them with a RADIUS user group.
To define local user groups for RADIUS SSO:
1. Go to User & Device > User > User Groups and select Create New.
2. Enter a Name for the user group.
3. In Type, select RADIUS Single Sign-On (RSSO).
4. In RADIUS Attribute Value, enter the name of the RADIUS user group this local user group represents.
5. Select OK.
To define local user groups for RADIUS SSO - CLI:
This example creates an RSSO user group called RSSO-1 that is associated with the RADIUS user group “student”.
config user group
    edit RSSO-1
        set group-type rsso
        set sso-attribute-value student
end
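The attribute mapping in the table, the conditions behind the rsso-log-flags list, and the RSSO-1 group above can be exercised offline with the following added example. It is not FortiOS code and is not from the original page: a small Python script that builds RFC 2866 Accounting-Request packets carrying the default attributes (Calling-Station-Id, Called-Station-Id, Class), verifies the Request Authenticator, and applies the mapping the way the text describes. The shared secret, MAC address, IP address and the RSSO_GROUPS dictionary are constructed test values, and the rsso_decision function with its returned flag names only illustrates the documented behaviour; it is not how FortiOS itself is implemented.

```python
"""Added example: build and decode RFC 2866 Accounting-Request packets and apply
the RSSO attribute mapping described in the text. Constructed data; not FortiOS code."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS packet code and attribute types (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
FRAMED_IP_ADDRESS = 8
CLASS = 25                 # default sso-attribute (user group)
CALLED_STATION_ID = 30     # default rsso-endpoint-block-attribute
CALLING_STATION_ID = 31    # default rsso-endpoint-attribute
ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP = 1, 2

# Constructed stand-in for "set sso-attribute-value student" on group RSSO-1.
RSSO_GROUPS = {"student": "RSSO-1"}


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (type, value) pairs as RADIUS TLVs; length covers type+len+value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value longer than 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_acct_request(identifier: int, secret: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Accounting-Request whose Request Authenticator is, per RFC 2866,
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_acct_request(pkt: bytes, secret: bytes) -> bool:
    """True only for a well-formed Accounting-Request authenticated with secret."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def parse_attrs(pkt: bytes) -> Dict[int, List[bytes]]:
    """Walk the TLVs after the 20-byte header, rejecting truncated attributes."""
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        attrs.setdefault(attr_type, []).append(pkt[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def rsso_decision(pkt: bytes, secret: bytes,
                  groups: Dict[str, str] = RSSO_GROUPS) -> Tuple[List[str], Optional[dict]]:
    """Apply the table's mapping to one record. Returns (log_flags, context);
    flag names follow the rsso-log-flags list, the logic is illustrative only."""
    if not verify_acct_request(pkt, secret):
        return ["protocol-error"], None
    attrs = parse_attrs(pkt)

    def text(attr_type: int) -> Optional[str]:
        return attrs[attr_type][0].decode("ascii", "replace") if attr_type in attrs else None

    status_raw = attrs.get(ACCT_STATUS_TYPE, [b""])[0]
    status = struct.unpack("!I", status_raw)[0] if len(status_raw) == 4 else None
    ip_raw = attrs.get(FRAMED_IP_ADDRESS, [b""])[0]
    ip = ".".join(str(b) for b in ip_raw) if len(ip_raw) == 4 else None
    endpoint = text(CALLING_STATION_ID)
    if status is None or ip is None or endpoint is None:
        return ["accounting-event"], None       # record lacks the expected fields

    context = {"endpoint": endpoint, "ip": ip, "group": None, "blocked": False,
               "status": "Start" if status == ACCT_START else "Stop"}
    flags: List[str] = []
    if text(CALLED_STATION_ID) == "Block":
        flags.append("endpoint-block")          # all traffic from this IP is blocked
        context["blocked"] = True
    elif status == ACCT_START:
        group_value = text(CLASS)
        if group_value in groups:
            context["group"] = groups[group_value]
        else:
            flags.append("profile-missing")     # no RSSO group matches the Class value
    return flags, context


# Constructed sample records: shared secret, MAC and IP are test values.
SECRET = b"testing123"
_COMMON = [(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
           (FRAMED_IP_ADDRESS, bytes([10, 1, 1, 25])),
           (CALLING_STATION_ID, b"00-11-22-33-44-55")]
GOOD_START = build_acct_request(1, SECRET, _COMMON + [(CLASS, b"student")])
NO_CLASS_START = build_acct_request(2, SECRET, _COMMON)
BLOCKED_START = build_acct_request(3, SECRET, _COMMON + [(CLASS, b"student"),
                                                          (CALLED_STATION_ID, b"Block")])

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_START), ("no-class", NO_CLASS_START), ("blocked", BLOCKED_START)]:
        print(name, rsso_decision(pkt, SECRET))
```

The second sample record carries no Class attribute, so it maps to no RSSO group and produces the profile-missing condition; the third carries the value Block in the endpoint block attribute and is blocked regardless of its Class value. A record authenticated with the wrong shared secret is rejected before any attribute is read, which is the first thing to check when accounting packets arrive but no user appears.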
I seem to be having so much trouble getting this working. My wireless array (Xirrus) is configured to send accounting messages to my NAP server, which is configured to forward accounting messages to the FortiGate. I’ve enabled packet sniffing on port 1813 and can see Accounting-Request packets being sent from the NAP server to the FortiGate (although without the additional Class AVP I set), yet no users are listed under Firewall User Monitor. Really not sure how to proceed with this!
The option below is not available on FortiOS 5.6.*. How do I enable “Listen for RADIUS Accounting Messages” on FortiOS 5.6.*? Thanks!
To enable RADIUS access on the interface – web-based manager:
1. Go to System > Network > Interfaces and edit the interface to which the RADIUS server is connected.
2. Select Listen for RADIUS Accounting Messages.
3. Select OK.
In the CLI, the equivalent is to include radius-acct in the allowaccess list of that interface under config system interface. Without this setting the FortiGate does not accept accounting packets on the interface, so no RSSO user contexts are created even though the packets arrive.