SSO using RADIUS accounting records

Creating security policies

RADIUS SSO uses regular identity-based security policies. The RSSO user group you specify determines which users are permitted to use the policy. You can create multiple policies if different user groups need different UTM features, permitted services, schedules, and so on.

 

To create a security policy for RSSO – web-based manager:

1. Go to Policy & Objects > Policy > IPv4.

2. Select Create New.

3. Enter the following information.

Incoming Interface                   as needed

Source Address                        as needed

Source User(s)                          Select the user groups you created for RSSO. See Defining local user groups for RADIUS SSO on page 598.

Outgoing Interface                   as needed

Destination Address                 all

Schedule                                    as needed

Service                                       as needed

Action                                         ACCEPT

Enable NAT                                 Selected

Security Profiles                       Select security profiles appropriate for the user group.

4. Select OK.

 

 

To ensure an RSSO-related policy is matched first, the policy should be placed higher in the security policy list than more general policies for the same interfaces.

5. Select OK.

 

To create a security policy for RSSO – CLI:

In this example, an internal network to Internet policy enables web access for members of a student group and activates the appropriate UTM profiles. Each set command is on its own line, and the entry is committed with next before end.

    config firewall policy
        edit 0
            set srcintf internal
            set dstintf wan1
            set srcaddr all
            set dstaddr "all"
            set action accept
            set rsso enable
            set groups "RSSO-student"
            set schedule always
            set service HTTP HTTPS
            set nat enable
            set utm-status enable
            set av-profile students
            set webfilter-profile students
            set spamfilter-profile students
            set dlp-sensor default
            set ips-sensor default
            set application-list students
            set profile-protocol-options "default"
        next
    end

 

 

Example: webfiltering for student and teacher accounts

The following example uses RADIUS SSO to apply web filtering to students, but not to teachers. Assume that the RADIUS server is already configured to send RADIUS Start and Stop records to the FortiGate unit. There are two RADIUS user groups, students and teachers, recorded in the default attribute Class. The workstations are connected to port1, port2 connects to the RADIUS server, and port3 connects to the Internet.

 

Configure the student web filter profile:

1. Go to Security Profiles > Web Filter and select Create New (the “+” button).

2. Enter the following and select OK.

Name                                           student

Inspection Mode                       Proxy

FortiGuard Categories             Enable. Right-click the Potentially Liable category and select Block. Repeat for Adult/Mature Content and Security Risk.

 

Create the RADIUS SSO agent:

1. Go to User & Device > Authentication > Single Sign-On and select Create New.

2. In Type, select RADIUS Single-Sign-On.

3. Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.

4. Select Send RADIUS Responses.

5. Select OK.

 

Define local user groups associated with the RADIUS SSO user groups:

1. Go to User & Device > User > User Groups and select Create New.

2. Enter the following and select OK.

Name                                           RSSO-students

Type                                            RADIUS Single Sign-On (RSSO)

RADIUS Attribute Value           students

3. Select Create New, enter the following and select OK.

Name                                           RSSO-teachers

Type                                            RADIUS Single Sign-On (RSSO)

RADIUS Attribute Value           teachers
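The agent and group steps above describe what the FortiGate does with each accounting record: check the Accounting-Request against the shared secret, answer it with an Accounting-Response, and map the Class attribute value (students, teachers) to a local RSSO group that the policies below can match. The following added example is not Fortinet code and not from this page; it is a minimal Python model of that processing, written against RFC 2866 packet formats, with a constructed shared secret, constructed user names and IP addresses, and the Class-to-group mapping defined above. It also shows two cases a defender cares about: a record signed with the wrong secret is dropped without touching the session table, and a Start record with no Class attribute logs the user on but gives them no group, so no RSSO policy will match them.

```python
import hashlib
import hmac
import ipaddress
import struct

# Packet codes and attribute types from RFC 2865 / RFC 2866.
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_CLASS, ATTR_ACCT_STATUS = 1, 8, 25, 40
STATUS_START, STATUS_STOP = 1, 2

# Constructed secret (hypothetical) and the Class value -> local group mapping from the page.
SHARED_SECRET = b"constructed-shared-secret"
GROUP_MAP = {b"students": "RSSO-students", b"teachers": "RSSO-teachers"}


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type, total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body):
    """Decode TLVs into {type: value}; any malformed length rejects the packet."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        typ, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs[typ] = body[i + 2:i + length]
        i += length
    return attrs


def build_acct_request(identifier, attrs, secret):
    """Accounting-Request; Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_acct_request(packet, secret):
    """Return the attribute dict if the authenticator matches the shared secret, else None."""
    if len(packet) < 20 or packet[0] != ACCT_REQUEST:
        return None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(auth, expected):
        return None
    try:
        return parse_attrs(body)
    except ValueError:
        return None


def build_acct_response(request, secret):
    """Accounting-Response (no attributes); authenticator = MD5(Code+ID+Length+RequestAuth+Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


class RssoSessionTable:
    """Source IP -> (user, local RSSO group), kept current from Start/Stop records."""

    def __init__(self, secret, group_map):
        self.secret, self.group_map, self.sessions = secret, group_map, {}

    def handle(self, packet):
        """Process one Accounting-Request; return the response to send, or None if dropped."""
        attrs = verify_acct_request(packet, self.secret)
        if attrs is None:
            return None  # wrong secret or malformed: no response, table untouched
        if all(a in attrs for a in (ATTR_FRAMED_IP, ATTR_ACCT_STATUS, ATTR_USER_NAME)):
            ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP]))
            status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS])[0]
            if status == STATUS_START:
                # Missing or unmapped Class value -> logged on, but member of no RSSO group.
                group = self.group_map.get(attrs.get(ATTR_CLASS))
                self.sessions[ip] = (attrs[ATTR_USER_NAME].decode(), group)
            elif status == STATUS_STOP:
                self.sessions.pop(ip, None)
        return build_acct_response(packet, self.secret)

    def group_for(self, ip):
        """Local group a policy's Source User(s) field would match for this source IP."""
        return self.sessions.get(ip, (None, None))[1]


def acct_attrs(user, ip, class_value=None, status=STATUS_START):
    """Attribute list for a constructed accounting record."""
    attrs = [(ATTR_USER_NAME, user), (ATTR_FRAMED_IP, ipaddress.IPv4Address(ip).packed),
             (ATTR_ACCT_STATUS, struct.pack("!I", status))]
    if class_value is not None:
        attrs.append((ATTR_CLASS, class_value))
    return attrs


def demo():
    """Constructed Start/Stop exchange for two workstations; returns what each step produced."""
    table, r = RssoSessionTable(SHARED_SECRET, GROUP_MAP), {}
    start = build_acct_request(1, acct_attrs(b"alice", "10.0.0.5", b"students"), SHARED_SECRET)
    r["start_answered"] = table.handle(start) is not None
    r["alice_group"] = table.group_for("10.0.0.5")
    forged = build_acct_request(2, acct_attrs(b"alice", "10.0.0.5", b"teachers"), b"wrong-secret")
    r["forged_dropped"] = table.handle(forged) is None and r["alice_group"] == table.group_for("10.0.0.5")
    table.handle(build_acct_request(3, acct_attrs(b"bob", "10.0.0.6"), SHARED_SECRET))
    r["bob_group"] = table.group_for("10.0.0.6")
    table.handle(build_acct_request(4, acct_attrs(b"alice", "10.0.0.5", b"students", STATUS_STOP), SHARED_SECRET))
    r["alice_after_stop"] = table.group_for("10.0.0.5")
    return r
```

When no users appear in the firewall user monitor, the two checks this model makes are the ones to confirm first: the Request Authenticator only verifies if the sender was configured with the same shared secret the agent holds, and a user only joins a local group if the accounting record actually carries a Class attribute whose value matches a group's RADIUS Attribute Value.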

 

Create a security policy for students:

1. Go to Policy & Objects > Policy > IPv4 and select Create New.

2. Enter the following.

Incoming Interface                   port1

Source Address                        all

Source User(s)                          RSSO-students

Source Device Type                 All

Outgoing Interface                   port3

Destination Address                 all

Schedule                                    always

Service                                       HTTP, HTTPS

Action                                         ACCEPT

NAT                                             ON

Security Profiles                       Enable AntiVirus, Web Filter, IPS. In Web Filter, select the student profile.

3. Select OK.

 

 

Create a security policy for teachers:

1. Go to Policy & Objects > Policy > IPv4 and select Create New.

2. Enter the following.

Incoming Interface                   port2

Source Address                        all

Source User(s)                          RSSO-teachers

Source Device Type                 All

Outgoing Interface                   port3

Destination Address                 all

Schedule                                    always

Service                                       ALL

Action                                         ACCEPT

NAT                                             ON

Security Profiles                       Enable AntiVirus and IPS.

3. Select OK.

 

2 thoughts on “SSO using RADIUS accounting records”

  1. pj

    I seem to be having so much trouble getting this working. My wireless array (Xirrus) is configured to send accounting messages to my NAP server which is configured to forward accounting messages to the Fortigate. I’ve enabled packet sniffing on port 1813 and can see Accounting-Request packets being sent from the NAP server to Fortigate (although without the additional Class AVP I set) yet no users are listed under Firewall User Monitor. Really not sure how to proceed with this!

  2. Tom

    The below option is not available on FortiOS 5.6.* How do I enable “Listen for Radius Accounting messages” on FortiOS 5.6.* Thanks!

    To enable RADIUS access on the interface – web-based manager:

    1. Go to System > Network > Interfaces and edit the interface to which the RADIUS server connected.

    2. Select Listen for RADIUS Accounting Messages.

    3. Select OK.
