RADIUS SSO example
A common RADIUS SSO topology involves a medium-sized company network of users connecting to the Internet through the FortiGate unit and authenticating with a RADIUS server. RADIUS SSO authentication was selected because it is fast and relatively easy to configure.
This section includes:
- Assumptions
- Topology
- Configuring RADIUS
- Configuring FortiGate regular and RADIUS SSO security policies
- Testing
Assumptions
- VDOMs are not enabled
- The admin super_admin administrator account will be used for all FortiGate unit configuration.
- Any other devices on the network do not affect the topology of this example, and therefore are not included.
- Wherever settings are not described, they are assumed to be default values.
- A RADIUS server is installed on a server or FortiAuthenticator unit and uses default attributes.
- BGP is used for any dynamic routing.
- Authentication event logging under Log&Report has been configured.
Topology
Example.com has an office with 20 users on the internal network. These users need access to the Internet to do their jobs. The office network is protected by a FortiGate-60C unit with access to the Internet through the wan1 interface, the user network on the internal interface, and all the servers are on the DMZ interface. This includes an Ubuntu Linux server running FreeRADIUS. For this example only two users will be configured — Pat Lee with an account name plee, or plee@example.com, and Kelly Green with an account name kgreen, or kgreen@example.com.
RADIUS SSO topology
Configuring RADIUS
Configuring RADIUS includes configuring the RADIUS server such as FreeRADIUS, a RADIUS client on the users' computers, and configuring users in the system. For this example the two users will be Pat Lee and Kelly Green. They belong to a group called exampledotcom_employees. When it is all configured, the RADIUS daemon needs to be started.
The users have a RADIUS client installed on their PCs that allows them to authenticate through the RADIUS server.
FreeRADIUS can be found on the freeradius.org website. For any problems installing FreeRADIUS, see the FreeRADIUS documentation.
Configuring FortiGate interfaces
Before configuring the RADIUS SSO security policy, configure FortiGate interfaces. This includes defining a DHCP server for the internal network as this type of network typically uses DHCP. The wan1 and dmz interfaces are assigned static IP addresses and do not need a DHCP server.
FortiGate interfaces used in this example
Interface | Subnet | Act as DHCP Server | Devices |
wan1 | 172.20.120.141 | No | Internet Service Provider |
dmz | 10.11.101.100 | No | Servers, including RADIUS server |
internal | 10.11.102.100 | Yes: 10.11.102.110 to 10.11.102.250 | Internal user network |
To configure FortiGate interfaces – web-based manager:
- Go to Network > Interfaces.
- Select wan1 to edit.
- Enter the following information and select OK.
Alias | Internet |
Addressing Mode | Manual |
IP/Network Mask | 172.20.120.141/255.255.255.0 |
Administrative Access | HTTPS, SSH |
Enable DHCP Server | Not selected |
Comments | Internet |
Administrative Status | Up |
- Select dmz to edit.
- Enter the following information and select OK.
Alias | Servers |
Addressing Mode | Manual |
IP/Network Mask | 10.11.101.100/255.255.255.0 |
Administrative Access | HTTPS, SSH, PING, SNMP |
Enable DHCP Server | Not selected |
Listen for RADIUS Accounting Messages | Select |
Comments | Servers |
Administrative Status | Up |
- Select internal to edit.
- Enter the following information and select OK.
Alias | Internal network |
Addressing Mode | Manual |
IP/Network Mask | 10.11.102.100/255.255.255.0 |
Administrative Access | HTTPS, SSH, PING |
Enable DHCP Server | Select |
Address Range | 10.11.102.110 – 10.11.102.250 |
Netmask | 255.255.255.0 |
Default Gateway | Same as Interface IP |
DNS Server | Same as System DNS |
Comments | Internal network |
Administrative Status | Up |
Configuring a RADIUS SSO Agent on the FortiGate unit
To create a RADIUS SSO agent:
- Go to User & Device > Single Sign-On and select Create New.
- In Type, select RADIUS Single-Sign-On Agent.
- Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.
- Select Send RADIUS Responses.
- Select OK.
The Single Sign-On agent is named RSSO_Agent.
Creating a RADIUS SSO user group
To define a local user group for RADIUS SSO:
- Go to User & Device > User Groups and select Create New.
- Enter a Name for the user group.
- In Type, select RADIUS Single Sign-On (RSSO).
- In RADIUS Attribute Value, enter the name of the RADIUS user group this local user group represents.
- Select OK.
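The two procedures above (the RSSO agent with its shared secret and "Send RADIUS Responses", and the user group keyed on a RADIUS attribute value) describe how the FortiGate learns which user is logged on at which IP address: the RADIUS server sends accounting messages to the dmz interface, the agent checks them against the shared secret, and a group attribute in the message selects the local RSSO group. The following Python script is an added illustration of that exchange and is not FortiGate or FreeRADIUS code. It builds a constructed Accounting-Request for user plee, validates its Request Authenticator with the shared secret as RFC 2866 requires before the message is trusted, maps the Class attribute to a local group, and builds the Accounting-Response the agent returns. The shared secret, the local group name rsso_employees, the address 10.11.102.115, the session id, and the use of the Class attribute as the group attribute are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed placeholder for this example; the real value is whatever was
# entered under "Use RADIUS Shared Secret" and in the FreeRADIUS client config.
SHARED_SECRET = b"example-shared-secret"

# RADIUS codes and attribute types (RFC 2865 / RFC 2866).
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_CLASS = 1, 8, 25
ATTR_ACCT_STATUS, ATTR_ACCT_SESSION_ID = 40, 44
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

# RADIUS group attribute value -> local RSSO user group, i.e. the
# "RADIUS Attribute Value" of the user-group step. Local name is assumed.
RSSO_GROUPS = {b"exampledotcom_employees": "rsso_employees"}


def tlv(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier, username, ip, status, group,
                             secret=SHARED_SECRET, session_id=b"0001"):
    """What the RADIUS server sends the FortiGate. The Request Authenticator is
    MD5(Code+Identifier+Length || 16 zero bytes || attributes || shared secret)."""
    attrs = (tlv(ATTR_ACCT_STATUS, struct.pack("!I", status))
             + tlv(ATTR_USER_NAME, username.encode())
             + tlv(ATTR_FRAMED_IP, ipaddress.IPv4Address(ip).packed)
             + tlv(ATTR_CLASS, group)
             + tlv(ATTR_ACCT_SESSION_ID, session_id))
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(data):
    """Walk the TLV attribute list, rejecting malformed lengths."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def process_accounting_request(packet, secret=SHARED_SECRET):
    """What the RSSO agent does on receipt: verify the authenticator with the
    shared secret, extract user/IP/group, and build the Accounting-Response
    (sent only when "Send RADIUS Responses" is selected). Raises ValueError
    for anything that should be dropped without a reply."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    header, req_auth, attr_bytes = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + bytes(16) + attr_bytes + secret).digest()
    if not hmac.compare_digest(expected, req_auth):
        raise ValueError("bad Request Authenticator: wrong secret or altered packet")
    attrs = parse_attributes(attr_bytes)
    for required in (ATTR_ACCT_STATUS, ATTR_USER_NAME, ATTR_FRAMED_IP):
        if required not in attrs:
            raise ValueError("missing attribute %d" % required)
    status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS])[0]
    session = {
        "user": attrs[ATTR_USER_NAME].decode(),
        "ip": str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP])),
        "status": STATUS_NAMES.get(status, "Unknown"),
        # None means "logged on but in no RSSO group": no RSSO policy matches.
        "group": RSSO_GROUPS.get(attrs.get(ATTR_CLASS)),
    }
    # Response Authenticator = MD5(Code+ID+Length || RequestAuth || attrs || secret).
    resp_header = struct.pack("!BBH", ACCT_RESPONSE, identifier, 20)
    resp_auth = hashlib.md5(resp_header + req_auth + secret).digest()
    return session, resp_header + resp_auth


def verify_accounting_response(request, response, secret=SHARED_SECRET):
    """Server-side check of the FortiGate's reply against the original request."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    pkt = build_accounting_request(7, "plee", "10.11.102.115", 1, b"exampledotcom_employees")
    session, reply = process_accounting_request(pkt)
    print(session, verify_accounting_response(pkt, reply))
```

The authenticator check is why the shared secret matters: an accounting message that does not verify is dropped rather than turned into a logon, so the secret should be long and random and the "Listen for RADIUS Accounting Messages" interface should only be reachable from the RADIUS server on the dmz. A Stop message for the same user and IP is what removes the session, which is why FreeRADIUS must send both Start and Stop.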
Configuring FortiGate regular and RADIUS SSO security policies
With the RADIUS server and FortiGate interfaces configured, security policies can be configured. This includes both RADIUS SSO and regular policies, as well as addresses and address groups. All policies require NAT to be enabled.
Security policies required for RADIUS SSO
Seq. No. | From -> To | Type | Schedule | Description |
1 | internal -> wan1 | RADIUS SSO | business hours | Authenticate outgoing user traffic. |
2 | internal -> wan1 | regular | always | Allow essential network services and VoIP. |
3 | dmz -> wan1 | regular | always | Allow servers to access Internet. |
4 | internal -> dmz | regular | always | Allow users to access servers. |
5 | any -> any | deny | always | Implicit policy denying all traffic that hasn't been matched. |
The RADIUS SSO policy must be placed at the top of the policy list so it is matched first. The only exception to this is if you have a policy to deny access to a list of banned users. In this case, that policy must go at the top so the RADIUS SSO does not mistakenly match a banned user or IP address.
This section includes:
- Schedules, address groups, and services groups
- Configuring regular security policies
- Configuring RADIUS SSO security policy
Schedules, address groups, and services groups
This section lists the objects that need to be configured before security policies are created. Creating them is straightforward, so the essential information is provided here rather than step-by-step instructions. For more information on firewall related details, see
Schedules
Only one schedule needs to be configured — business_hours. This is a fairly standard Monday to Friday 8am to 5pm schedule, or whatever days and hours covers standard work hours at the company.
Address groups
The following address groups need to be configured before the security policies.
Address Group Name | Interface | Address range included |
internal_network | internal | 10.11.102.110 to 10.11.102.250 |
company_servers | dmz | 10.11.101.110 to 10.11.101.250 |
Service groups
The following service groups need to be configured before the security policies. Note that the services listed are suggestions and may include more or less as required.
Service Group Name | Interface | Description of services to be included |
essential_network_services | internal | Any network protocols required for normal network operation such as DNS, NTP, BGP. |
essential_server_services | dmz | All the protocols required by the company servers such as BGP, HTTP, HTTPS, FTP, IMAP, POP3, SMTP, IKE, SQL, MYSQL, NTP, TRACEROUTE, SOCKs, and SNMP. |
user_services | internal | Any protocols required by users HTTP, HTTP, FTP, |
The following security policy configurations are basic and only include logging, and default AV and IPS.
Configuring regular security policies
Regular security policies allow or deny access for non-RADIUS SSO traffic. This is essential as there are network services—such as DNS, NTP, and FortiGuard—that require access to the Internet.
To configure regular security policies – web-based manager:
- Go to Policy & Objects > IPv4 Policy, and select Create New.
- Enter the following information, and select OK.
Incoming Interface | Internal |
Source Address | internal_network |
Outgoing Interface | wan1 |
Destination Address | all |
Schedule | always |
Service | essential_network_services |
Action | ACCEPT |
NAT | ON |
Security Profiles | ON: AntiVirus, IPS |
Log Allowed Traffic | ON |
Comments | Essential network services |
- Select Create New, enter the following information, and select OK.
Incoming Interface | dmz |
Source Address | company_servers |
Outgoing Interface | wan1 |
Destination Address | all |
Schedule | always |
Service | essential_server_services |
Action | ACCEPT |
NAT | ON |
Security Profiles | ON: AntiVirus, IPS |
Log Allowed Traffic | enable |
Comments | Company servers accessing the Internet |
- Select Create New, enter the following information, and select OK.
Incoming Interface | Internal |
Source Address | internal_network |
Outgoing Interface | dmz |
Destination Address | company_servers |
Schedule | always |
Service | all |
Action | ACCEPT |
NAT | ON |
Security Profiles | ON: AntiVirus, IPS |
Log Allowed Traffic | enable |
Comments | Access company servers |
Configuring RADIUS SSO security policy
The RADIUS SSO policy allows access for members of specific RADIUS groups.
To configure RADIUS SSO security policy:
- Go to Policy & Objects > IPv4 Policy.
- Select Create New.
- Enter the following information:
Incoming Interface | Internal |
Source Address | internal_network |
Source User(s) | Select the user groups you created for RSSO. |
Outgoing Interface | wan1 |
Destination Address | all |
Schedule | business_hours |
Service | ALL |
Action | ACCEPT |
NAT | ON |
Security Profiles | ON: AntiVirus, WebFilter, IPS, and Email Filter. In each case, select the default profile. |
- Select OK.
- To ensure an RSSO-related policy is matched first, the policy should be placed higher in the security policy list than more general policies for the same interfaces.
- Select OK.
Testing
Once configured, a user only needs to log on to their PC using their RADIUS account. After that, when they attempt to access an Internet website, the FortiGate unit uses their session information to retrieve their RADIUS information. Once the user is verified, they are allowed access to the website.
To test the configuration perform the following steps:
- Have user 'plee' log on to their PC, and try to access an Internet website.
- The FortiGate unit will contact the RADIUS server for user plee's information. Once confirmed, plee will have access to the website.
Each step generates log entries that enable you to verify that each step was successful.
- If a step is unsuccessful, confirm that your configuration is correct.
Troubleshooting
RADIUS SSO test