Examples and Troubleshooting

RADIUS SSO example

A common RADIUS SSO topology involves a medium-sized company network of users connecting to the Internet through the FortiGate unit and authenticating with a RADIUS server. RADIUS SSO authentication was selected because it is fast and relatively easy to configure.

This section includes:

  • Assumptions
  • Topology
  • Configuring RADIUS
  • Configuring FortiGate regular and RADIUS SSO security policies
  • Testing

Assumptions

  • VDOMs are not enabled
  • The admin super_admin administrator account will be used for all FortiGate unit configuration.
  • Any other devices on the network do not affect the topology of this example, and therefore are not included.
  • Where settings are not described, they are assumed to be default values.
  • A RADIUS server is installed on a server or FortiAuthenticator unit and uses default attributes.
  • BGP is used for any dynamic routing.
  • Authentication event logging under Log&Report has been configured.

Topology

Example.com has an office with 20 users on the internal network. These users need access to the Internet to do their jobs. The office network is protected by a FortiGate-60C unit with access to the Internet through the wan1 interface, the user network on the internal interface, and all the servers are on the DMZ interface. This includes an Ubuntu Linux server running FreeRADIUS. For this example only two users will be configured — Pat Lee with an account name plee, or plee@example.com, and Kelly Green with an account name kgreen, or kgreen@example.com.

RADIUS SSO topology

Configuring RADIUS

Configuring RADIUS includes configuring the RADIUS server (such as FreeRADIUS), a RADIUS client on the users' computers, and the users in the system. For this example the two users will be Pat Lee and Kelly Green. They belong to a group called exampledotcom_employees. When it is all configured, the RADIUS daemon needs to be started.

The users have a RADIUS client installed on their PCs that allows them to authenticate through the RADIUS server.

FreeRADIUS can be found on the freeradius.org website. For any problems installing FreeRADIUS, see the FreeRADIUS documentation.

Configuring FortiGate interfaces

Before configuring the RADIUS SSO security policy, configure FortiGate interfaces. This includes defining a DHCP server for the internal network as this type of network typically uses DHCP. The wan1 and dmz interfaces are assigned static IP addresses and do not need a DHCP server.

FortiGate interfaces used in this example

Interface | Subnet         | Acts as DHCP server          | Devices
wan1      | 172.20.120.141 | No                           | Internet Service Provider
dmz       | 10.11.101.100  | No                           | Servers, including RADIUS server
internal  | 10.11.102.100  | Yes: x.x.x.110 to x.x.x.250  | Internal user network

To configure FortiGate interfaces – web-based manager:

  1. Go to Network > Interfaces.
  2. Select wan1 to edit.
  3. Enter the following information and select OK.
     Alias: Internet
     Addressing Mode: Manual
     IP/Network Mask: 172.20.120.141/255.255.255.0
     Administrative Access: HTTPS, SSH
     Enable DHCP Server: Not selected
     Comments: Internet
     Administrative Status: Up
  4. Select dmz to edit.
  5. Enter the following information and select OK.
     Alias: Servers
     Addressing Mode: Manual
     IP/Network Mask: 10.11.101.100/255.255.255.0
     Administrative Access: HTTPS, SSH, PING, SNMP
     Enable DHCP Server: Not selected
     Listen for RADIUS Accounting Messages: Select
     Comments: Servers
     Administrative Status: Up
  6. Select internal to edit.
  7. Enter the following information and select OK.
     Alias: Internal network
     Addressing Mode: Manual
     IP/Network Mask: 10.11.102.100/255.255.255.0
     Administrative Access: HTTPS, SSH, PING
     Enable DHCP Server: Select
     Address Range: 10.11.102.110 – 10.11.102.250
     Netmask: 255.255.255.0
     Default Gateway: Same as Interface IP
     DNS Server: Same as System DNS
     Comments: Internal network
     Administrative Status: Up

Configuring a RADIUS SSO Agent on the FortiGate unit

To create a RADIUS SSO agent:

  1. Go to User & Device > Single Sign-On and select Create New.
  2. In Type, select RADIUS Single-Sign-On Agent.
  3. Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.
  4. Select Send RADIUS Responses.
  5. Select OK.

The Single Sign-On agent is named RSSO_Agent.

Creating a RADIUS SSO user group

To define a local user group for RADIUS SSO:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the user group.
  3. In Type, select RADIUS Single Sign-On (RSSO).
  4. In RADIUS Attribute Value, enter the name of the RADIUS user group this local user group represents.
  5. Select OK.
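What the agent and user group configured in the two procedures above actually rely on, as an added Python example that is not part of this guide or of FortiOS: the RADIUS server's accounting messages are authenticated with the shared secret (the RFC 2866 Request Authenticator), and an Accounting-Start maps the user's Framed-IP-Address to the group name that the user group's RADIUS Attribute Value is compared against. It assumes the group name travels in the Class attribute; the user plee, the address 10.11.102.115 and the secret are constructed sample values.

```python
import hashlib
import struct

ACCT_REQUEST = 4                                         # RADIUS packet code: Accounting-Request
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS = 1, 8, 25, 40  # attribute types (RFC 2865 / RFC 2866)
ACCT_START, ACCT_STOP = 1, 2                             # Acct-Status-Type values

def build_acct_request(ident, secret, user, ip, group, status):
    """Constructed sample message, as a NAS would send it to the accounting listener."""
    attrs = [(USER_NAME, user.encode()),
             (FRAMED_IP, bytes(int(o) for o in ip.split("."))),
             (CLASS, group.encode()),                    # assumed: group name carried in Class
             (ACCT_STATUS, struct.pack("!I", status))]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # RFC 2866 Request Authenticator: MD5 over the packet with a zeroed authenticator, then the secret
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_acct_request(pkt, secret):
    """Return the accounting fields as a dict, or None if malformed or the shared-secret check fails."""
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    header, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    if hashlib.md5(header + bytes(16) + body + secret).digest() != auth:
        return None                                      # wrong secret or tampered packet: discard
    fields, i = {}, 0
    while i + 2 <= len(body):
        t, ln = body[i], body[i + 1]
        if ln < 2 or i + ln > len(body):
            return None                                  # bogus attribute length
        v, i = body[i + 2:i + ln], i + ln
        if t in (USER_NAME, CLASS):
            fields["user" if t == USER_NAME else "group"] = v.decode("utf-8", "replace")
        elif t == FRAMED_IP and len(v) == 4:
            fields["ip"] = ".".join(str(b) for b in v)
        elif t == ACCT_STATUS and len(v) == 4:
            fields["status"] = struct.unpack("!I", v)[0]
    return fields

def update_sessions(sessions, pkt, secret):
    """Apply one accounting message to the IP -> (user, group) map the RSSO agent keeps."""
    f = parse_acct_request(pkt, secret)
    if f is None:
        return False
    if f.get("status") == ACCT_START and {"user", "ip", "group"} <= set(f):
        sessions[f["ip"]] = (f["user"], f["group"])      # logon: policies can now match on the group
    elif f.get("status") == ACCT_STOP and "ip" in f:
        sessions.pop(f["ip"], None)                      # logoff: unmap the address
    return True
```

A message built with a different secret, or altered in transit, is dropped before it can change the map, which is why the agent's shared secret must match the server's.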

Configuring FortiGate regular and RADIUS SSO security policies

With the RADIUS server and FortiGate interfaces configured, security policies can be configured. This includes both RADIUS SSO and regular policies, as well as addresses and address groups. All policies require NAT to be enabled.

Security policies required for RADIUS SSO

Seq. No. | From -> To       | Type       | Schedule       | Description
1        | internal -> wan1 | RADIUS SSO | business hours | Authenticate outgoing user traffic.
2        | internal -> wan1 | regular    | always         | Allow essential network services and VoIP.
3        | dmz -> wan1      | regular    | always         | Allow servers to access Internet.
4        | internal -> dmz  | regular    | always         | Allow users to access servers.
5        | any -> any       | deny       | always         | Implicit policy denying all traffic that hasn't been matched.

The RADIUS SSO policy must be placed at the top of the policy list so it is matched first. The only exception to this is if you have a policy to deny access to a list of banned users. In this case, that policy must go at the top so the RADIUS SSO does not mistakenly match a banned user or IP address.

This section includes:

  • Schedules, address groups, and services groups
  • Configuring regular security policies
  • Configuring RADIUS SSO security policy

Schedules, address groups, and services groups

This section lists the objects that need to be configured before security policies are created. Creating them is straightforward, so the essential information is provided here rather than step-by-step instructions. For more information on firewall related details, see

Schedules

Only one schedule needs to be configured — business_hours. This is a fairly standard Monday to Friday 8am to 5pm schedule, or whatever days and hours cover standard work hours at the company.

Address groups

The following address groups need to be configured before the security policies.

Address Group Name | Interface | Address range included
internal_network   | internal  | 10.11.102.110 to 10.11.102.250
company_servers    | dmz       | 10.11.101.110 to 10.11.101.250

Service groups

The following service groups need to be configured before the security policies. Note that the services listed are suggestions and may include more or less as required.

Service Group Name         | Interface | Description of services to be included
essential_network_services | internal  | Any network protocols required for normal network operation, such as DNS, NTP, BGP.
essential_server_services  | dmz       | All the protocols required by the company servers, such as BGP, HTTP, HTTPS, FTP, IMAP, POP3, SMTP, IKE, SQL, MYSQL, NTP, TRACEROUTE, SOCKS, and SNMP.
user_services              | internal  | Any protocols required by users HTTP, HTTP, FTP,

The following security policy configurations are basic and only include logging, and default AV and IPS.

Configuring regular security policies

Regular security policies allow or deny access for non-RADIUS SSO traffic. This is essential as there are network services—such as DNS, NTP, and FortiGuard—that require access to the Internet.

To configure regular security policies – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy, and select Create New.
  2. Enter the following information, and select OK.
     Incoming Interface: Internal
     Source Address: internal_network
     Outgoing Interface: wan1
     Destination Address: all
     Schedule: always
     Service: essential_network_services
     Action: ACCEPT
     NAT: ON
     Security Profiles: ON: AntiVirus, IPS
     Log Allowed Traffic: ON
     Comments: Essential network services
  3. Select Create New, enter the following information, and select OK.
     Incoming Interface: dmz
     Source Address: company_servers
     Outgoing Interface: wan1
     Destination Address: all
     Schedule: always
     Service: essential_server_services
     Action: ACCEPT
     NAT: ON
     Security Profiles: ON: AntiVirus, IPS
     Log Allowed Traffic: enable
     Comments: Company servers accessing the Internet
  4. Select Create New, enter the following information, and select OK.
     Incoming Interface: Internal
     Source Address: internal_network
     Outgoing Interface: dmz
     Destination Address: company_servers
     Schedule: always
     Service: all
     Action: ACCEPT
     NAT: ON
     Security Profiles: ON: AntiVirus, IPS
     Log Allowed Traffic: enable
     Comments: Access company servers

Configuring RADIUS SSO security policy

The RADIUS SSO policy allows access for members of specific RADIUS groups.

To configure the RADIUS SSO security policy:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Enter the following information:
     Incoming Interface: Internal
     Source Address: internal_network
     Source User(s): Select the user groups you created for RSSO.
     Outgoing Interface: wan1
     Destination Address: all
     Schedule: business_hours
     Service: ALL
     Action: ACCEPT
     NAT: ON
     Security Profiles: ON: AntiVirus, WebFilter, IPS, and Email Filter. In each case, select the default profile.
  4. Select OK.
  5. To ensure an RSSO-related policy is matched first, place it higher in the security policy list than more general policies for the same interfaces.
  6. Select OK.

Testing

Once configured, a user only needs to log on to their PC using their RADIUS account. After that when they attempt to access an Internet website, the FortiGate unit will use their session information to get their RADIUS information. Once the user is verified, they are allowed access to the website.

To test the configuration perform the following steps:

  1. Have user plee log on to their PC and try to access an Internet website.
  2. The FortiGate unit will contact the RADIUS server for user plee's information. Once confirmed, plee will have access to the website.

Each step generates log entries that enable you to verify that each step was successful.

If a step is unsuccessful, confirm that your configuration is correct.

Troubleshooting

RADIUS SSO test
