SSO using RADIUS accounting records

Creating the FortiGate RADIUS SSO agent

Once you define a RADIUS SSO (RSSO) agent, the FortiGate unit will accept user logon information from any RADIUS server that has the same shared secret. You can create only one RSSO agent in each VDOM.

Before you create the RSSO agent, you need to allow RADIUS accounting information on the interface that connects to the RADIUS server.


To enable RADIUS access on the interface – web-based manager:

  1. Go to Network > Interfaces and edit the interface to which the RADIUS server is connected.
  2. Select Listen for RADIUS Accounting Messages.
  3. Select OK.

To enable RADIUS access on the interface – CLI:

In this example, the port2 interface is used.

    config system interface
        edit port2
            set allowaccess radius-acct
    end

To create a RADIUS SSO agent:

  1. Go to User & Device > Single Sign-On and select Create New.
  2. In Type, select RADIUS Single-Sign-On Agent.
  3. Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.
  4. Select Send RADIUS Responses.
  5. Select OK.

To create a RADIUS SSO agent – CLI

    config user radius
        edit RSSO_Agent
            set rsso enable
            set rsso-validate-request-secret enable
            set rsso-secret <your secret>
            set rsso-radius-response enable
    end

Selecting which RADIUS attributes are used for RSSO

For RADIUS SSO to work, FortiOS needs to know the user’s endpoint identifier (usually IP address) and RADIUS user group. There are default RADIUS attributes where FortiOS expects this information, but you can change these attributes in the config user radius CLI command.

RSSO information and RADIUS attribute defaults

    RSSO information          RADIUS attribute        CLI field
    Endpoint identifier       Calling-Station-ID      rsso-endpoint-attribute
    Endpoint block attribute  Called-Station-ID       rsso-endpoint-block-attribute
    User group                Class                   sso-attribute
    User prefix               delegated-IPv6-prefix
    User prefix               framed-IPv6-prefix

The Endpoint block attribute can be used to block or allow a user. If the value of that attribute indicates block or allow, FortiOS blocks or allows, respectively, all traffic from that user’s IP address. The RSSO fields are visible only when rsso is set to enable.

The Prefix attributes allow for RSSO to provide a /56 prefix for DSL customers. All devices connected from the same location (/56 per subscriber) can be mapped to the same profile without the need to create multiple /64 or smaller entries.
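The following Python script is an added example and is not code from the handbook or from Fortinet. It shows the record-level work the agent does with the attributes in the table: it builds a constructed RADIUS Accounting-Request (Start), validates the Request Authenticator against the shared secret (the check that rsso-validate-request-secret turns on), pulls out the endpoint identifier, endpoint block attribute, user group and IPv6 prefix attributes, and builds the Accounting-Response that Send RADIUS Responses refers to. Attribute numbers are the standard ones from RFC 2865, 2866, 3162 and 4818; the shared secret, user name, addresses and group name are constructed sample values, and RSSO_MAP and the function names are this example's own, not a FortiOS API.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5  # RADIUS packet codes (RFC 2866)
# Standard attribute numbers (RFC 2865, 2866, 3162, 4818)
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Class": 25,
        "Called-Station-Id": 30, "Calling-Station-Id": 31,
        "Acct-Status-Type": 40, "Framed-IPv6-Prefix": 97,
        "Delegated-IPv6-Prefix": 123}
ATTR_NAME = {num: name for name, num in ATTR.items()}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

# Default attribute selection from the table above, keyed by the FortiOS CLI
# field names; the dict itself is this example's own structure.
RSSO_MAP = {"rsso-endpoint-attribute": "Calling-Station-Id",
            "rsso-endpoint-block-attribute": "Called-Station-Id",
            "sso-attribute": "Class"}


def encode_ipv6_prefix(prefix):
    """RFC 3162 encoding: reserved byte, prefix length, then only the prefix octets."""
    net = ipaddress.IPv6Network(prefix)
    return bytes([0, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]


def decode_ipv6_prefix(value):
    plen = value[1]
    return str(ipaddress.IPv6Network((value[2:].ljust(16, b"\x00"), plen)))


def build_accounting_request(secret, identifier, attrs):
    """Request Authenticator = MD5(header | 16 zero bytes | attributes | secret)."""
    body = b"".join(struct.pack("BB", ATTR[name], len(val) + 2) + val for name, val in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_accounting_request(packet, secret):
    """The check rsso-validate-request-secret enables: a record signed with another secret is rejected."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Split the attribute section into {name: [value, ...]}; unknown types keep their number."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(ATTR_NAME.get(atype, atype), []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def extract_rsso_context(packet, secret, mapping=RSSO_MAP):
    """Return the fields RSSO needs from the record, or None when the shared secret does not match."""
    if not verify_accounting_request(packet, secret):
        return None
    attrs = parse_attributes(packet)

    def first(name):
        return (attrs.get(name) or [None])[0]

    def text(name):
        return first(name).decode(errors="replace") if first(name) is not None else None

    status = struct.unpack("!I", first("Acct-Status-Type"))[0] if first("Acct-Status-Type") else None
    return {
        "status": STATUS.get(status, status),
        "user": text("User-Name"),
        "endpoint": text(mapping["rsso-endpoint-attribute"]),
        "group": text(mapping["sso-attribute"]),
        "blocked": first(mapping["rsso-endpoint-block-attribute"]) == b"Block",
        "prefixes": [decode_ipv6_prefix(v) for name in ("Delegated-IPv6-Prefix", "Framed-IPv6-Prefix")
                     for v in attrs.get(name, [])],
    }


def build_accounting_response(request, secret):
    """Accounting-Response: Response Authenticator = MD5(header | request authenticator | secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


SECRET = b"constructed-shared-secret"  # constructed sample value
SAMPLE_START = build_accounting_request(SECRET, 7, [  # constructed Start record
    ("Acct-Status-Type", struct.pack("!I", 1)),
    ("User-Name", b"alice"),
    ("Calling-Station-Id", b"10.1.1.25"),
    ("Called-Station-Id", b"Allow"),
    ("Class", b"RSSO-Staff"),
    ("Delegated-IPv6-Prefix", encode_ipv6_prefix("2001:db8:abcd:100::/56")),
])

if __name__ == "__main__":
    print(extract_rsso_context(SAMPLE_START, SECRET))
    print("wrong secret ->", extract_rsso_context(SAMPLE_START, b"other-secret"))
    print("response:", build_accounting_response(SAMPLE_START, SECRET).hex())
```

Changing RSSO_MAP is the equivalent of changing rsso-endpoint-attribute or sso-attribute in config user radius: the same record then yields a different endpoint or group. The authenticator check is what makes "any RADIUS server that has the same shared secret" the trust boundary, so a mismatched secret returns None before any attribute is read.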

Override SSO attribute

Prior to FortiOS 5.4, when a new Start message arrived for the same user with a different group name and a different IP address (for example, a roaming mobile device), FortiOS replaced all group name information for that user with the group name from the latest Start message.

You can disable this override when needed. The default keeps the original behavior (override enabled).

To enable or disable overriding SSO attribute – CLI

    config user radius
        edit <name>
            set rsso enable
            set sso-attribute-value-override {enable | disable}
    end

sso-attribute-value-override: Enable/disable override of the old attribute value with the new value for the same endpoint.

Configuring logging for RSSO

In the config user radius CLI command, you can set the following flags in the rsso-log-flags field to determine which types of RSSO-related events are logged:

  • protocol-error — A RADIUS protocol error occurred.
  • profile-missing — FortiOS cannot find a user group name in a RADIUS start message that matches the name of an RSSO user group in FortiOS.
  • accounting-stop-missed — A user context entry expired without FortiOS receiving a RADIUS Stop message.
  • accounting-event — FortiOS did not find the expected information in a RADIUS record.
  • endpoint-block — FortiOS blocked a user because the RADIUS record’s endpoint block attribute had the value “Block”.
  • radiusd-other — Other events, described in the log message.
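The following Python simulation is an added example, not Fortinet code, and serves both the Override SSO attribute section and the log flags above. It keeps a user-context table keyed by endpoint, applies the sso-attribute-value-override setting when a Start for the same user arrives with a different group, and raises the profile-missing, accounting-stop-missed, accounting-event and endpoint-block events as the list describes. The interpretation of override disabled (existing entries for the user keep their old group; only a brand-new endpoint takes the received group) is this example's assumption, as is the 28800-second context timeout; the records, user names, addresses and group names are constructed, and the class and function names are the example's own.

```python
# Constructed records in the shape a parsed Accounting-Request would yield.
def rec(status, user, endpoint, group=None, blocked=False):
    return {"status": status, "user": user, "endpoint": endpoint, "group": group, "blocked": blocked}


LOG_FLAGS = ("profile-missing", "accounting-stop-missed", "accounting-event", "endpoint-block")


class RssoContextTable:
    """Simulated user-context table: endpoint -> {user, group, blocked, last_seen}."""

    def __init__(self, rsso_groups, override=True, context_timeout=28800, log_flags=LOG_FLAGS):
        self.groups = set(rsso_groups)      # names of the local user groups of type RSSO
        self.override = override            # sso-attribute-value-override
        self.timeout = context_timeout      # assumed context timeout in seconds
        self.log_flags = set(log_flags)     # rsso-log-flags that are enabled
        self.contexts = {}
        self.log = []                       # (flag, message) tuples

    def _emit(self, flag, message):
        if flag in self.log_flags:          # only enabled flags produce a log entry
            self.log.append((flag, message))

    def handle(self, record, now):
        missing = [k for k in ("status", "user", "endpoint") if not record.get(k)]
        if missing:
            self._emit("accounting-event", f"record is missing {missing}")
            return
        ep, user = record["endpoint"], record["user"]
        if record["status"] == "Stop":
            self.contexts.pop(ep, None)     # a Stop clears the entry normally
            return
        if record["blocked"]:
            self._emit("endpoint-block", f"{user}@{ep} blocked by the endpoint block attribute")
            self.contexts[ep] = {"user": user, "group": None, "blocked": True, "last_seen": now}
            return
        group = record["group"]
        if group not in self.groups:
            self._emit("profile-missing", f"group {group!r} in Start from {user}@{ep} matches no RSSO user group")
            group = None
        if self.override:
            # override enabled: every entry for this user takes the latest group name
            for ctx in self.contexts.values():
                if ctx["user"] == user:
                    ctx["group"] = group
        elif ep in self.contexts and self.contexts[ep]["user"] == user:
            group = self.contexts[ep]["group"]   # override disabled: keep the old value
        self.contexts[ep] = {"user": user, "group": group, "blocked": False, "last_seen": now}

    def expire(self, now):
        """Age out entries that never received a Stop, logging accounting-stop-missed for each."""
        for ep, ctx in list(self.contexts.items()):
            if now - ctx["last_seen"] > self.timeout:
                self._emit("accounting-stop-missed", f"context {ctx['user']}@{ep} expired without a RADIUS Stop")
                del self.contexts[ep]

    def group_for(self, endpoint):
        ctx = self.contexts.get(endpoint)
        return None if ctx is None or ctx["blocked"] else ctx["group"]


def simulate(override):
    """Constructed sequence: a roaming user, a Start with an unknown group, and a blocked endpoint."""
    table = RssoContextTable(rsso_groups={"RSSO-Staff", "RSSO-Guest"}, override=override)
    table.handle(rec("Start", "alice", "10.1.1.25", "RSSO-Staff"), now=0)
    table.handle(rec("Start", "alice", "10.1.2.40", "RSSO-Guest"), now=60)   # same user, new IP and group
    table.handle(rec("Start", "bob", "10.1.1.30", "Contractors"), now=90)    # no matching RSSO group
    table.handle(rec("Start", "eve", "10.1.1.31", "RSSO-Guest", blocked=True), now=100)
    return table


if __name__ == "__main__":
    for setting in (True, False):
        t = simulate(setting)
        print(f"override={setting}:", {ep: t.group_for(ep) for ep in t.contexts})
        t.expire(now=30000)
        print("  log:", t.log)
```

Running the two settings side by side shows the difference the override flag makes for the roaming device: with override enabled, alice's original endpoint is moved to RSSO-Guest as well; with it disabled, each endpoint keeps the group from its own Start. The expire pass is where accounting-stop-missed comes from, which is why a NAS that never sends Stop records shows up as a steady stream of that event.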

This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
