Creating the FortiGate RADIUS SSO agent
Once you define a RADIUS SSO (RSSO) agent, the FortiGate unit will accept user logon information from any RADIUS server that has the same shared secret. You can create only one RSSO agent in each VDOM.
Before you create the RSSO agent, you need to allow RADIUS accounting information on the interface that connects to the RADIUS server.
To enable RADIUS access on the interface – web-based manager:
- Go to Network > Interfaces and edit the interface to which the RADIUS server is connected.
- Select Listen for RADIUS Accounting Messages.
- Select OK.
To enable RADIUS access on the interface – CLI:
In this example, the port2 interface is used.
config system interface
    edit port2
        # "set allowaccess" replaces the interface's whole access list; use
        # "append allowaccess radius-acct" to keep the existing services (ping, https, ssh, ...)
        set allowaccess radius-acct
    next
end
To create a RADIUS SSO agent:
- Go to User & Device > Single Sign-On and select Create New.
- In Type, select RADIUS Single-Sign-On Agent.
- Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.
- Select Send RADIUS Responses.
- Select OK.
To create a RADIUS SSO agent – CLI:
config user radius
    edit RSSO_Agent
        set rsso enable
        set rsso-validate-request-secret enable
        set rsso-secret <your secret>
        set rsso-radius-response enable
    next
end
Selecting which RADIUS attributes are used for RSSO
For RADIUS SSO to work, FortiOS needs to know the user’s endpoint identifier (usually IP address) and RADIUS user group. There are default RADIUS attributes where FortiOS expects this information, but you can change these attributes in the config user radius CLI command.
RSSO information and RADIUS attribute defaults
| RSSO Information | RADIUS Attribute | CLI field |
| --- | --- | --- |
| Endpoint identifier | Calling-Station-ID | rsso-endpoint-attribute |
| Endpoint block attribute | Called-Station-ID | rsso-endpoint-block-attribute |
| User group | Class | sso-attribute |
| User | Prefix | delegated-IPv6-prefix |
| User | Prefix | framed-IPv6-prefix |
The Endpoint block attribute can be used to block or allow a user. When a RADIUS record carries the attribute named in rsso-endpoint-block-attribute with a value that indicates block or allow, FortiOS blocks or allows, respectively, all traffic from that user’s IP address. The RSSO fields are visible only when rsso is set to enable.
The Prefix attributes allow for RSSO to provide a /56 prefix for DSL customers. All devices connected from the same location (/56 per subscriber) can be mapped to the same profile without the need to create multiple /64 or smaller entries.
Override SSO attribute
Prior to FortiOS 5.4, when a new Start message arrived for the same user with a different group name and a different IP address (for example, a roaming mobile device), FortiOS overrode all group name information for that user with the group name received in the latest Start message.
You can disable this override when needed. The default setting preserves the original behavior.
To enable or disable overriding the SSO attribute – CLI:
config user radius
    edit <name>
        set rsso enable
        set sso-attribute-value-override {enable | disable}
    next
end
sso-attribute-value-override enables or disables overriding the old attribute value with the new value received for the same endpoint.
Configuring logging for RSSO
In the config user radius CLI command, you can set the following flags in the rsso-log-flags field to determine which types of RSSO-related events are logged:
- protocol-error — A RADIUS protocol error occurred.
- profile-missing — FortiOS cannot find a user group name in a RADIUS Start message that matches the name of an RSSO user group in FortiOS.
- accounting-stop-missed — A user context entry expired without FortiOS receiving a RADIUS Stop message.
- accounting-event — FortiOS did not find the expected information in a RADIUS record.
- endpoint-block — FortiOS blocked a user because the RADIUS record’s endpoint block attribute had the value “Block”.
- radiusd-other — Other events, described in the log message.
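The pieces described on this page (shared-secret validation of the accounting request, the endpoint / block / group attribute mapping, the sso-attribute-value-override rule, and the event types behind the log flags) modelled together in a small Python agent. This is an added example written for this page, not FortiOS code: the RssoAgent class, its method names, the return strings and the constructed packets and secret are assumptions, and it processes hand-built RADIUS Accounting-Request packets (RFC 2866 framing) rather than listening on a socket.

```python
"""Toy model of an RSSO agent's packet handling, constructed for this page:
verify a RADIUS Accounting-Request against the shared secret (RFC 2866),
pull the endpoint / block / group attributes and apply the override rule."""
import hashlib
import hmac
import struct

ACCT_REQUEST = 4               # RADIUS code for Accounting-Request
ACCT_START, ACCT_STOP = 1, 2   # Acct-Status-Type values
ATTR = {"User-Name": 1, "Class": 25, "Called-Station-Id": 30,
        "Calling-Station-Id": 31, "Acct-Status-Type": 40}


def build_accounting_request(secret, ident, attrs):
    """Encode (name, value) pairs as RADIUS TLVs; ints become 4-byte fields.
    Request Authenticator = MD5(code+id+length + 16 zero octets + attrs + secret)."""
    body = b""
    for name, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        body += struct.pack("!BB", ATTR[name], len(value) + 2) + value
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Return {attribute_type: [values]} or None when the packet is malformed or
    its authenticator does not verify under our secret (rsso-validate-request-secret)."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None            # wrong shared secret: not a RADIUS server we trust
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            return None
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None        # truncated or overlong TLV
        attrs.setdefault(atype, []).append(body[pos + 2:pos + alen])
        pos += alen
    return attrs


class RssoAgent:
    """Hypothetical agent whose constructor arguments mirror the CLI fields
    rsso-endpoint-attribute, rsso-endpoint-block-attribute, sso-attribute and
    sso-attribute-value-override, with the defaults from the table above."""

    def __init__(self, secret, rsso_groups, endpoint_attribute="Calling-Station-Id",
                 endpoint_block_attribute="Called-Station-Id", sso_attribute="Class",
                 sso_attribute_value_override=True):
        self.secret = secret
        self.rsso_groups = set(rsso_groups)   # RSSO user groups defined on the unit
        self.endpoint_attr = ATTR[endpoint_attribute]
        self.block_attr = ATTR[endpoint_block_attribute]
        self.sso_attr = ATTR[sso_attribute]
        self.override = sso_attribute_value_override
        self.contexts = {}    # endpoint -> group name (the user context table)
        self.blocked = set()
        self.log = []         # event names, in the spirit of rsso-log-flags

    @staticmethod
    def _first(attrs, atype):
        values = attrs.get(atype)
        return values[0].decode("ascii", "replace") if values else None

    def handle(self, packet):
        """Process one Accounting-Request and report what was done with it."""
        attrs = parse_accounting_request(packet, self.secret)
        if attrs is None:
            self.log.append("protocol-error")
            return "dropped"
        endpoint = self._first(attrs, self.endpoint_attr)
        status = attrs.get(ATTR["Acct-Status-Type"])
        if endpoint is None or not status or len(status[0]) != 4:
            self.log.append("accounting-event")   # expected information missing
            return "dropped"
        if struct.unpack("!I", status[0])[0] == ACCT_STOP:
            self.contexts.pop(endpoint, None)
            self.blocked.discard(endpoint)
            return "logout"
        if self._first(attrs, self.block_attr) == "Block":
            self.blocked.add(endpoint)
            self.log.append("endpoint-block")
            return "blocked"
        group = self._first(attrs, self.sso_attr)
        if group not in self.rsso_groups:
            self.log.append("profile-missing")    # no matching RSSO user group
            return "no-group"
        if endpoint in self.contexts and not self.override:
            return "kept"      # override disabled: keep the original group
        self.contexts[endpoint] = group
        return "logon"
```

Note that the authenticator check uses the shared secret exactly as "Use RADIUS Shared Secret" does: a Start message from a server with a different secret fails verification and is dropped before any attribute is trusted, which is why the secret, not the server address, decides which servers the agent accepts.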