Defining local user groups for RADIUS SSO
You cannot use RADIUS user groups directly in security policies. Instead, you create locally-defined user groups on the FortiGate unit and associate each of them with a RADIUS user group.
To define local user groups for RADIUS SSO:
- Go to User & Device > User Groups and select Create New.
- Enter a Name for the user group.
- In Type, select RADIUS Single Sign-On (RSSO).
- In RADIUS Attribute Value, enter the name of the RADIUS user group this local user group represents.
- Select OK.
To define local user groups for RADIUS SSO – CLI:
This example creates an RSSO user group called RSSO-1 that is associated with RADIUS user group “student”.
config user group
    edit RSSO-1
        set group-type rsso
        set sso-attribute-value student
    next
end
Creating security policies
RADIUS SSO uses regular identity-based security policies. The RSSO user group you specify determines which users are permitted to use the policy. You can create multiple policies if different user groups need different UTM features, permitted services, schedules, and so on.
To create a security policy for RSSO – web-based manager:
- Go to Policy & Objects > IPv4 Policy.
- Select Create New.
- Enter the following information.
Field | Value
--- | ---
Incoming Interface | as needed
Source Address | as needed
Source User(s) | Select the user groups you created for RSSO. See Defining local user groups for RADIUS SSO on page 189.
Outgoing Interface | as needed
Destination Address | all
Schedule | as needed
Service | as needed
Action | ACCEPT
Enable NAT | Selected
Security Profiles | Select security profiles appropriate for the user group.
- Select OK.
To ensure an RSSO-related policy is matched first, the policy should be placed higher in the security policy list than more general policies for the same interfaces.
To create a security policy for RSSO – CLI:
In this example, an internal-network-to-Internet policy enables web access for members of a student group and applies the appropriate UTM profiles.
config firewall policy
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr "all"
        set action accept
        set rsso enable
        set groups "RSSO-student"
        set schedule always
        set service HTTP HTTPS
        set nat enable
        set utm-status enable
        set av-profile students
        set webfilter-profile students
        set spamfilter-profile students
        set dlp-sensor default
        set ips-sensor default
        set application-list students
        set profile-protocol-options "default"
    next
end
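The two CLI pieces above only work together when each group named in an RSSO policy exists with group-type rsso and an sso-attribute-value, and when the RSSO policy sits above any general policy for the same interfaces. The following Python lint, added here and not part of the Fortinet documentation, checks both conditions over a constructed FortiGate CLI snippet (the `SAMPLE` text, group and policy names are assumptions for the example).

```python
import shlex

# Constructed sample: policy 2 names an undefined group and sits below general policy 1.
SAMPLE = """config user group
    edit "RSSO-student"
        set group-type rsso
        set sso-attribute-value "student"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set rsso enable
        set groups "RSSO-student" "RSSO-teacher"
    next
end"""

def parse_fortios(text):
    """Parse flat config/edit/set/next/end blocks into {table: [(name, {key: values})]}."""
    tables, table, entry = {}, None, None
    for tok in map(shlex.split, text.splitlines()):  # shlex strips the CLI's double quotes
        if tok[:1] == ["config"]:  # nested sub-tables are not handled (the sample has none)
            table = tables.setdefault(" ".join(tok[1:]), [])
        elif tok[:1] == ["edit"]:
            table.append(entry := (tok[1], {}))
        elif tok[:1] == ["set"] and entry is not None:
            entry[1][tok[1]] = tok[2:]
        elif tok[:1] in (["next"], ["end"]):
            entry = None
    return tables

def lint_rsso(cfg):
    """Flag RSSO policies whose groups are not usable RSSO groups or that a general policy shadows."""
    groups = dict(cfg.get("user group", []))
    findings, general_pairs = [], set()
    for pid, s in cfg.get("firewall policy", []):
        pair = (tuple(s.get("srcintf", [])), tuple(s.get("dstintf", [])))
        if s.get("rsso") != ["enable"]:
            general_pairs.add(pair)  # a non-RSSO policy now covers this interface pair
            continue
        bad = [g for g in s.get("groups", []) if groups.get(g, {}).get("group-type") != ["rsso"]
               or not groups[g].get("sso-attribute-value")]
        findings += [f"policy {pid}: {g!r} is not a usable RSSO user group" for g in bad]
        if pair in general_pairs:
            findings.append(f"policy {pid}: RSSO policy sits below a general policy for {pair}")
    return findings
```

Running `lint_rsso(parse_fortios(SAMPLE))` reports the undefined RSSO-teacher group and the shadowed policy 2; a config exported with `show` can be fed in the same way.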