SSO using RADIUS accounting records

Defining local user groups for RADIUS SSO

You cannot use RADIUS user groups directly in security policies. Instead, you create locally-defined user groups on the FortiGate unit and associate each of them with a RADIUS user group.

Creating security policies

To define local user groups for RADIUS SSO:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the user group.
  3. In Type, select RADIUS Single Sign-On (RSSO).
  4. In RADIUS Attribute Value, enter the name of the RADIUS user group this local user group represents.
  5. Select OK.

To define local user groups for RADIUS SSO:

This example creates an RSSO user group called RSSO-1 that is associated with RADIUS user group “student”.

config user group edit RSSO-1 set group-type rsso set sso-attribute-value student

end

Creating security policies

RADIUS SSO uses regular identity-based security policies. The RSSO user group you specify determines which users are permitted to use the policy. You can create multiple policies if user groups can have different UTM features enabled, different permitted services, schedules, and so on.

To create a security policy for RSSO – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Enter the following information.
Incoming Interface as needed
Source Address as needed
Source User(s) Select the user groups you created for RSSO. See Defining local user groups for RADIUS SSO on page 189.
Outgoing Interface as needed
Destination Address all
Schedule as needed
Service as needed
Action ACCEPT
Enable NAT Selected
Security Profiles Select security profiles appropriate for the user group.
  1. Select OK.

Example: webfiltering for student and teacher accounts

To ensure an RSSO-related policy is matched first, the policy should be placed higher in the security policy list than more general policies for the same interfaces.

  1. Select OK.

To create a security policy for RSSO – CLI:

In this example, an internal network to Internet policy enables web access for members of a student group and activates the appropriate UTM profiles.

config firewall policy edit 0 set srcintf internal set dstintf wan1 set srcaddr all set dstaddr “all” set action accept set rsso enable set groups “RSSO-student” set schedule always set service HTTP HTTPS set nat enable set utm-status enable set av-profile students set webfilter-profile students set spamfilter-profile students set dlp-sensor default set ips-sensor default set application-list students set profile-protocol-options “default”

end

This entry was posted in FortiGate, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.