SSO using RADIUS accounting records

Example: web filtering for student and teacher accounts

The following example uses RADIUS SSO to apply web filtering to students, but not to teachers. Assume that the RADIUS server is already configured to send RADIUS Start and Stop records to the FortiGate unit. There are two RADIUS user groups, students and teachers, recorded in the default attribute Class. The workstations are connected to port1, port2 connects to the RADIUS server, and port3 connects to the Internet.

Configure the student web filter profile:

  1. Go to Security Profiles > Web Filter and select Create New (the “+” button).
  2. Enter the following and select OK.

| Setting | Value |
|---|---|
| Name | student |
| Inspection Mode | Proxy |
| FortiGuard Categories | Enable. Right-click the Potentially Liable category and select Block. Repeat for Adult/Mature Content and Security Risk. |


Create the RADIUS SSO agent:

  1. Go to User & Device > Single Sign-On and select Create New.
  2. In Type, select RADIUS Single-Sign-On.
  3. Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.
  4. Select Send RADIUS Responses.
  5. Select OK.
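The agent configured above does three things with every RADIUS accounting record it receives: it checks the record against the shared secret, it learns (on Start) or forgets (on Stop) the user, IP address and Class attribute carried in the record, and, because Send RADIUS Responses is enabled, it answers with an Accounting-Response. The following added example models that behaviour in Python so the mechanism behind the GUI steps is visible; it is not FortiOS code and not from this site. The attribute numbers and packet layout follow RFC 2866; the user names, addresses and the shared secret are constructed sample values.

```python
"""Constructed model of a RADIUS SSO agent: validate Accounting-Requests with the
shared secret, learn user/IP/Class from Start records, forget them on Stop, and
reply with an Accounting-Response. Added example, not FortiOS code; all sample
names, addresses and the secret are made up."""
import hashlib
import ipaddress
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5                            # RADIUS packet codes
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40  # attribute types
START, STOP, INTERIM = 1, 2, 3                                # Acct-Status-Type values


def acct_request(ident, user, ip, groups, status, secret):
    """Build an Accounting-Request as a RADIUS server would send it.
    Request Authenticator = MD5(code|id|length|16 zero bytes|attributes|secret)."""
    attrs = [(USER_NAME, user.encode()),
             (FRAMED_IP, ipaddress.IPv4Address(ip).packed),
             (ACCT_STATUS_TYPE, struct.pack("!I", status))]
    attrs += [(CLASS, g.encode()) for g in groups]   # one Class attribute per group
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_attrs(body):
    """Walk the TLV attribute list; reject truncated or zero-length entries."""
    pos, out = 0, []
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length")
        out.append((t, body[pos + 2:pos + length]))
        pos += length
    return out


class RssoAgent:
    """Session table keyed by source IP; this is what a policy's Source User(s) matches."""

    def __init__(self, secret):
        self.secret = secret
        self.sessions = {}      # ip -> (user, [groups])

    def handle(self, packet):
        """Return (Accounting-Response bytes or None, human-readable decision)."""
        if len(packet) < 20:
            return None, "drop: packet shorter than RADIUS header"
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCT_REQUEST or length != len(packet):
            return None, "drop: not a well-formed Accounting-Request"
        req_auth, body = packet[4:20], packet[20:]
        # A sender without the shared secret cannot produce this digest, so a
        # record with the wrong secret never reaches the session table.
        expected = hashlib.md5(packet[:4] + bytes(16) + body + self.secret).digest()
        if expected != req_auth:
            return None, "drop: authenticator mismatch (wrong shared secret)"
        try:
            fields, groups = {}, []
            for t, v in parse_attrs(body):
                if t == CLASS:
                    groups.append(v.decode("utf-8", "replace"))
                else:
                    fields[t] = v
            user = fields[USER_NAME].decode("utf-8", "replace")
            ip = str(ipaddress.IPv4Address(fields[FRAMED_IP]))
            status = struct.unpack("!I", fields[ACCT_STATUS_TYPE])[0]
        except (KeyError, ValueError, struct.error) as exc:
            return None, f"drop: unusable record ({exc})"
        if status in (START, INTERIM):
            self.sessions[ip] = (user, groups)
            decision = f"logon {user}@{ip} groups={groups}"
        elif status == STOP:
            self.sessions.pop(ip, None)
            decision = f"logoff {user}@{ip}"
        else:
            decision = f"ignored Acct-Status-Type {status}"
        # Accounting-Response: code 5, same identifier, no attributes,
        # authenticator = MD5(code|id|length|request authenticator|secret).
        header = struct.pack("!BBH", ACCT_RESPONSE, ident, 20)
        resp = header + hashlib.md5(header + req_auth + self.secret).digest()
        return resp, decision

    def groups_for(self, ip):
        """Groups the firewall would see for a source IP (empty when unknown)."""
        return self.sessions.get(ip, (None, []))[1]


def demo():
    """Run the student/teacher scenario; returns the decisions and the final table."""
    secret = b"constructed-shared-secret"          # constructed sample value
    agent = RssoAgent(secret)
    decisions = []
    for pkt in (
        acct_request(1, "alice", "10.0.1.23", ["students"], START, secret),
        acct_request(2, "bob", "10.0.1.24", ["teachers"], START, secret),
        # record built with the wrong secret: must be dropped, table unchanged
        acct_request(3, "alice", "10.0.1.23", ["teachers"], START, b"guess"),
        acct_request(4, "bob", "10.0.1.24", ["teachers"], STOP, secret),
    ):
        resp, decision = agent.handle(pkt)
        decisions.append((resp is not None, decision))
    return decisions, dict(agent.sessions)


if __name__ == "__main__":
    for answered, decision in demo()[0]:
        print(("responded " if answered else "no reply  ") + decision)
```

Running the script prints one line per record: the two Start records and the Stop record get an Accounting-Response, the record built with the wrong secret gets none, and at the end only alice's session (group students) remains in the table. The point for the policies that follow is that group membership used for matching is only as trustworthy as the shared secret and the path between RADIUS server and FortiGate on port2.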

Define local user groups associated with the RADIUS SSO user groups:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following and select OK.

| Setting | Value |
|---|---|
| Name | RSSO-students |
| Type | RADIUS Single Sign-On (RSSO) |
| RADIUS Attribute Value | students |

  3. Select Create New, enter the following and select OK.

| Setting | Value |
|---|---|
| Name | RSSO-teachers |
| Type | RADIUS Single Sign-On (RSSO) |
| RADIUS Attribute Value | teachers |

Create a security policy for students:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following.

| Setting | Value |
|---|---|
| Incoming Interface | port1 |
| Source Address | all |
| Source User(s) | RSSO-students |
| Source Device Type | All |
| Outgoing Interface | port3 |
| Destination Address | all |
| Schedule | always |
| Service | HTTP, HTTPS |
| Action | ACCEPT |
| NAT | ON |
| Security Profiles | Enable AntiVirus, Web Filter, IPS. In Web Filter, select the student profile. |

  3. Select OK.

Create a security policy for teachers:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following.

| Setting | Value |
|---|---|
| Incoming Interface | port2 |
| Source Address | all |
| Source User(s) | RSSO-teachers |
| Source Device Type | All |
| Outgoing Interface | port3 |
| Destination Address | all |
| Schedule | always |
| Service | ALL |
| Action | ACCEPT |
| NAT | ON |
| Security Profiles | Enable AntiVirus and IPS. |

  3. Select OK.


This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
