RADIUS Single Sign-On
A FortiGate or FortiMail unit can transparently identify users who have already authenticated on an external RADIUS server by parsing RADIUS accounting records. However, this approach has potential difficulties:
- The RADIUS server is business-critical IT infrastructure, limiting the changes that can be made to the server configuration.
- In some cases, the server can send accounting records only to a single endpoint. Some network topologies may require multiple endpoints.
The FortiAuthenticator RADIUS Accounting Proxy overcomes these limitations by proxying the RADIUS accounting records, modifying them, and replicating them to the multiple subscribing endpoints as needed.
RADIUS accounting proxy
The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server, transforms them, and then forwards them to multiple FortiGate or FortiMail devices for use in RADIUS Single Sign-On. This differs from the direct use of RADIUS accounting records described in RADIUS accounting on page 115.
The accounting proxy needs to know:
- Rule sets that define or derive the RADIUS attributes the FortiGate unit requires.
- The source of the RADIUS accounting records: the RADIUS server.
- The destination(s) of the accounting records: the FortiGate units that use this information for RADIUS SSO authentication.
General settings
General RADIUS accounting proxy settings can be configured by going to Fortinet SSO Methods > Accounting Proxy > General.
The following settings are available:
Log level | Select Debug, Info, Warning, or Error from the drop-down list as the minimum severity of event to log.
Group cache lifetime | Enter the time after which cached user group memberships expire, from 1 to 10080 minutes (7 days). The default is 480 minutes.
Number of proxy retries | Enter the number of times to retry a proxy request that times out, from 0 to 3, where 0 disables retries. The default is 3 retries.
Proxy retry timeout | Enter the timeout of a proxy request before it is retried, from 1 to 10 seconds.
Statistics update period | Enter the time between statistics updates to the debug log, from 1 to 3600 seconds (1 hour).
Select OK to apply your changes.
Rule sets
A rule set can contain multiple rules. Each rule does one of the following:
- add an attribute with a fixed value
- add an attribute whose value is retrieved from the user's record on an LDAP server
- rename an attribute so that the accounting proxy destination accepts it.
The FortiAuthenticator unit can store up to 10 rule sets. You can give each rule set a name and a description to help you remember its purpose.
Rules operate on RADIUS attributes, which are either standard attributes or vendor-specific attributes (VSAs). To select a standard attribute, select the Default vendor. See RADIUS attributes on page 72.
To view the accounting proxy rule set list, go to Fortinet SSO Methods > Accounting Proxy > Rule Sets.
To add RADIUS accounting proxy rule sets:
- From the rule set list, select Create New. The Create New Rule Set window opens.
- Enter the following information:
Name | Enter a name to use when selecting this rule set for an accounting proxy destination.
Description | Optionally, enter a brief description of the rule set's purpose.
Rules | Enter one or more rules. Each rule has the following fields:
Action | Either Add or Modify.
  - Add: add an attribute with either a static value or a value derived from an LDAP server.
  - Modify: rename an attribute.
Attribute | Select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Attribute 2 | If the action is Modify, select a second attribute. The first attribute is renamed to the second attribute.
Value Type | If the action is Add, select a value type from the drop-down list:
  - Static value: adds the attribute in the Attribute field with the static value in the Value field.
  - Group names: adds the attribute in the Attribute field with the group names taken from the group membership of the Username Attribute on the remote LDAP server.
  - Services: adds the attribute in the Attribute field with the services taken from the group membership of the Username Attribute on the remote LDAP server.
  - UTM profile groups: adds the attribute in the Attribute field with the UTM profile groups taken from the group membership of the Username Attribute on the remote LDAP server.
Value | If the action is Add and Value Type is Static value, enter the static value.
Username Attribute | If the action is Add and Value Type is not Static value, specify the attribute that carries the user's name, or select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Remote LDAP | If the attribute addition requires an LDAP server, select one from the drop-down list. See LDAP on page 88 for information on remote LDAP servers.
Description | Optionally, enter a brief description of the rule.
Add another rule | Select to add another rule to the rule set.
- Select OK to create the new rule set.
Example rule set
The incoming accounting packets contain the following fields:
- User-Name
- NAS-IP-Address
- Fortinet-Client-IP-Address
The outgoing accounting packets need to have these fields:
- User-Name
- NAS-IP-Address
- Fortinet-Client-IP-Address
- Session-Timeout: the value is always 3600
- Fortinet-Group-Name: the value is obtained from the user's group membership on the remote LDAP server
- Service-Type: the value is obtained from the user's group membership and the SSO Group Mapping
The rule set needs three rules to add Session-Timeout, Fortinet-Group-Name, and Service-Type. The following image provides an example:
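The following is an added example, not FortiAuthenticator code, that models what the rule set above does to a packet and what the proxy must do around it: verify the Accounting-Request against the source's shared secret, add Session-Timeout (static), Fortinet-Group-Name (LDAP group names) and Service-Type (group membership through the SSO group mapping), and re-sign the result for the destination, whose shared secret is different. It also implements the Modify (rename) action from the rule definition table. The LDAP server and SSO group mapping are constructed dictionaries, the incoming record is constructed, the Fortinet VSA numbers (vendor ID 12356, Fortinet-Group-Name 1, Fortinet-Client-IP-Address 2) are taken from the public FreeRADIUS Fortinet dictionary and treated as assumptions, and emitting one Fortinet-Group-Name per group is also an assumption.

```python
"""Toy RADIUS accounting proxy: verify the source's authenticator, apply a rule
set, re-sign for the destination. Constructed example, not FortiAuthenticator code."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
# Standard attribute types from RFC 2865/2866.
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC, SESSION_TIMEOUT = 1, 4, 6, 26, 27
# Fortinet VSA numbers as in the public FreeRADIUS Fortinet dictionary (assumed).
FORTINET, FORTINET_GROUP_NAME, FORTINET_CLIENT_IP = 12356, 1, 2

# Constructed stand-ins for the remote LDAP server and the SSO group mapping.
LDAP_GROUPS = {"alice": ["Engineering", "VPN-Users"]}
SSO_GROUP_MAPPING = {"VPN-Users": 2}  # group -> Service-Type value (2 = Framed-User)


def encode_attrs(attrs):
    """attrs: list of (type, bytes); a VSA is (26, (vendor, vendor_type, bytes))."""
    out = b""
    for t, v in attrs:
        if t == VENDOR_SPECIFIC:
            vendor, vtype, val = v
            v = struct.pack("!IBB", vendor, vtype, len(val) + 2) + val
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs = []
    while data:
        t, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        v = data[2:length]
        if t == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
            v = (vendor, vtype, v[6:4 + vlen])
        attrs.append((t, v))
        data = data[length:]
    return attrs


def build_packet(ident, attrs, secret):
    """Accounting-Request; Request Authenticator per RFC 2866 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_packet(pkt, secret):
    """Return (identifier, attrs) if the authenticator matches, else None."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return None
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None
    try:
        return ident, decode_attrs(pkt[20:])
    except ValueError:
        return None


def apply_rule_set(attrs, rules):
    """Add/static, Add/LDAP-derived and Modify (rename) rules, as on the page."""
    out = list(attrs)
    for rule in rules:
        if rule["action"] == "modify":  # rename Attribute to Attribute 2
            out = [(rule["attr2"], v) if t == rule["attr"] else (t, v) for t, v in out]
            continue
        if rule["value_type"] == "static":
            values = [rule["value"]]
        else:  # look the user named by Username Attribute up on the stand-in LDAP server
            user = next((v.decode() for t, v in out if t == rule["username_attr"]), None)
            groups = LDAP_GROUPS.get(user, [])
            if rule["value_type"] == "group_names":
                values = [g.encode() for g in groups]  # one attribute per group (assumed)
            else:  # "services": group membership mapped through the SSO group mapping
                values = [struct.pack("!I", SSO_GROUP_MAPPING[g]) for g in groups if g in SSO_GROUP_MAPPING]
        a = rule["attr"]
        for val in values:
            out.append((VENDOR_SPECIFIC, (a[0], a[1], val)) if isinstance(a, tuple) else (a, val))
    return out


def proxy(pkt, source_secret, dest_secret, rules):
    """Drop packets that fail verification; otherwise transform and re-sign."""
    verified = verify_packet(pkt, source_secret)
    if verified is None:
        return None
    ident, attrs = verified
    return build_packet(ident, apply_rule_set(attrs, rules), dest_secret)


# The page's example rule set: Session-Timeout, Fortinet-Group-Name, Service-Type.
EXAMPLE_RULES = [
    {"action": "add", "attr": SESSION_TIMEOUT, "value_type": "static", "value": struct.pack("!I", 3600)},
    {"action": "add", "attr": (FORTINET, FORTINET_GROUP_NAME), "value_type": "group_names", "username_attr": USER_NAME},
    {"action": "add", "attr": SERVICE_TYPE, "value_type": "services", "username_attr": USER_NAME},
]

# Constructed incoming record carrying the three fields from the page's example.
INCOMING = build_packet(7, [
    (USER_NAME, b"alice"),
    (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
    (VENDOR_SPECIFIC, (FORTINET, FORTINET_CLIENT_IP, bytes([192, 168, 1, 20]))),
], b"source-secret")

if __name__ == "__main__":
    print(verify_packet(proxy(INCOMING, b"source-secret", b"dest-secret", EXAMPLE_RULES), b"dest-secret"))
```

The point of `verify_packet` is that the destination FortiGate trusts these records to bind a user and groups to an IP address; anything that can produce a record the proxy accepts can log a user in. RFC 2866 authenticates accounting packets only with an MD5 over the shared secret, so the source secret should be long and random, the comparison constant-time as above, and, in a real deployment, the source restricted by address as well. A packet that fails verification is dropped rather than forwarded, and the forwarded copy is signed with the destination's secret, never the source's.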
Sources
The RADIUS accounting proxy sources list can be viewed in Fortinet SSO Methods > Accounting Proxy > Sources. Sources can be added, edited, and deleted as needed.
To add a RADIUS accounting proxy source:
- From the source list, select Create New. The Create New RADIUS Accounting Proxy Source window opens.
- Enter the following information:
Name | Enter a name for the RADIUS server. This name is used in FortiAuthenticator configurations.
Source name/IP | Enter the FQDN or IP address of the RADIUS server.
Secret | Enter the shared secret that this RADIUS server and the FortiAuthenticator use to authenticate the accounting packets it sends.
Description | Optionally, enter a description of the source.
- Select OK to add the RADIUS accounting proxy source.
Destinations
The destination of the RADIUS accounting records is the FortiGate unit that will use the records to identify users. When defining the destination, you also specify the source of the records (a RADIUS client already defined as a source) and the rule set to apply to the records.
To view the RADIUS accounting proxy destinations list, go to Fortinet SSO Methods > Accounting Proxy > Destinations.
To add a RADIUS accounting proxy destination:
- From the destinations list, select Create New. The Create New RADIUS Accounting Proxy Destination window opens.
- Enter the following information:
Name | Enter a name to identify the destination device in your configuration.
Destination name/IP | Enter the FQDN or IP address of the FortiGate that will receive the RADIUS accounting records.
Secret | Enter the shared secret that the destination FortiGate expects from the FortiAuthenticator; the forwarded records are authenticated with it.
Source | Select a RADIUS client defined as a source from the drop-down list. See Sources on page 127.
Rule set | Select an appropriate rule set from the drop-down list, or select Create New to create a new rule set. See Rule sets on page 125.
- Select OK to add the RADIUS accounting proxy destination.