Fortinet black logo

Administration Guide

RADIUS accounting proxy

RADIUS accounting proxy

The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server, transforms them, and forwards them to multiple FortiGate or FortiMail devices for use in RADIUS Single Sign-On (RSSO). This differs from the packet use of RADIUS accounting (RADIUS accounting sources).

The accounting proxy needs to know:

  • the rule sets to define or derive the RADIUS attributes that the FortiGate unit requires,
  • the source of the RADIUS accounting records (i.e. the RADIUS server),
  • and the destination(s) of the accounting records (i.e. the FortiGate units using this information for RSSO authentication).

General

General RADIUS accounting proxy settings can be configured by going to Fortinet SSO Methods > Accounting Proxy > General.

The following settings are available:

Log level Select Error, Warning, Info, or Debug as the minimum event severity level to log from the dropdown menu. The default is Error.
Group cache lifetime Enter the amount of time after which user group memberships will expire in the cache, from 1-10080 minutes (maximum of one week). The default is 480.
Number of proxy retries Enter the number of times to retry proxy requests if they timeout, from 0-3 retries, where 0 disables retries. The default is 3.
Proxy retry timeout Enter the retry timeout period of a proxy request, from 1-10 seconds. The default is 5.
Statistics update period Enter the time between statistics updates to the seconds debug log, from 1-3600 seconds (maximum of one hour). The default is 5.

Select OK to apply your changes.

Rule sets

A rule set can contain multiple rules. Each rule can do one of the following:

  • Add an attribute with a fixed value.
  • Add an attribute retrieved from a user’s record on an LDAP server.
  • Rename an attribute to make it acceptable to the accounting proxy destination.

FortiAuthenticator can store up to 25 rule sets. You can provide both a name and description to rule sets to help identify each rule set and their purpose.

Rules access RADIUS attributes of which there are both standard attributes and vendor-specific attributes (VSAs). To select a standard attribute, select the default vendor. See RADIUS attributes.

To view the accounting proxy rule set list, go to Fortinet SSO Methods > Accounting Proxy > Rule Sets.

To add RADIUS accounting proxy rule sets:
  1. From the rule set list, select Create New. The Create New Rule Set window opens.
  2. Enter the following information:
    NameEnter a name to use when selecting this rule set for an accounting proxy destination.
    DescriptionOptionally, enter a brief description of the rule’s purpose.
    RulesEnter one or more rules.
    Action

    The action for each rule can be either Add or Modify.

    • Add: Add either a static value or a value derived from an LDAP server.
    • Modify: Rename an attribute.
    AttributeSelect Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
    Attribute 2If Action is set to Modify, a second attribute may be selected. The first attribute is renamed to the second attribute.
    Value type

    If the action is set to Add, select a value type from the dropdown menu.

    • Static value: Adds the attribute in the Attribute field containing the static value in the Value field.
    • Group names: Adds attribute in the Attribute field containing "Group names" from the group membership of the Username Attribute on the remote LDAP server.
    ValueIf the action is set to Add and Value Type is set to Static value, enter the static value.
    Username attributeIf the action is set to Add, and Value Type is not set to Static value, specify an attribute that provides the user’s name, or select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
    Remote LDAPIf the attribute addition requires an LDAP server, select one from the dropdown menu. See LDAP for information on remote LDAP servers.
    DescriptionA brief description of the rule is provided.
    Add another RuleSelect to add another rule to the rule set.
  3. Select OK to create the new rule set.

Example rule set

The incoming accounting packets contain the following fields:

  • User-Name
  • NAS-IP-Address
  • Fortinet-Client-IP-Address

The outgoing accounting packets need to have these fields:

  • User-Name
  • NAS-IP-Address
  • Fortinet-Client-IP-Address
  • Session-Timeout: Value is always 3600
  • Fortinet-Group-Name: Value is obtained from user's group membership on remote LDAP

The rule set needs two rules to add Session-Timeout and Fortinet-Group-Name. The following image provides an example:

Sources

The RADIUS accounting proxy sources list can be viewed in Fortinet SSO Methods > Accounting Proxy > Sources. Sources can be added, edited, and deleted as needed. A maximum of 500 proxy sources can be configured.

To add a RADIUS accounting proxy source:
  1. From the source list, select Create New. The Create New RADIUS Accounting Proxy Source window opens.
  2. Enter the following information:
    NameEnter the name of the RADIUS server. This is used in FortiAuthenticator configurations.
    Source name/IPEnter the FQDN or IP address of the server.
    SecretEnter the pre-shared secret required to access the server.
    DescriptionOptionally, enter a description of the source.
  3. Select OK to add the RADIUS accounting proxy source.

Destinations

The destination of the RADIUS accounting records is the FortiGate unit that will use the records to identify users. When defining the destination, you also specify the source of the records (a RADIUS client already defined as a source) and the rule set to apply to the records.

To view the RADIUS accounting proxy destinations list, go to Fortinet SSO Methods > Accounting Proxy > Destinations. A maximum of 500 proxy destinations can be configured.

To add a RADIUS accounting proxy destinations:
  1. From the destinations list, select Create New. The Create New RADIUS Accounting Proxy Destination window opens.
  2. Enter the following information:
    NameEnter a name to identify the destination device in your configuration.
    Destination name/IPEnter The FQDN or IP address of the FortiGate that will receive the RADIUS accounting records.
    SecretEnter the pre-shared key of the destination.
    SourceSelect a RADIUS client defined as a source from the dropdown menu. See Sources.
    Rule set Select an appropriate rule set from the dropdown menu or select Create New to create a new rule set. See Rule sets.
  3. Select OK to add the RADIUS accounting proxy destination.

RADIUS accounting proxy

The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server, transforms them, and forwards them to multiple FortiGate or FortiMail devices for use in RADIUS Single Sign-On (RSSO). This differs from the packet use of RADIUS accounting (RADIUS accounting sources).

The accounting proxy needs to know:

  • the rule sets to define or derive the RADIUS attributes that the FortiGate unit requires,
  • the source of the RADIUS accounting records (i.e. the RADIUS server),
  • and the destination(s) of the accounting records (i.e. the FortiGate units using this information for RSSO authentication).

General

General RADIUS accounting proxy settings can be configured by going to Fortinet SSO Methods > Accounting Proxy > General.

The following settings are available:

Log level Select Error, Warning, Info, or Debug as the minimum event severity level to log from the dropdown menu. The default is Error.
Group cache lifetime Enter the amount of time after which user group memberships will expire in the cache, from 1-10080 minutes (maximum of one week). The default is 480.
Number of proxy retries Enter the number of times to retry proxy requests if they timeout, from 0-3 retries, where 0 disables retries. The default is 3.
Proxy retry timeout Enter the retry timeout period of a proxy request, from 1-10 seconds. The default is 5.
Statistics update period Enter the time between statistics updates to the seconds debug log, from 1-3600 seconds (maximum of one hour). The default is 5.

Select OK to apply your changes.

Rule sets

A rule set can contain multiple rules. Each rule can do one of the following:

  • Add an attribute with a fixed value.
  • Add an attribute retrieved from a user’s record on an LDAP server.
  • Rename an attribute to make it acceptable to the accounting proxy destination.

FortiAuthenticator can store up to 25 rule sets. You can provide both a name and description to rule sets to help identify each rule set and their purpose.

Rules access RADIUS attributes of which there are both standard attributes and vendor-specific attributes (VSAs). To select a standard attribute, select the default vendor. See RADIUS attributes.

To view the accounting proxy rule set list, go to Fortinet SSO Methods > Accounting Proxy > Rule Sets.

To add RADIUS accounting proxy rule sets:
  1. From the rule set list, select Create New. The Create New Rule Set window opens.
  2. Enter the following information:
    NameEnter a name to use when selecting this rule set for an accounting proxy destination.
    DescriptionOptionally, enter a brief description of the rule’s purpose.
    RulesEnter one or more rules.
    Action

    The action for each rule can be either Add or Modify.

    • Add: Add either a static value or a value derived from an LDAP server.
    • Modify: Rename an attribute.
    AttributeSelect Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
    Attribute 2If Action is set to Modify, a second attribute may be selected. The first attribute is renamed to the second attribute.
    Value type

    If the action is set to Add, select a value type from the dropdown menu.

    • Static value: Adds the attribute in the Attribute field containing the static value in the Value field.
    • Group names: Adds attribute in the Attribute field containing "Group names" from the group membership of the Username Attribute on the remote LDAP server.
    ValueIf the action is set to Add and Value Type is set to Static value, enter the static value.
    Username attributeIf the action is set to Add, and Value Type is not set to Static value, specify an attribute that provides the user’s name, or select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
    Remote LDAPIf the attribute addition requires an LDAP server, select one from the dropdown menu. See LDAP for information on remote LDAP servers.
    DescriptionA brief description of the rule is provided.
    Add another RuleSelect to add another rule to the rule set.
  3. Select OK to create the new rule set.

Example rule set

The incoming accounting packets contain the following fields:

  • User-Name
  • NAS-IP-Address
  • Fortinet-Client-IP-Address

The outgoing accounting packets need to have these fields:

  • User-Name
  • NAS-IP-Address
  • Fortinet-Client-IP-Address
  • Session-Timeout: Value is always 3600
  • Fortinet-Group-Name: Value is obtained from user's group membership on remote LDAP

The rule set needs two rules to add Session-Timeout and Fortinet-Group-Name. The following image provides an example:

Sources

The RADIUS accounting proxy sources list can be viewed in Fortinet SSO Methods > Accounting Proxy > Sources. Sources can be added, edited, and deleted as needed. A maximum of 500 proxy sources can be configured.

To add a RADIUS accounting proxy source:
  1. From the source list, select Create New. The Create New RADIUS Accounting Proxy Source window opens.
  2. Enter the following information:
    NameEnter the name of the RADIUS server. This is used in FortiAuthenticator configurations.
    Source name/IPEnter the FQDN or IP address of the server.
    SecretEnter the pre-shared secret required to access the server.
    DescriptionOptionally, enter a description of the source.
  3. Select OK to add the RADIUS accounting proxy source.

Destinations

The destination of the RADIUS accounting records is the FortiGate unit that will use the records to identify users. When defining the destination, you also specify the source of the records (a RADIUS client already defined as a source) and the rule set to apply to the records.

To view the RADIUS accounting proxy destinations list, go to Fortinet SSO Methods > Accounting Proxy > Destinations. A maximum of 500 proxy destinations can be configured.

To add a RADIUS accounting proxy destinations:
  1. From the destinations list, select Create New. The Create New RADIUS Accounting Proxy Destination window opens.
  2. Enter the following information:
    NameEnter a name to identify the destination device in your configuration.
    Destination name/IPEnter The FQDN or IP address of the FortiGate that will receive the RADIUS accounting records.
    SecretEnter the pre-shared key of the destination.
    SourceSelect a RADIUS client defined as a source from the dropdown menu. See Sources.
    Rule set Select an appropriate rule set from the dropdown menu or select Create New to create a new rule set. See Rule sets.
  3. Select OK to add the RADIUS accounting proxy destination.