Handbook

6.0.0

SSO using RADIUS accounting records

A FortiGate unit can authenticate users transparently who have already authenticated on an external RADIUS server. Based on the user group to which the user belongs, the security policy applies the appropriate UTM profiles. RADIUS SSO (RSSO) is relatively simple because the FortiGate unit does not interact with the RADIUS server, it only monitors RADIUS accounting records that the server forwards (originating from the RADIUS client). These records include the user’s IP address and user group.

After the initial set-up, changes to the user database, including changes to user group memberships, are made on the external RADIUS server, not on the FortiGate unit.

This section describes:

  • User’s view of RADIUS SSO authentication
  • Configuration overview
  • Configuring the RADIUS server
  • IPv6 RADIUS support
  • Creating the FortiGate RADIUS SSO agent
  • Selecting which RADIUS attributes are used for RSSO
  • Override SSO attribute
  • Configuring logging for RSSO
  • Defining local user groups for RADIUS SSO
  • Creating security policies
  • Example - web filtering for student and teacher accounts

User’s view of RADIUS SSO authentication

For the user, RADIUS SSO authentication is simple:

  • The user connects to the RADIUS server and authenticates.
  • The user attempts to connect to a network resource that is reached through a FortiGate unit. Authentication is required for access, but the user connects to the destination without being asked for logon credentials because the FortiGate unit knows that the user is already authenticated. FortiOS applies UTM features appropriate to the user groups that the user belongs to.

Configuration overview

The general steps to implement RADIUS Single Sign-On are:

  1. If necessary, configure your RADIUS server. The user database needs to include user group information and the server needs to send accounting messages.
  2. Create the FortiGate RADIUS SSO agent.
  3. Define local user groups that map to RADIUS groups.
  4. Create a security policy which specifies the user groups that are permitted access.

Configuring the RADIUS server

You can configure FortiGate RSSO to work with most RADIUS-based accounting systems. In most cases, you only need to do the following to your RADIUS accounting system:

  • Add a user group name field to customer accounts on the RADIUS server so that the name is added to the RADIUS Start record sent by the accounting system to the FortiOS unit. User group names do not need to be added for all users, only to the accounts of users who will use the RSSO feature on the FortiGate unit.
  • Configure your accounting system to send RADIUS Start records to the FortiOS unit. You can send the RADIUS Start records to any FortiGate network interface. If your FortiGate unit is operating with virtual domains (VDOMs) enabled, the RADIUS Start records must be sent to a network interface in the management VDOM.

IPv6 RADIUS support

RADIUS authentication is supported over IPv6: administrators can configure an IPv6 RADIUS server on the FortiGate so that IPv6 RADIUS authentication traffic passes between the server and the FortiGate.

Note: While you can set the primary RADIUS server's IPv6 address, the source IP address for communications to the RADIUS server cannot be configured as IPv6.

Syntax

Allow IPv6 access on an interface:

config system interface
    edit <name>
        config ipv6
            set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}
            set ip6-address <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
        end
    next
end

Configure the IPv6 RADIUS server:

config user radius
    edit <name>
        set server <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>
        ...
    next
end

Creating the FortiGate RADIUS SSO agent

Once you define a RADIUS SSO (RSSO) agent, the FortiGate unit will accept user logon information from any RADIUS server that has the same shared secret. You can create only one RSSO agent in each VDOM.

Before you create the RSSO agent, you need to allow RADIUS accounting information on the interface that connects to the RADIUS server.

To enable RADIUS access on the interface - GUI:
  1. Go to Network > Interfaces and edit the interface to which the RADIUS server is connected.
  2. Select RADIUS Accounting.
  3. Select OK.
To enable RADIUS access on the interface - CLI:

In this example, the port2 interface is used.

config system interface
    edit port2
        set allowaccess radius-acct
end

To create a RADIUS SSO agent - GUI:
  1. Go to Security Fabric > Fabric Connectors and select Create New.
  2. Select RADIUS Single-Sign-On Agent.
  3. Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.
  4. Select Send RADIUS Responses.
  5. Select OK.
To create a RADIUS SSO agent - CLI:

config user radius
    edit RSSO_Agent
        set rsso enable
        set rsso-validate-request-secret enable
        set rsso-secret <your secret>
        set rsso-radius-response enable
end

Selecting which RADIUS attributes are used for RSSO

For RADIUS SSO to work, FortiOS needs to know the user’s endpoint identifier (usually IP address) and RADIUS user group. There are default RADIUS attributes where FortiOS expects this information, but you can change these attributes in the config user radius CLI command.

RSSO information and RADIUS attribute defaults

RSSO Information          RADIUS Attribute       CLI field
Endpoint user IP          Framed-IP-Address      rsso-endpoint-attribute
Endpoint identifier       Calling-Station-ID     rsso-endpoint-attribute
Endpoint block attribute  Called-Station-ID      rsso-endpoint-block-attribute
User group                Class                  sso-attribute
User Prefix               delegated-IPv6-prefix
User Prefix               framed-IPv6-prefix

The Endpoint block attribute can be used to block or allow a user. If the value of that attribute in the RADIUS record indicates block or allow, FortiOS blocks or allows, respectively, all traffic from that user’s IP address. The RSSO fields are visible only when rsso is set to enable.

The Prefix attributes allow for RSSO to provide a /56 prefix for DSL customers. All devices connected from the same location (/56 per subscriber) can be mapped to the same profile without the need to create multiple /64 or smaller entries.

Override SSO attribute

Prior to FortiOS 5.4, when receiving a new start message with a different group name for the same user, and a different IP address such as for a roaming mobile device, the original process was to override all group name information to the latest group name received from the latest start message.

You can disable this override when needed. The default behavior keeps the original design.

To enable or disable overriding SSO attribute - CLI:

config user radius
    edit <name>
        set rsso enable
        set sso-attribute-value-override {enable | disable}
    next
end

sso-attribute-value-override enables or disables overriding the old attribute value with the new value for the same endpoint.

Configuring logging for RSSO

In the config user radius CLI command, you can set the following flags in the rsso-log-flags field to determine which types of RSSO-related events are logged:

  • protocol-error — A RADIUS protocol error occurred.
  • profile-missing — FortiOS cannot find a user group name in a RADIUS start message that matches the name of an RSSO user group in FortiOS.
  • accounting-stop-missed — A user context entry expired without FortiOS receiving a RADIUS Stop message.
  • accounting-event — FortiOS did not find the expected information in a RADIUS record.
  • endpoint-block — FortiOS blocked a user because the RADIUS record’s endpoint block attribute had the value “Block”.
  • radiusd-other — Other events, described in the log message.
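As an added illustration (not Fortinet code), the following Python models what the RSSO agent does with one accounting record: it validates the Request Authenticator against the shared secret (rsso-validate-request-secret), reads Acct-Status-Type, Framed-IP-Address, Class and the Called-Station-Id block attribute that the defaults table above names, maintains the endpoint-to-group context table, returns the rsso-log-flags event that such a record would produce, and builds the Accounting-Response that rsso-radius-response sends. The packet encoder, attribute numbers and all sample values are constructed here from RFC 2865/2866 and are assumptions, not taken from the page.

```python
import hashlib
import struct

# RADIUS attribute numbers (RFC 2865/2866) that RSSO reads by default
ATTR_FRAMED_IP, ATTR_CLASS, ATTR_CALLED_STATION_ID, ATTR_ACCT_STATUS = 8, 25, 30, 40
ACCT_START, ACCT_STOP = 1, 2
CODE_ACCT_REQUEST, CODE_ACCT_RESPONSE = 4, 5

def build_acct_request(ident, attrs, secret):
    """Encode an Accounting-Request as a RADIUS client does (RFC 2866):
    Request Authenticator = MD5(Code+ID+Length + 16 zero bytes + attrs + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", CODE_ACCT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_attrs(body):
    """Split the attribute area into {type: value}; raise on a malformed TLV."""
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
        pos += body[pos + 1]
    return attrs

class RssoAgent:
    """Toy model of the FortiGate RSSO user-context table (constructed, not FortiOS
    code). local_groups maps a RADIUS Class value to the local RSSO group whose
    sso-attribute-value it is; override models sso-attribute-value-override."""
    def __init__(self, secret, local_groups, override=True):
        self.secret, self.local_groups, self.override = secret, local_groups, override
        self.contexts = {}    # endpoint IP -> local user group
        self.blocked = set()  # endpoint IPs whose block attribute said "Block"

    def handle(self, packet):
        """Process one datagram; return (rsso-log-flags event, Accounting-Response)."""
        if len(packet) < 20 or packet[0] != CODE_ACCT_REQUEST:
            return "protocol-error", None
        ident, length = packet[1], struct.unpack("!H", packet[2:4])[0]
        req_auth, body = packet[4:20], packet[20:]
        # rsso-validate-request-secret: a record whose authenticator does not verify
        # under the shared secret is dropped before it can touch any state
        expected = hashlib.md5(packet[:4] + bytes(16) + body + self.secret).digest()
        if length != len(packet) or expected != req_auth:
            return "protocol-error", None
        try:
            attrs = parse_attrs(body)
        except ValueError:
            return "protocol-error", None
        # rsso-radius-response enable: Accounting-Response with no attributes,
        # Response Authenticator = MD5(Code+ID+Length + RequestAuth + secret)
        head = struct.pack("!BBH", CODE_ACCT_RESPONSE, ident, 20)
        resp = head + hashlib.md5(head + req_auth + self.secret).digest()
        status, ip = attrs.get(ATTR_ACCT_STATUS, b""), attrs.get(ATTR_FRAMED_IP, b"")
        if len(status) != 4 or len(ip) != 4:
            return "accounting-event", resp   # expected information not in record
        status, ip = struct.unpack("!I", status)[0], ".".join(map(str, ip))
        if status == ACCT_STOP:               # a context that never sees its Stop
            self.contexts.pop(ip, None)       # ages out instead: accounting-stop-missed
            self.blocked.discard(ip)
            return "stop", resp
        if status != ACCT_START:
            return "accounting-event", resp
        if attrs.get(ATTR_CALLED_STATION_ID) == b"Block":
            self.blocked.add(ip)
            self.contexts.pop(ip, None)
            return "endpoint-block", resp
        local = self.local_groups.get(attrs.get(ATTR_CLASS, b"").decode("ascii", "replace"))
        if local is None:
            return "profile-missing", resp    # no RSSO group has this Class value
        if ip in self.contexts and not self.override:
            return "start-kept-old-group", resp
        self.contexts[ip] = local
        return "start", resp
```

Feed RssoAgent.handle() the raw UDP payload of each accounting record; a record built with a different secret is rejected before it can create or change any context, which is the property rsso-validate-request-secret gives you.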

Defining local user groups for RADIUS SSO

You cannot use RADIUS user groups directly in security policies. Instead, you create locally-defined user groups on the FortiGate unit and associate each of them with a RADIUS user group.

To define local user groups for RADIUS SSO:
  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the user group.
  3. In Type, select RADIUS Single Sign-On (RSSO).
  4. In RADIUS Attribute Value, enter the name of the RADIUS user group this local user group represents.
  5. Select OK.
To define local user groups for RADIUS SSO - CLI:

This example creates an RSSO user group called RSSO-1 that is associated with RADIUS user group “student”.

config user group
    edit RSSO-1
        set group-type rsso
        set sso-attribute-value student
end

Note: RSSO authentication might not work if the list of group memberships is longer than 360 bytes. Group names beyond this limit are ignored.

Creating security policies

RADIUS SSO uses regular identity-based security policies. The RSSO user group you specify determines which users are permitted to use the policy. You can create multiple policies if different user groups need different UTM features, permitted services, schedules, and so on.

To create a security policy for RSSO - GUI:
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Enter the following information:
     Incoming Interface   as needed
     Source Address       as needed
     Source User(s)       Select the user groups you created for RSSO. See Defining local user groups for RADIUS SSO.
     Outgoing Interface   as needed
     Destination Address  all
     Schedule             as needed
     Service              as needed
     Action               ACCEPT
     Enable NAT           Selected
     Security Profiles    Select security profiles appropriate for the user group.
  4. Select OK.

Note: To ensure an RSSO-related policy is matched first, the policy should be placed higher in the security policy list than more general policies for the same interfaces.

To create a security policy for RSSO - CLI:

In this example, an internal network to Internet policy enables web access for members of a student group and activates the appropriate UTM profiles.

config firewall policy
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr "all"
        set action accept
        set rsso enable
        set groups "RSSO-student"
        set schedule always
        set service HTTP HTTPS
        set nat enable
        set utm-status enable
        set av-profile students
        set webfilter-profile students
        set spamfilter-profile students
        set dlp-sensor default
        set ips-sensor default
        set application-list students
        set profile-protocol-options "default"
end

Example - web filtering for student and teacher accounts

The following example uses RADIUS SSO to apply web filtering to students, but not to teachers. Assume that the RADIUS server is already configured to send RADIUS Start and Stop records to the FortiGate unit. There are two RADIUS user groups, students and teachers, recorded in the default attribute Class. The workstations are connected to port1, port2 connects to the RADIUS server, and port3 connects to the Internet.

Configure the student web filter profile:
  1. Go to Security Profiles > Web Filter and select Create New (the “+” button).
  2. Enter the following and select OK:
     Name                   student
     Inspection Mode        Proxy
     FortiGuard Categories  Enable. Right-click the Potentially Liable category and select Block. Repeat for Adult/Mature Content and Security Risk.

Create the RADIUS SSO agent:
  1. Go to Security Fabric > Fabric Connectors and select Create New.
  2. Under SSO/Identity, select RADIUS Single Sign-On Agent.
  3. Enter a name for the RSSO Agent.
  4. Enable Use RADIUS Shared Secret and enter the RADIUS server's shared secret.
  5. Enable Send RADIUS Responses.
  6. Select OK.

Define local user groups associated with the RADIUS SSO user groups:
  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following and select OK:
     Name                    RSSO-students
     Type                    RADIUS Single Sign-On (RSSO)
     RADIUS Attribute Value  students
  3. Select Create New, enter the following and select OK:
     Name                    RSSO-teachers
     Type                    RADIUS Single Sign-On (RSSO)
     RADIUS Attribute Value  teachers

Create a security policy for students:
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter:
     Incoming Interface   port1
     Source Address       all
     Source User(s)       RSSO-students
     Source Device Type   All
     Outgoing Interface   port3
     Destination Address  all
     Schedule             always
     Service              HTTP, HTTPS
     Action               ACCEPT
     NAT                  ON
     Security Profiles    Enable AntiVirus, Web Filter, IPS. In Web Filter, select the student profile.
  3. Select OK.

Create a security policy for teachers:
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter:
     Incoming Interface   port2
     Source Address       all
     Source User(s)       RSSO-teachers
     Source Device Type   All
     Outgoing Interface   port3
     Destination Address  all
     Schedule             always
     Service              ALL
     Action               ACCEPT
     NAT                  ON
     Security Profiles    Enable AntiVirus and IPS.
  3. Select OK.
