2.0.2

SSO using RADIUS accounting records

A FortiProxy unit can transparently authenticate users who have already authenticated on an external RADIUS server. Based on the user group to which the user belongs, the security policy applies the appropriate profiles. RADIUS SSO (RSSO) is relatively simple because the FortiProxy unit does not interact with the RADIUS server; it only monitors the RADIUS accounting records that the server forwards (originating from the RADIUS client). These records include the user’s IP address and user group.

After the initial setup, changes to the user database, including changes to user group memberships, are made on the external RADIUS server, not on the FortiProxy unit.

The following are the general steps to implement RADIUS Single Sign-On:

  1. If necessary, configure your RADIUS server. The user database needs to include user group information and the server needs to send accounting messages.
  2. Create the FortiProxy RADIUS SSO agent.
  3. Define local user groups that map to RADIUS groups.
  4. Create an authentication scheme.
  5. Create an authentication rule.
  6. Create a security policy that specifies the user groups that are permitted access.

Step 1: Configure your RADIUS server

You need to allow RADIUS accounting traffic (radius-acct) on the interface that connects to the RADIUS server; otherwise the unit drops the accounting messages it is supposed to monitor.

config system interface
    edit port1
        set allowaccess ping https ssh snmp http telnet radius-acct
end

Step 2: Create the FortiProxy RADIUS SSO agent

After you define a RADIUS SSO (RSSO) agent, the FortiProxy unit will accept user logon information from any RADIUS server that has the same shared secret.

For RADIUS SSO to work, the FortiProxy unit needs to know the user’s endpoint identifier (usually IP address) and RADIUS user group. There are default RADIUS attributes where the FortiProxy unit expects this information, but you can change these attributes in the config user radius CLI command.

The endpoint block attribute (rsso-endpoint-block-attribute) can be used to block or allow a user: when the RADIUS record carries this attribute with the value “Block”, the user is blocked. The example agent configuration below leaves it unset.

You can set the following flags in the rsso-log-flags field to determine which types of RSSO-related events are logged:

  • protocol-error—A RADIUS protocol error occurred.
  • profile-missing—The FortiProxy unit cannot find a user group name in a RADIUS start message that matches the name of an RSSO user group in the FortiProxy unit.
  • accounting-stop-missed—A user context entry expired without the FortiProxy unit receiving a RADIUS Stop message.
  • accounting-event—The FortiProxy unit did not find the expected information in a RADIUS record.
  • endpoint-block—The FortiProxy unit blocked a user because the RADIUS record’s endpoint block attribute had the value “Block”.
  • radiusd-other—Other events, described in the log message.

config user radius
    edit "rsso_agent"
        set timeout 5
        set radius-coa disable
        set h3c-compatibility disable
        set username-case-sensitive disable
        set password-renewal disable
        set password-encoding auto
        set rsso enable
        set rsso-radius-server-port 1813
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret ENC hmIbfaxpWNCebo/+Fk1cOswB1LHNQqQONJNHlDbZIdQ9PaPOo/NvhNyYz/GjKMtAx9USsiznqj32tiHTrma2+NhiOQw1swfT0K/iROrpdu6QFXIXUpkMmbBR7tHZmtkOAexSXptI2nZtnhL2kZ1isRMmIsol3GNLLiuz2cn1JhQ7uT9EkipKyjHZdDvn56YJcIe4+Q==
        set rsso-endpoint-attribute Calling-Station-Id
        unset rsso-endpoint-block-attribute
        set sso-attribute Class
        set sso-attribute-key ''
        set sso-attribute-value-override enable
        set rsso-context-timeout 28800
        set rsso-log-period 0
        set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
        set rsso-flush-ip-session disable
        set rsso-ep-one-ip-only disable
    next
end

Step 3: Define local user groups that map to RADIUS groups

You cannot use RADIUS user groups directly in security policies. Instead, you create locally defined user groups on the FortiProxy unit and associate each of them with a RADIUS user group.

This example creates an RSSO user group called RSSO-1 that is associated with RADIUS user group student.

config user group
    edit RSSO-1
        set group-type rsso
        set sso-attribute-value student
end
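To make concrete what steps 2 and 3 set up, the following is an added example (not Fortinet code and not how FortiProxy is implemented) that models the RSSO agent’s side of the RADIUS accounting exchange in Python. It builds Accounting-Request packets the way a RADIUS client would (RFC 2866 framing, Request Authenticator over the shared secret), verifies them the way rsso-validate-request-secret is assumed to, answers with an Accounting-Response as rsso-radius-response would, and keeps the endpoint-to-group table that an identity-based policy consults. The endpoint attribute is Calling-Station-Id, the group attribute is Class and the RADIUS value student maps to the local group RSSO-1, mirroring the configuration above; the RssoAgent class, its method names, the log event names and all packet contents are constructed for this example.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types (RFC 2865/2866), Acct-Status-Type values and packet codes.
USER_NAME, CLASS, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 25, 31, 40
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs; ints become 4-byte integers."""
    out = b""
    for attr_type, value in attrs:
        value = struct.pack("!I", value) if isinstance(value, int) else value
        out += bytes([attr_type, len(value) + 2]) + value
    return out

def parse_attrs(data):
    """Parse RADIUS TLVs into a {type: raw value} dict; None if any length is bad."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            return None
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_accounting_request(identifier, attrs, secret):
    """NAS side: Request Authenticator = MD5(code|id|len|16 zero bytes|attrs|secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body

def verify_accounting_request(packet, secret):
    """Attribute dict, or None if code, length, authenticator or TLVs are bad (assumed to be the rsso-validate-request-secret check)."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return parse_attrs(packet[20:])

def build_accounting_response(request, secret):
    """Agent side ('rsso-radius-response'): MD5(code|id|len|request auth|secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

class RssoAgent:
    def __init__(self, secret, group_map, endpoint_attr=CALLING_STATION_ID,
                 sso_attr=CLASS, context_timeout=28800):
        self.secret, self.group_map = secret, group_map  # RADIUS group value -> local group name
        self.endpoint_attr, self.sso_attr = endpoint_attr, sso_attr  # rsso-endpoint-attribute, sso-attribute
        self.context_timeout = context_timeout  # rsso-context-timeout, in seconds
        self.contexts = {}  # endpoint -> (user name, local group, expiry time)
        self.log = []       # event names matching the rsso-log-flags values

    def handle(self, packet, now):
        """Process one Accounting-Request; return the Accounting-Response or None."""
        attrs = verify_accounting_request(packet, self.secret)
        if attrs is None:
            self.log.append("protocol-error")
            return None  # wrong secret or malformed: dropped without a response
        endpoint, status = attrs.get(self.endpoint_attr), attrs.get(ACCT_STATUS_TYPE)
        if endpoint is None or status is None or len(status) != 4:
            self.log.append("accounting-event")  # record lacks the expected fields
            return build_accounting_response(packet, self.secret)
        endpoint, status = endpoint.decode(), struct.unpack("!I", status)[0]
        if status == ACCT_STOP:
            self.contexts.pop(endpoint, None)
        elif status in (ACCT_START, ACCT_INTERIM_UPDATE):
            local_group = self.group_map.get(attrs.get(self.sso_attr, b"").decode())
            if local_group is None:
                self.log.append("profile-missing")  # no matching 'config user group'
            else:
                user = attrs.get(USER_NAME, b"").decode()
                self.contexts[endpoint] = (user, local_group, now + self.context_timeout)
        return build_accounting_response(packet, self.secret)

    def group_for(self, endpoint, now):
        """Policy lookup: local group of a logged-on endpoint, or None."""
        entry = self.contexts.get(endpoint)
        if entry is None:
            return None
        if now >= entry[2]:  # context expired without a RADIUS Stop
            self.contexts.pop(endpoint)
            self.log.append("accounting-stop-missed")
            return None
        return entry[1]

def demo():
    """Constructed exchange: Start for a student, a bad-secret request, then Stop."""
    secret = b"constructed-shared-secret"  # stands in for the page's rsso-secret
    agent = RssoAgent(secret, {"student": "RSSO-1"})  # mirrors 'config user group RSSO-1'
    start = build_accounting_request(7, [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"10.0.0.5"),
                                         (CLASS, b"student"), (ACCT_STATUS_TYPE, ACCT_START)], secret)
    agent.handle(start, now=0)
    during = agent.group_for("10.0.0.5", now=10)
    bad = build_accounting_request(8, [(CALLING_STATION_ID, b"10.0.0.9"), (CLASS, b"student"),
                                       (ACCT_STATUS_TYPE, ACCT_START)], b"wrong-secret")
    rejected = agent.handle(bad, now=11) is None
    agent.handle(build_accounting_request(9, [(CALLING_STATION_ID, b"10.0.0.5"), (ACCT_STATUS_TYPE, ACCT_STOP)], secret), now=20)
    return during, rejected, agent.group_for("10.0.0.5", now=21), list(agent.log)
```

Running demo() yields ('RSSO-1', True, None, ['protocol-error']): the Start record creates a context that maps 10.0.0.5 to RSSO-1, the request signed with the wrong shared secret is dropped and logged as a protocol error rather than answered, and the Stop record removes the context. The model also shows why rsso-context-timeout and the accounting-stop-missed flag matter: a context whose Stop never arrives is only cleared once the timeout elapses, so a user whose RADIUS client crashed keeps the group membership (and the policy access that comes with it) until then.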

Step 4: Create an authentication scheme

config authentication scheme
    edit "rsso"
        set method rsso
    next
end

Step 5: Create an authentication rule

config authentication rule
    edit rsso_r1
        set srcintf port1
        set srcaddr all
        set dstaddr all
        set sso-auth-method rsso
end

Step 6: Create a security policy

RADIUS SSO uses regular identity-based security policies. The RSSO user group you specify determines which users are permitted to use the policy. You can create multiple policies if different user groups need different UTM features, permitted services, schedules, and so on.

config firewall policy
    edit 3
        set type explicit-web
        set explicit-web-proxy "web-proxy"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set groups "RSSO-1"
        set utm-status enable
    next
end
