7.4.0

SSO using RADIUS accounting records

A FortiProxy unit can transparently authenticate users who have already authenticated on an external RADIUS server. Based on the user group to which the user belongs, the security policy applies the appropriate profiles. RADIUS SSO (RSSO) is relatively simple because the FortiProxy unit does not interact with the RADIUS server; it only monitors the RADIUS accounting records that the server forwards (originating from the RADIUS client). These records include the user's IP address and user group.

After the initial setup, changes to the user database, including changes to user group memberships, are made on the external RADIUS server, not on the FortiProxy unit.

The following are the general steps to implement RADIUS Single Sign-On:

  1. If necessary, configure your RADIUS server. The user database needs to include user group information and the server needs to send accounting messages.
  2. Create the FortiProxy RADIUS SSO agent.
  3. Define local user groups that map to RADIUS groups.
  4. Create an authentication scheme.
  5. Create an authentication rule.
  6. Create a security policy that specifies the user groups that are permitted access.

Step 1: Configure your RADIUS server

You need to allow RADIUS accounting information on the interface that connects to the RADIUS server.

config system interface
    edit port1
        set allowaccess ping https ssh snmp http telnet radius-acct
    next
end

Step 2: Create the FortiProxy RADIUS SSO agent

After you define a RADIUS SSO (RSSO) agent, the FortiProxy unit will accept user logon information from any RADIUS server that has the same shared secret.

For RADIUS SSO to work, the FortiProxy unit needs to know the user’s endpoint identifier (usually IP address) and RADIUS user group. There are default RADIUS attributes where the FortiProxy unit expects this information, but you can change these attributes in the config user radius CLI command.

config user radius
    edit "rad"
        set server "172.18.20.187"
        set secret ENC n0xEdFWDZ9MnduCrhRwi25bac5HieCmULoOKWWVEtk/ChCXleCD7764KZF+hOW/HRsS9p3Pzy+fBaZkSYrGd6iYpqzncOvqGurIE3kPrjG2CHMZW/D+Pqb3fUUm3OKpugGSQ92RSq86Lf9P2BnSJparQ1k+qcL/TYxcYz+HLKCZUh0u1u9d8AB13IeXNS5JUwBEsMA==
        set timeout 5
        set all-usergroup enable
        set use-management-vdom disable
        set nas-ip 0.0.0.0
        set acct-interim-interval 0
        set radius-coa disable
        set radius-port 0
        set h3c-compatibility disable
        set auth-type auto
        set source-ip ''
        set username-case-sensitive disable
        unset group-override-attr-type
        set password-renewal enable
        set password-encoding auto
        set acct-all-servers disable
        set switch-controller-acct-fast-framedip-detect 2
        set interface-select-method auto
        unset switch-controller-service-type
        set rsso enable
        set secondary-server ''
        set secondary-secret ENC cGMWRpvIAQ3+HTaZxiKecx9Sw0XCK9HUQHbO4tWorl9E2078+uAAxXnNnpbdLpe2kRE4F+NcpU0PSfAUhRmpTX0R1gDF20Wx0MabaCAh7qbpXM7F1OSuGA+5aO+Kh0+vHRoyL7DWxPjKEeRiOvkxb9rKhriXCPeSlhvILvNTsl2ixSmDXuVbRCysjmX6HNgk8XjENQ==
        set tertiary-server ''
        set tertiary-secret ENC uhjWSJ5QU2u5kmSEc0GY7MDA2JXeT1LSTsDg6DkLXjmqJxgdOA3rauvnIab+nttEzvYtSZHTMWisCUssKQeY6WJWQZzklA2sa5+FEVh02ba40SAN71zz9ZKQFy/GU4xa5KTyQ5l3JOhZwaB2u9Vu/O/n+dRcTQ2GILfH1Y0fRmM+Qy02ahFTx5Dm4yEdiiM9JZ4tDw==
    next
end

Step 3: Define local user groups that map to RADIUS groups

You cannot use RADIUS user groups directly in security policies. Instead, you create locally defined user groups on the FortiProxy unit and associate each of them with a RADIUS user group.

This example creates an RSSO user group called RSSO-1 that is associated with RADIUS user group student.

config user group
    edit RSSO-1
        set group-type rsso
        set sso-attribute-value student
    next
end
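To make concrete what the RSSO agent described in Steps 2 and 3 actually does with an accounting record, here is an added Python example; it is not part of the Fortinet documentation and is not FortiProxy code. It builds a RADIUS Accounting-Request as defined in RFC 2866, verifies the Request Authenticator against a shared secret (which is why only a server with the same secret is accepted), extracts the user name, endpoint IP address and group from the attributes, and maps the RADIUS group to a local RSSO group the way the sso-attribute-value setting in Step 3 does. The shared secret, user names and IP addresses are constructed for the example. Using Framed-IP-Address (attribute 8) for the endpoint and Class (attribute 25) for the group is an assumption made here for illustration; this page does not state which attributes FortiProxy uses by default.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types used by accounting (RFC 2865/2866).
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8   # assumed endpoint identifier for this example
ATTR_CLASS = 25              # assumed group attribute for this example
ATTR_ACCT_STATUS_TYPE = 40
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3

# Constructed secret for this example; the page stores its real secret encrypted (ENC ...).
SHARED_SECRET = b"example-shared-secret"

# Mirrors Step 3: local RSSO group name -> RADIUS group value carried in the Class attribute.
LOCAL_GROUPS = {"RSSO-1": "student"}


def build_accounting_request(identifier, attrs, secret):
    """Build an Accounting-Request. RFC 2866 section 3 defines the Request Authenticator as
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Shared Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Verify the authenticator and return {attribute_type: raw_value}.
    Returns None if the packet is not a well-formed Accounting-Request for this secret."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    authenticator, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        return None  # wrong shared secret or altered packet: do not trust the record
    attrs, pos = {}, 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            return None  # malformed attribute length
        attrs[attr_type] = body[pos + 2 : pos + attr_len]
        pos += attr_len
    return attrs


class RssoTable:
    """Endpoint-to-user mapping that an RSSO agent keeps from Start/Stop records."""

    def __init__(self, secret, local_groups):
        self.secret = secret
        self.local_groups = local_groups
        self.sessions = {}  # ip -> (user name, RADIUS group)

    def process(self, packet):
        attrs = parse_accounting_request(packet, self.secret)
        if attrs is None:
            return "rejected"
        status_raw = attrs.get(ATTR_ACCT_STATUS_TYPE, b"")
        ip_raw = attrs.get(ATTR_FRAMED_IP_ADDRESS, b"")
        if len(status_raw) != 4 or len(ip_raw) != 4:
            return "ignored"  # without a status and an endpoint there is nothing to map
        status = struct.unpack("!I", status_raw)[0]
        ip = ".".join(str(octet) for octet in ip_raw)
        if status in (STATUS_START, STATUS_INTERIM):
            user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
            group = attrs.get(ATTR_CLASS, b"").decode("utf-8", "replace")
            self.sessions[ip] = (user, group)
            return "logon"
        if status == STATUS_STOP:
            self.sessions.pop(ip, None)
            return "logoff"
        return "ignored"

    def local_groups_for(self, ip):
        """Local RSSO groups (and so the policies that reference them) matching this source IP."""
        if ip not in self.sessions:
            return []
        _user, radius_group = self.sessions[ip]
        return [name for name, value in self.local_groups.items() if value == radius_group]


def demo():
    """Start record accepted, same record under another secret rejected, Stop record clears the entry."""
    table = RssoTable(SHARED_SECRET, LOCAL_GROUPS)
    session_attrs = [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_FRAMED_IP_ADDRESS, bytes([10, 0, 0, 23])),
        (ATTR_CLASS, b"student"),
    ]
    start = build_accounting_request(
        1, session_attrs + [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", STATUS_START))], SHARED_SECRET)
    results = [table.process(start), table.local_groups_for("10.0.0.23")]
    forged = build_accounting_request(
        2, session_attrs + [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", STATUS_START))], b"other-secret")
    results.append(table.process(forged))
    stop = build_accounting_request(
        3, session_attrs + [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", STATUS_STOP))], SHARED_SECRET)
    results.append(table.process(stop))
    results.append(table.local_groups_for("10.0.0.23"))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the rejected case is the one the Step 2 text makes: the accounting record carries no proof of who sent it beyond the authenticator, so the shared secret is the only thing standing between a stray RADIUS client and a logon entry in the table. Rotating that secret, and restricting radius-acct on the interface from Step 1 to the expected server, are the controls that matter.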

Step 4: Create an authentication scheme

config authentication scheme
    edit "rsso"
        set method rsso
    next
end

Step 5: Create an authentication rule

config authentication rule
    edit rsso_r1
        set srcintf port1
        set srcaddr all
        set dstaddr all
        set sso-auth-method rsso
    next
end

Step 6: Create a security policy

RADIUS SSO uses regular identity-based security policies. The RSSO user group you specify determines which users are permitted to use the policy. You can create multiple policies if different user groups need different UTM features, permitted services, schedules, and so on.

config firewall policy
    edit 3
        set type explicit-web
        set explicit-web-proxy "web-proxy"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set groups "RSSO-1"
        set utm-status enable
    next
end
