Technical Tip: Radius Single Sign-On (RSSO)
- March 21, 2021
Description
This article describes how, when a user is connected to the LAN and successfully authenticated by Active Directory, the domain controller's security event log can be polled for logon events and that information sent to FortiGate, which records the IP address, username, and group associated with the event. Users may have a static IP or may receive their address from a DHCP server.
On a laptop, for example, the authentication request is most of the time made over the Ethernet interface (the default setting).
When the user is disconnected from a wired connection, FortiGate does not know the IP address of the wireless interface on this laptop, and now the user is no longer authenticated to the firewall.
The user may have to sign out and sign back in so that a new authentication request is made from the wireless IP. This is where RSSO comes into the picture: RSSO uses the wireless (802.1X) authentication handled by the RADIUS server, and authenticates the user on FortiGate through the RADIUS accounting messages for that session.
This is discussed in more detail below.
Typically, RSSO is a solution when a third-party AP is used, but that does not restrict the administrator from using this solution with FortiAP.
Scope
FortiGate.
Solution
The authentication flow and setup are described in the attached document.
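To illustrate the RADIUS accounting mechanism described above, here is an added example (not from this article or from Fortinet) of what an RSSO listener does with an Accounting-Request: it first checks the Request Authenticator against the shared secret, and only then extracts the user, IP and group that would become the firewall's user-to-IP mapping. It assumes the standard User-Name, Framed-IP-Address and Class attributes carry the user, endpoint IP and group; the packet, secret and user values are constructed for the demonstration.

```python
import hashlib
import struct
from ipaddress import IPv4Address

ACCT_REQUEST = 4                      # RADIUS code for Accounting-Request
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS = 1, 8, 25, 40   # standard attribute types
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_acct_request(secret, ident, attrs):
    """Build an Accounting-Request the way the RADIUS server would send it (constructed sample)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + shared secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_acct_request(packet, secret):
    """Check the Request Authenticator against the shared secret, then extract the
    user / IP / group fields an RSSO agent records. Returns None if the packet is not an
    Accounting-Request, is malformed, or was not produced with the expected secret."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        return None  # wrong secret or tampered packet: do not create a user mapping
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    if ACCT_STATUS not in attrs or len(attrs[ACCT_STATUS]) != 4:
        return None
    return {
        "status": STATUS.get(struct.unpack("!I", attrs[ACCT_STATUS])[0], "Unknown"),
        "user": attrs.get(USER_NAME, b"").decode(errors="replace"),
        "ip": str(IPv4Address(attrs[FRAMED_IP])) if FRAMED_IP in attrs else None,
        "group": attrs.get(CLASS, b"").decode(errors="replace"),
    }

# Constructed sample: a wireless logon for user "jdoe" reported by the RADIUS server.
SECRET = b"constructed-shared-secret"
SAMPLE = build_acct_request(SECRET, 7, [
    (ACCT_STATUS, struct.pack("!I", 1)), (USER_NAME, b"jdoe"),
    (FRAMED_IP, IPv4Address("10.20.30.40").packed), (CLASS, b"Wireless-Users")])
```

An Accounting-Stop for the same session would carry status "Stop" and is what lets the firewall remove the mapping when the user disconnects.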
