IPSec will be used for this use case, but the same can also be achieved with SSL VPN.

IPSec configuration, IKEv2 with peerid defined:

config vpn ipsec phase1-interface
    edit "FCT-VPN"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype one
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 10.191.35.53
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set authusrgrp "ipsec-vpn-admin"
        set peerid "dialup2"
        set ipv4-start-ip 192.168.10.1
        set ipv4-end-ip 192.168.10.10
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC e+mq0a1k17e+Aa
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "FCT-VPN-TEST"
        set phase1name "FCT-VPN"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 20
    next
end

RADIUS configuration (the accounting needs to be configured on the CLI):

config user radius
    edit "radius01"
        set server "10.191.35.53"
        set secret ENC 0ueCcsRMVRcfr5nElt
        set timeout 30
        set acct-interim-interval 600
        set auth-type ms_chap_v2
        config accounting-server
            edit 1
                set status enable
                set server "10.191.35.53"
                set secret ENC ILCYdcfrWy/Bd6e7xtrI
                set port 1813
            next
        end
    next
end

Group configuration:

config user group
    edit "ipsec-vpn-admin"
        set member "radius01"
    next
end

Now the configuration on the RADIUS Server (Windows NPS):

- Configuration of the RADIUS Client: Defining the RADIUS Client (FortiGate) and the shared secret.
- Configuration of the Remote RADIUS Server: Here, it should be configured with the details of the FSSO CA Server for Accounting.
- Configuration of the CRQ (connection request policy): Configuring the connection request policy to authenticate on this server and forward accounting to the FSSO CA server using the 'FSSO_CA' Remote RADIUS Server Group (created in the previous step).
- Configuration of the NP (network policies): Here, the users/groups that should be authenticated using EAP-MS-CHAPv2 are configured.
- Configuration of FSSO CA: On the FSSO CA server, RADIUS Accounting should be configured under Advanced Settings -> RADIUS Accounting, with the port and shared secret used on the NPS Server.
What happens behind the scenes when the authentication and accounting processes are initiated?

After the successful authorization and authentication (for that, check the RADIUS messages here: Technical Tip: Explanation of authentication methods of a radius server setting on a FortiGate), the FortiGate sends an Accounting-Request (Start) to the RADIUS Server (NPS), and the RADIUS Server proxies this Accounting-Request (Start) to the FSSO CA. The FSSO CA replies with an Accounting-Response to the RADIUS Server, and this reply goes back to the FortiGate. In a diagram, it should be something like this:

A capture on the RADIUS Server will show the Accounting Messages exchanged between the FortiGate and the RADIUS Server, and between the RADIUS Server and the FSSO CA.

- Accounting-Request (Start) between FortiGate and RADIUS Server.
 - Accounting-Request (Start) between RADIUS Server and FSSO CA.
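The two captures above show the same Accounting-Request (Start) on two hops, each protected by a different shared secret. The following added example (not from the original article or from Fortinet) reproduces that chain in pure Python using the RFC 2866 authenticator rules: the FortiGate signs the Start record with the FortiGate/NPS secret, NPS re-signs the same attributes with the NPS/FSSO CA secret, and each Accounting-Response (20 bytes, no attributes) is validated against the request it answers. The secrets, the session id and the NAS-IP-Address 10.191.35.40 are assumptions; the user and client address come from this page. It also shows what a secret mismatch looks like, since that is the usual reason a Start record never reaches the FSSO CA logon list.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used by Accounting (RFC 2865 / RFC 2866).
ACCT_REQUEST = 4
ACCT_RESPONSE = 5
USER_NAME = 1
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1


def encode_attr(atype, value):
    """Type-Length-Value; Length counts the 2-byte header (max 255)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_acct_request(ident, secret, attrs):
    """Accounting-Request. RFC 2866 s.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def verify_acct_request(packet, secret):
    """What the receiving server (NPS, or the FSSO CA) does before using the
    Start record: recompute the Request Authenticator with its own secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_acct_response(request, secret):
    """Accounting-Response with no attributes (20 bytes). Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    resp_auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + resp_auth


def verify_acct_response(request, response, secret):
    """Client-side check: the response must echo the request Identifier and
    carry an authenticator computed over the request's authenticator."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCT_RESPONSE or ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def simulate_accounting_chain(fgt_nps_secret=b"fgt-nps-secret", nps_ca_secret=b"nps-ca-secret"):
    """FortiGate -> NPS -> FSSO CA and the replies back. Secrets, session id and
    NAS-IP-Address are constructed for this example."""
    attrs = [
        encode_attr(USER_NAME, b"normal.user"),
        encode_attr(NAS_IP_ADDRESS, ipv4("10.191.35.40")),     # assumed FortiGate address
        encode_attr(FRAMED_IP_ADDRESS, ipv4("192.168.10.1")),  # VPN client address from the page
        encode_attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
        encode_attr(ACCT_SESSION_ID, b"constructed-session-0001"),
    ]
    # Hop 1: FortiGate -> NPS, Identifier 70 as in the fnbamd output, FortiGate/NPS secret.
    req_to_nps = build_acct_request(70, fgt_nps_secret, attrs)
    # Hop 2: NPS forwards the same attributes, re-signed with the NPS/FSSO CA secret.
    req_to_ca = build_acct_request(70, nps_ca_secret, attrs)
    # Replies travel back the same way, each validated against the request it answers.
    resp_from_ca = build_acct_response(req_to_ca, nps_ca_secret)
    resp_from_nps = build_acct_response(req_to_nps, fgt_nps_secret)
    return {
        "request_len": len(req_to_nps),
        "response_len": len(resp_from_nps),
        "nps_accepts": verify_acct_request(req_to_nps, fgt_nps_secret),
        "ca_accepts": verify_acct_request(req_to_ca, nps_ca_secret),
        "nps_trusts_ca_reply": verify_acct_response(req_to_ca, resp_from_ca, nps_ca_secret),
        "fgt_trusts_nps_reply": verify_acct_response(req_to_nps, resp_from_nps, fgt_nps_secret),
        # Wrong secret on the FSSO CA side: the Start record fails validation and is dropped.
        "ca_with_wrong_secret": verify_acct_request(req_to_ca, fgt_nps_secret),
    }


if __name__ == "__main__":
    for key, value in simulate_accounting_chain().items():
        print(f"{key}: {value}")
```

The example carries only five attributes, so its request is shorter than the 186-byte one the FortiGate sends in the debug output further down; the 20-byte response matches the "Recved 20 bytes" line there. Note that RADIUS accounting relies on MD5 plus a shared secret for integrity only; the attributes themselves travel in clear text, which is one reason to keep the NPS and FSSO CA on a trusted segment.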
Analyzing the fnbamd output, the Accounting-Request (Start) and Accounting-Response should look like this:

FGT # diagnose debug app fnbamd -1
FGT # diagnose debug enable
[1075] fnbamd_cfg_get_radius_acct_list-
[456] fnbamd_rad_get-vfid=0, name='radius01'
[1082] fnbamd_cfg_get_radius_acct_list-Loaded RADIUS server 'radius01'
[1091] fnbamd_cfg_get_radius_acct_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1172] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
[1107] __auth_ctx_svr_push-Added addr 10.191.35.53:1813 from rad 'radius01'
[930] __fnbamd_rad_get_next_addr-Next available address of rad 'radius01': 10.191.35.53:1813.
[1125] __auth_ctx_start-Connection starts radius01:10.191.35.53, addr 10.191.35.53:1813 proto: UDP
[280] __rad_udp_open-Opened radius socket 10, sa_family 2
[945] __rad_conn_start-Socket 10 is created for rad 'radius01'.
[807] __rad_add_job_timer-
[1447] create_acct_session-Acct type 6 session created, 0xf4f5b10
[828] __rad_rxtx-fd 10, state 4(Acct)    <---- Accounting Request.
[830] __rad_rxtx-Stop rad conn timer.
[837] __rad_rxtx-
[1041] fnbamd_rad_make_acct_request-
[989] __create_acct_request-Compose RADIUS request
[1028] __create_acct_request-Created RADIUS Acct-Request. Len: 186.
[1171] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 10.191.35.53:1813, source address is null, protocol number is 17, oif id is 0
[353] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[868] __rad_rxtx-Sent radius req to server 'radius01': fd=10, IP=10.191.35.53(10.191.35.53:1813) code=4 id=70 len=186
[877] __rad_rxtx-Start rad conn timer.
[828] __rad_rxtx-fd 10, state 4(Acct)
[830] __rad_rxtx-Stop rad conn timer.
[880] __rad_rxtx-
[431] __rad_udp_recv-Recved 20 bytes. Buf sz 8192
[1095] fnbamd_rad_validate_acct_pkt-RADIUS resp code 5    <---- Accounting Response.
[912] __rad_rxtx-
[2971] fnbamd_rad_acct_result-res 0, session 0xf4f5b10, id = 0
[2976] fnbamd_rad_acct_result-Acct session completed
[1347] fnbamd_rads_destroy-
[516] fnbamd_rad_auth_ctx_free-Freeing 'radius01' ctx
[1219] fnbamd_rad_auth_ctx_uninit-
[969] __rad_stop-
[306] __rad_udp_close-closed.
[964] __rad_conn_stop-Stop rad conn timer.
[784] __rad_del_job_timer-
[364] fnbamd_rad_free-Freeing radius01, ref:2
[41] __rad_server_free-Freeing 10.191.35.53, ref:2
[519] fnbamd_rad_auth_ctx_free-
[1350] fnbamd_rads_destroy-
[1354] destroy_acct_session-Acct session destroyed

After a successful authentication and accounting as user 'normal.user', the FSSO CA 'Logon users list' and the firewall auth list will display the information of the authenticated users.

FGT # diagnose firewall auth list
192.168.10.1, NORMAL.USER
        type: fsso, id: 0, duration: 30, idled: 10
        server: FSSO_CA
        packets: in 17 out 284, bytes: in 3124 out 22353
        group_id: 33554439 33554483 33554455
        group_name: CONTOSO/DOMAIN USERS CONTOSO/IPSEC-VPN-RESTRICT CONTOSO/USERS
----- 2 listed, 0 filtered ------

An example of accessing the web server (10.191.35.53, with FQDN intranet.contoso.com) with two different users from two different groups (from IPSec VPN) will be used for testing:

- Advanced user (advanced.user): User belonging to the 'IPSEC-VPN-ADMIN' group, who will access the web server through policy ID 2.
- Normal user (normal.user): User belonging to the 'IPSEC-VPN-RESTRICT' group, whose access to the web server will match policy ID 3 and be blocked by the Web Filter profile with a Web Filter message. This last step is optional; it could be a simple deny policy without using any UTM profile.
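Once FSSO identifies the VPN users, the traffic logs are where the policy outcome is confirmed. The following added example (not part of the original article) parses FortiGate key=value traffic log records and audits them against the expectations just stated: NORMAL.USER must hit policy ID 3 with a UTM block, ADVANCED.USER must be accepted by policy ID 2, and both must be identified by the 'FSSO_CA' auth server. The two sample records are constructed, trimmed-down versions of the log lines shown on this page; the field names are standard FortiGate traffic log fields.

```python
import re

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Turn one FortiGate log record into a dict; quotes are stripped."""
    record = {}
    for key, value in TOKEN.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        record[key] = value
    return record


# Constructed sample records, reduced from the traffic logs on this page.
SAMPLE_LOGS = [
    'date=2025-05-29 time=15:17:51 type="traffic" subtype="forward" vd="root" '
    'srcip=192.168.10.1 srcintf="FCT-VPN" dstip=10.191.35.53 dstport=80 action="close" '
    'policyid=3 policyname="To_Servers_block" user="NORMAL.USER" authserver="FSSO_CA" '
    'service="HTTP" vpntype="ipsecvpn" utmaction="block" countweb=1',
    'date=2025-05-29 time=15:26:49 type="traffic" subtype="forward" vd="root" '
    'srcip=192.168.10.1 srcintf="FCT-VPN" dstip=10.191.35.53 dstport=80 action="accept" '
    'policyid=2 policyname="To_Servers" user="ADVANCED.USER" group="CONTOSO/IPSEC-VPN-ADMIN" '
    'authserver="FSSO_CA" service="HTTP" vpntype="ipsecvpn"',
]

# Expected outcome per user, taken from the test plan above.
EXPECTED = {
    "NORMAL.USER": {"policyid": "3", "utmaction": "block"},
    "ADVANCED.USER": {"policyid": "2", "action": "accept"},
}


def audit_vpn_web_access(lines, expected, dstip="10.191.35.53", dstport="80",
                         authserver="FSSO_CA"):
    """Return (user, verdict, policyid) per traffic record toward the web server.
    Verdicts: 'ok', 'mismatch:<fields>', 'not-fsso-identified', 'unknown-user'."""
    findings = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "traffic":
            continue
        if rec.get("dstip") != dstip or rec.get("dstport") != dstport:
            continue
        user = rec.get("user")
        policy = rec.get("policyid")
        # A session without FSSO identity would match policies by address only.
        if rec.get("authserver") != authserver:
            findings.append((user, "not-fsso-identified", policy))
            continue
        want = expected.get(user)
        if want is None:
            findings.append((user, "unknown-user", policy))
            continue
        bad = [field for field, value in want.items() if rec.get(field) != value]
        verdict = "ok" if not bad else "mismatch:" + ",".join(bad)
        findings.append((user, verdict, policy))
    return findings


if __name__ == "__main__":
    for user, verdict, policy in audit_vpn_web_access(SAMPLE_LOGS, EXPECTED):
        print(f"{user:15} policy={policy} {verdict}")
```

The check is deliberately strict on 'authserver': if the Accounting-Request never reaches the FSSO CA (for example, because of a shared-secret mismatch), the user field is empty and the session falls through to whatever policy matches by address, which is exactly the failure this audit is meant to surface. Note that the blocked record on this page carries no 'group' field, so the audit keys on 'user' rather than 'group'.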
After trying to reach intranet.contoso.com with user 'normal.user' (and, for comparison, with 'advanced.user'), this is the output:

date=2025-05-29 time=15:17:51 eventtime=1748528271058134316 tz="+0100" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.10.1 srcport=61571 srcintf="FCT-VPN" srcintfrole="undefined" dstip=10.191.35.53 dstport=80 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=55573 proto=6 action="close" policyid=3 policytype="policy" poluuid="5ff5b85c-3bb8-51f0-af81-64a0ccf80d79" policyname="To_Servers_block" user="NORMAL.USER" authserver="FSSO_CA" dstuser="ADMINISTRATOR" service="HTTP" trandisp="snat" transip=10.191.35.40 transport=61571 appcat="unscanned" duration=40 sentbyte=572 rcvdbyte=36642 sentpkt=14 rcvdpkt=30 vpntype="ipsecvpn" utmaction="block" countweb=1 utmref=65528-14

date=2025-05-29 time=15:26:49 eventtime=1748528808853897976 tz="+0100" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.10.1 srcport=54542 srcintf="FCT-VPN" srcintfrole="undefined" dstip=10.191.35.53 dstport=80 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=56516 proto=6 action="accept" policyid=2 policytype="policy" poluuid="c6b1a8ea-3bb7-51f0-94f6-241965f45166" policyname="To_Servers" user="ADVANCED.USER" group="CONTOSO/IPSEC-VPN-ADMIN" authserver="FSSO_CA" dstuser="ADMINISTRATOR" service="HTTP" trandisp="snat" transip=10.191.35.40 transport=54542 appcat="unscanned" duration=125 sentbyte=1181 rcvdbyte=4187 sentpkt=8 rcvdpkt=8 vpntype="ipsecvpn" sentdelta=1181 rcvddelta=4187 durationdelta=125 sentpktdelta=8 rcvdpktdelta=8

Related articles:

- Technical Tip: Explanation of authentication methods of a radius server setting on a FortiGate
- Technical Tip: Configuring a Radius server