Fortigate / Radius / FSSO / (NPS) / 802.11x / Wireless

Question

Hi.

I manage something like 10 sites that each have a fortigate fw, a dc that replicate with the rest of the sites, a wireless nettwork (cisco/aerohive/meru), an nps at each site.

The users are mainly tree groups

admin

teachers

students

Teachers are able to control the students internett by adding the users into groups in ad, by in that way the radius auth trig them into different Radius Single Sign on Groups, also the users is put in different vlans based on ad-groups.

Though there are issues with the setup.

- Even though the nps authenticate correct, the firewall doesn't always put the user in the correct group. Feels like package loss between the nps and the firewall or something in that manner.

- In the current setup when the teacher change the (ad) group of what the student is able to access, the student is not kicked out of the network so the student it self has to on/off wireless to thereby reach the correct state of connectivity.

The setup was mostly setup similar to this:

https://travelingpacket.com/2015/07/23/fortigate-radius-sso-with-ruckus-802-1x-logins-using-nps/

1: I wonder, is there a better way of doing this? (like fortiauthenticator or something else?)

2: Is there a way to kick out the user (or having the firewall to reread ad / access so the new access state is always correct)?

3: any tips of why the firewall doesn't always receive the radius account message (or tips on how to troubleshoot?)

Thanks!

xsilver_FTNT · Answer

Hi leif,

I'll try to provide my point of view. First note that once is the user authenticated then there is auth and data session on FortiGate (FGT) and so traffic allowed by some criteria and according to settings (routing, UTM profiles, group membership from time of authentication).

There is usually no group membership update. Not in RSSO ended on FGT as mentioned in the guide.

This guides me to your questions and bellow answers/ideas.

1. yes it could be better but might be also more complicated. I'd suggest to check FSSO. Especially standalone Collector Agent or Collector inside FortiAuthenticator (FAC). Those can terminate RSSO (read RADIUS Accountig Start/End) and gather user group membership. Both should be able to do periodical checks via LDAP and update group membership. Then update connected FGT units. This could be centralized, but pay attention to network distance and delays.

2. you can filter out user's authentication on FGT and remove it, forcing reconnect and re-authentication.

in CLI:

#1 filter out user

diag firewall auth filter <user|source> <input> ... to filter out users by name or source IP or other criteria

#2 check if you have caught just user you want, just filtered users will be listed

diag firewall auth user list

#3 remove the filtered ones

diag firewall auth clear

Alternatively group membership can be checked by Collector and updated, see 1.

3. tip on troubleshooting missing RADIUS is simple, catch the traffic first. It might appear that FGT is simply not getting packets at all. Simple network troubleshooting scenario as for any packets.

#sniff .. are there any packets coming when they should ?

diag sniff packet any 'port 1813' 4 0 a

# if so, do they contain required data, collect as bellow or from GUI and check in Wireshark (output need to be converted)

diag sniff packet any 'port 1813' 6 0 a

# no data -> check RADIUS if it sent those and where

# data but not getting into RSSO -> check content and group matching criteria on rsso type groups as user might be member of unused group only which will not make him record on FGT.

Those are some initial hints and steps I would try and following steps will depend on the results of those.

Best regards,

Tomas

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded