eby
New Member
March 2, 2016
Question

FSSO cannot read Windows NPS user logins

I have FSSO Agent-based authentication for internet access, and this works for wired Windows users. I've set up the wireless controller to use RADIUS for AAA. Clients that are getting authenticated through Windows NPS are unable to browse the internet, as the FSSO Agent is not reading the NPS user logins and is thus unable to.

How do I get the FortiGate agent to read NPS information and pass it to the FortiGate? I don't want to create a new "User Group" for NPS, but must retain whatever group is already assigned in AD. Is this even possible?

1 reply

Fishbone_FTNT
Staff
March 2, 2016

Hi eby,

I don't know your design in detail, but it doesn't seem to me that NPS will trigger the authentication events you need to have an FSSO logon.

In your case you can however utilize RSSO, an SSO method based on RADIUS Accounting. RADIUS Accounting can be sent either to the FSSO CA (versions >=200) or to any FortiGate running FortiOS 5.0 and later. If you choose to go the RSSO way, please check that the RADIUS Accounting packets contain all the necessary information, which is mainly the username and IP address (usually the User-Name and Framed-IP-Address attributes). Without them RSSO won't work.


Cheers,

 Fishbone )(
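The check Fishbone describes (does the NAS actually send User-Name and Framed-IP-Address in its accounting packets?) is easy to automate against a packet capture. The script below is an added example and is not code from the post, from Fortinet or from NPS: it builds an RFC 2866 Accounting-Request the way a wireless controller would, parses it, validates the Request Authenticator against the shared secret, and reports whether the packet carries everything an RSSO logon needs (Acct-Status-Type Start plus the two attributes). The shared secret, user name and IP address are constructed for the example; `check_rsso_logon` and the other function names are this example's own, not a FortiOS or FSSO API.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS code and attribute numbers from RFC 2865 / RFC 2866.
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_START = 1


def _encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; the length octet covers the 2-byte header."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def build_accounting_request(secret: bytes, identifier: int, attrs) -> bytes:
    """Accounting-Request whose Request Authenticator is, per RFC 2866 section 3,
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = _encode_attributes(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_radius(packet: bytes) -> dict:
    """Parse the header and attribute TLVs, rejecting bad lengths instead of guessing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("invalid Length field")
    attrs, pos = [], 20
    while pos < length:
        attr_len = packet[pos + 1] if length - pos >= 2 else 0
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute header truncated or length runs past packet")
        attrs.append((packet[pos], packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": packet[4:20], "attributes": attrs}


def verify_accounting_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only for an Accounting-Request whose authenticator matches the shared secret."""
    msg = parse_radius(packet)
    if msg["code"] != ACCOUNTING_REQUEST:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:msg["length"]] + secret).digest()
    return hmac.compare_digest(expected, msg["authenticator"])


def check_rsso_logon(packet: bytes, secret: bytes) -> dict:
    """Could this packet create an RSSO logon? It needs a valid authenticator,
    Acct-Status-Type = Start, and both User-Name and Framed-IP-Address."""
    result = {"ok": False, "user": None, "ip": None, "problems": []}
    try:
        if not verify_accounting_authenticator(packet, secret):
            result["problems"].append("not an Accounting-Request or authenticator mismatch (shared secret?)")
            return result
        first = {}
        for attr_type, value in parse_radius(packet)["attributes"]:
            first.setdefault(attr_type, value)  # keep the first instance of a repeated attribute
    except ValueError as exc:
        result["problems"].append(f"malformed packet: {exc}")
        return result
    if ATTR_USER_NAME in first:
        result["user"] = first[ATTR_USER_NAME].decode("utf-8", "replace")
    else:
        result["problems"].append("missing User-Name")
    ip_raw = first.get(ATTR_FRAMED_IP_ADDRESS)
    if ip_raw is not None and len(ip_raw) == 4:
        result["ip"] = str(ipaddress.IPv4Address(ip_raw))
    else:
        result["problems"].append("missing or malformed Framed-IP-Address")
    status_raw = first.get(ATTR_ACCT_STATUS_TYPE)
    if status_raw is None or len(status_raw) != 4:
        result["problems"].append("missing Acct-Status-Type")
    elif struct.unpack("!I", status_raw)[0] != ACCT_STATUS_START:
        result["problems"].append("Acct-Status-Type is not Start, so no logon is created")
    result["ok"] = not result["problems"]
    return result


# Constructed samples: the secret, user name and IP address are made up for this example.
SECRET = b"assumed-shared-secret"
GOOD_PACKET = build_accounting_request(SECRET, 7, [
    (ATTR_USER_NAME, b"CORP\\eby"),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
])
# Same logon, but the NAS omitted Framed-IP-Address: RSSO has no IP to map the user to.
NO_IP_PACKET = build_accounting_request(SECRET, 8, [
    (ATTR_USER_NAME, b"CORP\\eby"),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
])
```

To use it on real traffic, feed `check_rsso_logon` the UDP payload of each packet captured on the accounting port (normally 1813) together with the secret configured on both the NAS and the RSSO agent; an authenticator mismatch usually means a shared-secret mismatch, and a packet that passes the authenticator check but lists "missing or malformed Framed-IP-Address" means the controller must be reconfigured to include the client IP in its accounting messages before RSSO can work.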

eby
Author
New Member
March 3, 2016

Hi Fishbone,

My design is simple. All Windows systems use AD and the FSSO Agent for internet access. Linux systems are joined to AD, but have static IP-based firewall rules for internet; I couldn't get FSSO to read the login status for Linux systems. Now that we're enabling enterprise WLAN, I want all systems to use RADIUS authentication for wireless network access. All mobile device users should use their domain credentials to gain wireless access, and internet access should be based on their existing group mappings (some users can only browse, but are not permitted to ping!!!). My understanding is that if we use RSSO, the FortiGate interface will be overloaded with all that RADIUS accounting traffic even though the user doesn't have internet permission. Is there a better way to achieve the result without overloading the FortiGate?

Thanks,

eby

Bromont_FTNT
Staff
March 3, 2016

You could try machine authentication, which will get every domain member PC connected to the network via wireless when it boots up.... then internet access will be granted based on FSSO when each user logs in.