FSSO - Wifi - Radius/NPS Groups Confusion
Hi guys
I have x2 FSSO collector agents installed on 2 DCs (for redundancy) that monitor 5 DCs via DC Agent. This works well and LAN users show up on the Fortigate nicely.
To get Wifi devices/users identified on the Fortigate and usernames associated with devices, I have done the following:
1. On my Unifi AP I have pointed Radius Accounting directly to the firewall with a new psk.
2. On the Fortigate I have set up an RSSO Agent in Single Sign-on. I have added the same psk to this.
3. I set rsso-endpoint-attribute User-Name on the Fortigate.
This works nicely as well. My question is: how do I get groups working with this? For example, I have multiple AD groups for web filtering. Examples are: proxy_allowall, proxy_allow media, proxy_standard etc. A user can only be a member of 1 group. I want to be able to use these groups to match against web filtering policies. How can I associate RSSO groups with NPS? I get that I need to add the class attribute to NPS, but how do I handle multiple groups?
Many thanks!