Freak-On-Silicon
Explorer
February 20, 2024
Question

FSSO Windows NPS


Hi,

I have the same problem as:

https://community.fortinet.com/t5/Support-Forum/FSSO-cannot-read-Windows-NPS-user-logins/m-p/63413/thread-id/63323/highlight/true

I have a Windows AD environment with two DCs (Server 2016) and a Windows RADIUS server NPS (Server 2019).

FortiGate 100F 7.4.3

The RADIUS is for wireless authentication with my Aruba Instant APs. Working fine.

FSSO with the agents installed also works fine, and I applied and tested some user-based policies, also working fine.

But how do I get the FSSO Agent Collector to collect the data from my RADIUS?

Best regards
Lukas

2 replies

AEK
SuperUser
February 20, 2024
Freak-On-Silicon
Explorer
February 20, 2024

Thanks for your reply.

Yes and no.

In the FSSO Collector Agent, under advanced settings, there is "RADIUS Accounting"; I was thinking in this direction.

I had tested RSSO before; it didn't work. I will give it another try.

But when I do this with FSSO and RSSO, in my future policies I always have to set both groups, one from FSSO and one from RSSO, am I right?

AEK
SuperUser
February 20, 2024

I see. Never used it before but I think it is explained here: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso#RADIUS

Hope it helps.

AEK
CNRO
New Member
March 2, 2026

OK, maybe I know what you need. I did this to authenticate my UNIFI clients that log in via RADIUS.

  1. On the FSSO Collector Agent Advanced Settings > RADIUS Accounting tab:
    > Enable it
    > Enter a listen port, default 1813
    > Create a shared secret (you'll need it later, make a note)
    > Enter your domain name, like "myenterprise.net"
  2. On the RADIUS server, open the NPS:
    > Create a Remote RADIUS Server Group (I named mine FSSO)
    > Add your AD server (where your FSSO Agent is) inside the group.
    > In the Authentication/Accounting tab, fill in your normal shared secret from RADIUS, and the FSSO agent shared secret in the Accounting field.
  3. On the NPS Policies, at Connection Request Policies:
    > On the properties of your policy, go to the Settings tab
    > Select Accounting (below Authentication), mark "Forward accounting requests to this remote RADIUS server group" and in the dropdown menu select the group you created on step 1.
  4. I have more policies to filter by which group the users are in, using network policies with vendor-specific 12356; I'll dive more into that if you need.

Hope this helps you.

Freak-On-Silicon
Explorer
March 4, 2026

Thanks for your help.

But I did exactly this on three different sites.

When I look with Wireshark on the RADIUS server (Windows Server 2022), there is no activity on port 1813. Only on 1812 to my Aruba Instant VC.
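
Added example, not part of any post in this thread: a Python check that a UDP payload is a well-formed RADIUS Accounting-Request (RFC 2866) whose Request Authenticator matches the accounting shared secret, the value that has to agree between the NPS remote server group and the collector's RADIUS Accounting tab. The secret, user name and address in the sample are constructed, and which attributes the FSSO Collector Agent itself consumes is not stated in the thread.

```python
import hashlib
import hmac
import socket
import struct

ACCT_REQUEST = 4  # RFC 2866 packet code for Accounting-Request
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}  # Acct-Status-Type values

def _authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_acct_request(ident, secret, attrs):
    """Build an Accounting-Request from (type, value-bytes) pairs (used for the sample)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + _authenticator(header, body, secret) + body

def parse_acct_request(packet, secret):
    """Validate a UDP payload as an Accounting-Request and return the key fields."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST:
        raise ValueError(f"code {code} is not Accounting-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match payload")
    packet = packet[:length]  # ignore any padding after the declared length
    expected = _authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch: shared secrets differ")
    fields, pos = {"id": ident}, 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == 1:                      # User-Name
            fields["user"] = value.decode("utf-8", "replace")
        elif atype == 8 and alen == 6:      # Framed-IP-Address
            fields["framed_ip"] = socket.inet_ntoa(value)
        elif atype == 40 and alen == 6:     # Acct-Status-Type
            fields["status"] = STATUS.get(struct.unpack("!I", value)[0], "other")
        pos += alen
    return fields

SECRET = b"constructed-accounting-secret"  # constructed sample values, made up here
SAMPLE = build_acct_request(7, SECRET, [(1, b"jdoe"), (8, socket.inet_aton("10.0.0.25")),
                                        (40, struct.pack("!I", 1))])
```

`parse_acct_request(SAMPLE, SECRET)` returns the user, address and status, while the same packet checked against a different secret raises `ValueError`.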