jamacouve
New Member
August 29, 2017
Question

How to set this up correctly. Fortigate, NPS and Cisco Wireless

Hi Guys,

So the above are the devices I need to set up. This was working before but some changes were made and I can't seem to get it right.

So the wireless device speaks to the Cisco AP who then speaks to the Cisco WLC. He has 802.1X configured and speaks to NPS to authenticate the user. This is working perfectly and the user can connect.

Now the part that I am struggling with... How do I set up RSSO on the Fortigate so I can see the users in the logs? I have tried doing some googling, but a lot of what I find relates to FortiAPs and RSSO, and it's a bit different.

Any help will be greatly appreciated.


    bandersen_FTNT
    Staff
    August 29, 2017

    Hi

    In short:

    At the NPS you need to enable RADIUS accounting to be sent to the FGT.

    Also on NPS you need to add the Class attribute, as this value is used by the FGT to map users into RSSO groups.

    Then enable RADIUS accounting listening on the FGT interface.

    At FGT User & Device:

    Create the RSSO single sign-on, create the RSSO agent.

    Create the user group definition to be an RSSO group.

    Edit your RADIUS settings in the FGT CLI:

    fw (RSSO Agent) # set rsso-endpoint-attribute User-Name

    Sorry, that was a very short version; let me know if this points you in the right direction?

    /Brian

    xsilver_FTNT
    Staff
    August 29, 2017

    In short, follow the cookbook http://cookbook.fortinet.com/rsso-wifi-access-control/

    and from step "5. Configure the RADIUS server" on, set NPS to allow your AP (instead of a FortiAP) to authenticate towards AD (probably done) and also to send RADIUS accounting to the FortiGate unit whenever a user authenticates via the policy.

    In step 8 and section "Select RADIUS Attributes", pay attention to the AVP sent from NPS to FortiGate with the user group membership. This AVP (by default 'Class', but configurable as CLI 'rsso-attribute') has to match FortiGate's rsso-attribute, and its value has to match the FortiGate's group config of 'RADIUS Attribute Value' (CLI user group <X> / sso-attribute-value).
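As an added illustration (not part of either staff reply), the FortiGate-side CLI for the pieces both answers describe: the accounting listener on the interface, the RSSO agent using User-Name as endpoint attribute and Class as group attribute, and an RSSO group whose value must equal the Class string NPS returns. The names "RSSO_Agent", "RSSO_Wifi", "Wifi-Users" and "port1" are assumptions for this example, and the secret is a placeholder.

```text
# Added example, not from the replies. Assumed names: RSSO_Agent, RSSO_Wifi,
# Class value "Wifi-Users", interface port1; the shared secret is a placeholder.

# 1. Let the interface facing NPS accept RADIUS accounting (UDP 1813).
config system interface
    edit "port1"
        set allowaccess ping https ssh radius-acct
    next
end

# 2. RSSO agent: the secret must match the accounting secret configured on NPS;
#    User-Name identifies the endpoint, Class carries the group membership.
config user radius
    edit "RSSO_Agent"
        set rsso enable
        set rsso-radius-response enable
        set rsso-secret "REPLACE_WITH_NPS_ACCOUNTING_SECRET"
        set rsso-endpoint-attribute User-Name
        set sso-attribute Class
    next
end

# 3. RSSO group: sso-attribute-value must equal the Class string NPS sends.
config user group
    edit "RSSO_Wifi"
        set group-type rsso
        set sso-attribute-value "Wifi-Users"
    next
end
```

If a user authenticates but never shows up as an RSSO user, confirm first that NPS accounting packets actually reach port1, then that the Class string in those packets matches the sso-attribute-value exactly.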