fnspit
New Member
May 18, 2025
Question

NPS RADIUS accounting not forwarding to Fortinet FSSO – always logs to local file instead

Hi all,

I'm trying to get RADIUS accounting packets from a Windows Server NPS (RADIUS) to be forwarded to a Fortinet FSSO Collector, but I'm stuck.

Here's my setup:

  • NPS is authenticating 802.1X Wi-Fi logins using PEAP/EAP-MSCHAPv2.

  • Accounting forwarding is enabled in the Connection Request Policy (CRP) – the option “Forward accounting requests to this remote RADIUS server group” is checked.

  • The Remote RADIUS Server Group points to the FSSO Collector (IP: 10.81.0.36, port: 1813, shared secret OK).

  • In the FSSO collector itself, RADIUS accounting is enabled, listens on 1813, and matches the shared secret.

  • Wireshark confirms that UDP packets on port 1813 are never sent.

  • Every time a user authenticates, NPS logs this in Event Viewer with: Logging Results: Accounting information was written to the local log file.

What I’ve tried so far:

  • Recreated the CRP from scratch with minimal conditions (NAS port type only).

  • Made sure CRP is at the top of the policy list and is being hit (confirmed via Event Viewer: Connection Request Policy Name: TEST-FSSO).

  • Verified that the Remote RADIUS Server Group has the collector defined with the correct IP, port, and secret.

  • Checked that the “Forward network access server start and stop notifications to this server” option is enabled in the server properties.

  • Restarted the IAS service and verified every change step-by-step.

Still, no accounting packets are being sent to FSSO – NPS always falls back to local log files.

I understand that NPS only generates and forwards accounting when the CRP handles authentication on the local server. But in my case, NPS does perform authentication, and I have no proxy or upstream RADIUS involved.

Is there something I’m missing? Could global accounting settings or a hidden conflict with log file configuration be causing this fallback behavior?

4 replies

tbarua
Staff
May 19, 2025

Hi , 

Have you enabled the RADIUS accounting server in FortiGate?

You can check the following KBs to cross-check your configuration:

 

Configure Fortinet Single Sign On (FSSO) ... - Fortinet Community

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-ensure-FortiGate-sends-RADIUS-Accounting/ta-p/203439

 

Kind regards

Freak-On-Silicon
Explorer
June 12, 2025

Hi,

Have you managed to get that working?
I have the exact same problem.

KayaAtab
Visitor III
April 2, 2026

Hi,

Same thing here. NPS is not forwarding accounting logs. I am pretty sure that it is not a FortiGate issue. I deployed Wireshark and ran a sniffer on the gateway. No data flows through UDP 1813. I ran PortQry on the NPS server and saw from the sniffer that the server can send traffic to UDP 1813. This is definitely related to the NPS server or something on the server.

Lucky for me, on this project I am working with Microsoft partners with a good level of knowledge. If I figure it out, I'll post it here.

 

Regards,

 

Kaya

Freak-On-Silicon
Explorer
April 2, 2026

Yeah, same problem here. Would love to hear from you.

KayaAtab
Visitor III
April 2, 2026

Here is the deal. After authentication, make your wireless controller (the FortiGate itself in my case) push the accounting info back to the RADIUS server. Why? Because RADIUS does not have the IP information that you need. Then make the accounting config on NPS. This way RADIUS will forward accounting info to your FSSO.

I don't know if it made any changes, but I switched my RSSO interface to a loopback instead of the management interface. The management interface is already connected to the RADIUS server, so to track the accounting info I generated a loopback with /32 and enabled accounting on the loopback. Also, don't forget to write policies for 1812 and 1813 both ways. Here is my config for the RADIUS section.

 

config user radius
    edit "NPS"
        set server "RADIUS_IP"
        set secret THE_KEY
        set source-ip "FIREWALL_MGMT_IP"
        config accounting-server
            edit 1
                set status enable
                set server "RADIUS_IP"
                set secret THE_KEY
                set port 1813
                set source-ip "LOOPBACK_IP"
            next
        end
    next
    edit "RSSO Agent"
        set rsso enable
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret THE_KEY
    next
end