michael_fischer
New Member
February 22, 2021
Question

RSSO Logging


Hi!

Firmware version of our FortiGate is FortiGate-100F v6.4.4,build5540,201210 (GA)

I have configured the RSSO Agent like this:

config user radius
    edit "RSSO Agent"
        set interface-select-method specify
        set interface "port12"
        set rsso enable
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret ENC ******==
        set rsso-endpoint-attribute User-Name
    next
end

To enable logging, I try the following:

fortinet-01 # config user radius
fortinet-01 (radius) # edit "RSSO Agent"
fortinet-01 (RSSO Agent) # set rsso-log-period 0
fortinet-01 (RSSO Agent) # set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
fortinet-01 (RSSO Agent) # end
fortinet-01 #

When checking, nothing has been entered:

fortinet-01 # show user radius
config user radius
    edit "RSSO Agent"
        set interface-select-method specify
        set interface "port12"
        set rsso enable
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret ENC *********==
        set rsso-endpoint-attribute User-Name
    next
end

What am I doing wrong?

Thanks, Mike


    nilmoe
    Visitor III
    September 22, 2022

    Hi Mike,

    My answer probably comes a bit late, but I will answer anyway, as I stumbled across this myself.

    The default configuration of the RSSO Agent under "config user radius" already contains the commands you tried to set:

    Your commands:

    fortinet-01 (RSSO Agent) # set rsso-log-period 0
    fortinet-01 (RSSO Agent) # set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other

    Output from "show full-config" right after enabling rsso:

    Testlab (rsso_1) # sho full-configuration
    config user radius
        edit "rsso_1"
            set timeout 5
            set radius-coa disable
            set h3c-compatibility disable
            set username-case-sensitive disable
            unset group-override-attr-type
            set password-renewal enable
            set password-encoding auto
            set acct-all-servers disable
            set switch-controller-acct-fast-framedip-detect 2
            set interface-select-method auto
            unset switch-controller-service-type
            set rsso enable
            set rsso-radius-server-port 1813
            set rsso-radius-response disable
            set rsso-validate-request-secret disable
            set rsso-secret ENC ATFt82NnebUQaE+PMHODxsjdGPSNL7LOkkuAD2o6VDB92QsS2QHSmfwEZpXE6j0Ctn+ja1fQvroHHMu78b+KGGWuOjqLPJPryoLQ7Hlom95IOXfTEOLzbvYDDpLzbvDh9k97dH7kg1ufwv7JM3qF3OYqjD/LVNyB4QjpTY8YAy21+PsraCURXiJyNN7kFje1njbMZw==
            set rsso-endpoint-attribute Calling-Station-Id
            unset rsso-endpoint-block-attribute
            set sso-attribute Class
            set sso-attribute-key ''
            set sso-attribute-value-override enable
            set rsso-context-timeout 28800
            set rsso-log-period 0
            set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
            set rsso-flush-ip-session disable
            set rsso-ep-one-ip-only disable
        next
    end

    So logging should be enabled by default.

    Hope this helps!

    Regards,
    Nils
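The thread turns on three RSSO Agent settings: the shared secret that `rsso-validate-request-secret` checks, the Accounting-Response that `rsso-radius-response` sends back, and the `rsso-endpoint-attribute` / `sso-attribute` pair that decides which attribute names the user and which names the group. The following is an added example, not code from the thread or from Fortinet, that builds the RADIUS accounting exchange those settings act on and shows what each setting does to an incoming packet. It uses only the Python standard library. The attribute numbers and authenticator formulas come from RFC 2865 and RFC 2866; `SECRET`, the user name, IP address, session ID and group value are constructed test data, and the function names (`rsso_event`, `request_secret_valid`, and so on) are the example's own, not FortiGate API names. Note how a Start record that carries only `User-Name` cannot be mapped once the endpoint attribute is switched to `Calling-Station-Id`, which is the default shown in the reply's `show full-configuration` output.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS codes and attribute numbers from RFC 2865 / RFC 2866.
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Class": 25,
        "Calling-Station-Id": 31, "Acct-Status-Type": 40, "Acct-Session-Id": 44}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

# Constructed shared secret; it stands in for the value behind "set rsso-secret".
SECRET = b"constructed-rsso-secret"


def _avp(attr_type, value):
    """Type / Length / Value; the length byte counts the two header bytes too."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_raw_request(secret, ident, attrs):
    """Accounting-Request framing (RFC 2866 section 3): the Request Authenticator is
    MD5(Code + ID + Length + 16 zero bytes + attributes + secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def build_accounting_request(secret, ident, user, ip, status, session_id, group, calling=None):
    """The Start/Stop record a NAS sends to the RSSO listener (UDP 1813 by default)."""
    attrs = (_avp(ATTR["User-Name"], user)
             + _avp(ATTR["Framed-IP-Address"], int(ipaddress.IPv4Address(ip)))
             + _avp(ATTR["Class"], group)
             + _avp(ATTR["Acct-Status-Type"], status)
             + _avp(ATTR["Acct-Session-Id"], session_id))
    if calling is not None:
        attrs += _avp(ATTR["Calling-Station-Id"], calling)
    return build_raw_request(secret, ident, attrs)


def parse_attributes(raw):
    """Walk the TLV list; a later duplicate overwrites an earlier one. Raises on a bad length."""
    out, pos = {}, 0
    while pos < len(raw):
        if pos + 2 > len(raw) or raw[pos + 1] < 2 or pos + raw[pos + 1] > len(raw):
            raise ValueError("bad attribute length")
        out[raw[pos]] = raw[pos + 2:pos + raw[pos + 1]]
        pos += raw[pos + 1]
    return out


def request_secret_valid(packet, secret):
    """The check behind "rsso-validate-request-secret": recompute the Request Authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def rsso_event(packet, secret, endpoint_attribute="User-Name", sso_attribute="Class"):
    """Derive the logon/logoff event an RSSO listener acts on: None when the secret does not
    verify (packet dropped), a dict with "error" when it cannot be mapped, else the event."""
    if not request_secret_valid(packet, secret):
        return None
    try:
        attrs = parse_attributes(packet[20:])
    except ValueError as exc:
        return {"error": "protocol error: %s" % exc}
    endpoint = attrs.get(ATTR[endpoint_attribute])
    if endpoint is None:
        return {"error": "endpoint attribute %s missing" % endpoint_attribute}
    ip, status = attrs.get(ATTR["Framed-IP-Address"]), attrs.get(ATTR["Acct-Status-Type"])
    if ip is None or status is None or len(ip) != 4 or len(status) != 4:
        return {"error": "Framed-IP-Address or Acct-Status-Type missing or malformed"}
    return {"event": ACCT_STATUS.get(struct.unpack("!I", status)[0], "unknown"),
            "endpoint": endpoint.decode(errors="replace"),
            "ip": str(ipaddress.IPv4Address(ip)),
            "group": attrs.get(ATTR[sso_attribute], b"").decode(errors="replace")}


def build_accounting_response(request, secret):
    """Accounting-Response ("rsso-radius-response enable"): the Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + attributes + secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_valid(response, request, secret):
    """What the NAS checks before treating the accounting record as acknowledged."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

To try it, build a Start record with `build_accounting_request(SECRET, 7, "jdoe", "10.1.2.3", 1, "sess-0001", "rsso-users")` and feed it to `rsso_event`: with the matching secret it yields a logon for `jdoe` in group `rsso-users`; with a wrong secret, or after any byte of the packet is altered, the authenticator check fails and the packet is dropped, which is the protection `rsso-validate-request-secret` provides against spoofed logon events from anyone who can reach port 1813. Switching `endpoint_attribute` to `Calling-Station-Id` on a record that only carries `User-Name` returns a mapping error instead of an event, the same mismatch a FortiGate left at its default endpoint attribute would hit with a NAS that sends only `User-Name`.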