fikrioaky
New Member
November 24, 2017
Question

RSSO on FortiGate 201E and FortiAP 221C


Hello everyone,

 

I have a problem with RSSO: if I connect to the SSID with WPA2-Enterprise RSSO, the user can't connect to the SSID. Looking at the documentation, in the configuration I found rsso-endpoint-attribute. rsso-endpoint-attribute is the AP vendor's specific documentation for RADIUS accounting packets. I see error 22 in the NPS log. I don't know about the attribute. The firmware is currently v5.4.6 on the FortiGate and 5.4 on the FortiAP. Please advise.

I'm sorry if my English is so bad.

 

Thanks,

Fikri

    1 reply

    xsilver_FTNT
    Staff
    November 27, 2017

    Hi Fikri,

     

    RADIUS authentication through a WPA2-Enterprise protected SSID has nothing to do with RSSO.

    RSSO is RADIUS accounting based Single Sign-On (SSO).

    Ergo you have to authenticate to the SSID first. And when you successfully authenticate through some RADIUS service/server to the Wireless Controller (WLC), then the WLC or RADIUS server can send RADIUS Accounting packets to some target like your FortiGate, notifying the firewall that there is an authenticated user. And RSSO settings will be used on FortiGate to process accounting and create an SSO record, which might then be used, through group membership, in some identity-based policy.

     

    WPA2-Enterprise + RADIUS server = Authentication

    RSSO = Authorization (of traffic with knowledge about already Authenticated user)

     

    RADIUS traffic packet capture (port 1812 or 1813), config review, 'fnbamd 7' and 'radiusd -1' application debug should help.

     

    Best regards,

    Tomas
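
The split described in the reply can be checked against a packet capture. The following is an added example, not part of the thread and not Fortinet code: it decodes a RADIUS packet per RFC 2865/2866, verifies the Accounting-Request authenticator, and returns the fields an accounting-based SSO record needs. The sample packets, the secret, and the use of Class for the group and Calling-Station-Id for the endpoint are assumptions of this sketch.

```python
import hashlib, hmac, socket, struct

# Attribute and code numbers from RFC 2865 / RFC 2866
USER_NAME, FRAMED_IP, CLASS, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 25, 31, 40
ACCOUNTING_REQUEST, ACCT_START = 4, 1

def parse_attributes(pkt):
    """Walk the type-length-value attributes that follow the 20-byte header."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", pkt[2:4])[0]
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return attrs

def authenticator_ok(pkt, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    length = struct.unpack("!H", pkt[2:4])[0]
    digest = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:length] + secret).digest()
    return hmac.compare_digest(digest, pkt[4:20])

def sso_record(pkt, secret):
    """Return user/ip/group/endpoint for a valid Accounting Start, else None."""
    attrs = parse_attributes(pkt)
    # An Access-Request (port 1812) is authentication and never yields a record.
    if pkt[0] != ACCOUNTING_REQUEST or not authenticator_ok(pkt, secret):
        return None
    if int.from_bytes(attrs.get(ACCT_STATUS_TYPE, b""), "big") != ACCT_START:
        return None
    if USER_NAME not in attrs or len(attrs.get(FRAMED_IP, b"")) != 4:
        return None  # no user-to-IP mapping can be built
    text = lambda t: attrs.get(t, b"").decode("utf-8", "replace")
    return {"user": text(USER_NAME), "ip": socket.inet_ntoa(attrs[FRAMED_IP]),
            "group": text(CLASS), "endpoint": text(CALLING_STATION_ID)}

def build_packet(code, ident, attrs, secret):
    """Build a constructed sample packet (test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

SECRET = b"constructed-secret"  # constructed value
SAMPLE_ATTRS = [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, (1).to_bytes(4, "big")),
                (FRAMED_IP, socket.inet_aton("10.0.0.25")), (CLASS, b"wifi-staff"),
                (CALLING_STATION_ID, b"00-11-22-33-44-55")]
ACCT_START_PKT = build_packet(4, 7, SAMPLE_ATTRS, SECRET)      # accounting, port 1813
ACCESS_REQ_PKT = build_packet(1, 8, SAMPLE_ATTRS[:1], SECRET)  # authentication, port 1812
```

Feeding it the UDP payload of a captured port 1813 packet shows quickly whether the accounting sender includes the user name, client IP and group attribute at all, and whether the shared secret matches.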