Rig
New Member
September 9, 2016
Question

RSSO - Single Username assigned to all Devices/IPs

  • 2 replies
  • 6474 views

Hi All

A bit of weirdness with RSSO in one of my VDOMs. I have a FortiGate 200D where we configured RSSO to receive Accounting messages from our NPS server (users authenticate to RADIUS through the Wireless Controller).

 

From the config it all appears correct -- I compared the config of this VDOM to another one I have where RSSO is working correctly, and it looks the same with the exception of the RADIUS server used.

 

Looking at "User & Device > Monitor > Firewall" I can see the different user entries with Method RSSO; however, when I look at the FortiView Sources, all the entries have the same username (which I know is incorrect). Refreshing the view, the username changes to a different one, but it then applies to all entries again.

 

Any suggestions on where to check for problems in my config would be greatly appreciated.

    2 replies

    Rig (Author)
    New Member
    September 14, 2016

    Noticed now that when I disable "Device Identification" on my interfaces, no username is displayed. So with it enabled I get a single username assigned to all devices, but with it disabled no username is displayed/associated at all.

     

    With the "Device Identification" option disabled I still get the correct user entries under "User & Device > Monitor > Firewall".

    xsilver_FTNT
    Staff
    September 14, 2016

    Device identification should not interfere AFAIK.

    If you are getting multiple IPs authenticated by a single user, then I would suggest verifying the RSSO-enabled RADIUS server and especially mappings like rsso-endpoint-attribute and sso-attribute.

    Also compare the GUI to 'diag firewall auth list' for those rsso entries ( | grep rsso), simply to see how the firewall sees it internally and whether it's a GUI issue (haven't seen it in the lab).

    Rig (Author)
    New Member
    September 14, 2016

    Hi

    Running "diag firewall auth list" I see the entries as below:

    192.168.212.63, network\yca13
            type: rsso, id: 0, duration: 145, idled: 7
            group_id: 11
            group_name: networks_rsso_Group

    192.168.212.74, NETWORK\NP811
            type: rsso, id: 0, duration: 1572, idled: 1572
            group_id: 11
            group_name: networks_rsso_Group

    192.168.212.75, network\km907
            type: rsso, id: 0, duration: 1066, idled: 3
            group_id: 11
            group_name: networks_rsso_Group

    192.168.212.86, network\MM408
            type: rsso, id: 0, duration: 1572, idled: 111
            group_id: 11
            group_name: networks_rsso_Group

    ----- 32 listed, 0 filtered ------

    As I am still quite new to FortiGate, how can I confirm whether the reported group_id is correct (will the id be relevant)?

     

    I doubt it could be related to the GUI, as I have another VDOM on the same FortiGate 200D also making use of RSSO for a different domain, and it is functioning correctly. I have checked the settings between the 2 VDOMs related to the RSSO and RADIUS configs and they do look the same (with exceptions like secrets and RADIUS server IP). I also checked the RADIUS server and did a Wireshark capture to see the RADIUS attributes being sent, and that also looks correct -- I could however be mistaken. But as mentioned, enabling and disabling "Device Identification" on the interface does influence the results.
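The staff reply suggested comparing what FortiView shows against 'diag firewall auth list'. The following is an added example, not code from the thread or from Fortinet: a small parser for that CLI listing which rebuilds the IP-to-user table and flags the two things the poster is worried about, namely one username being applied to many IPs, and a group_id that does not map to a single group_name. The sample listing is constructed from the four records pasted above (with the trailer count reduced to match); the function names and the output format assumptions are my own.

```python
"""Parse 'diagnose firewall auth list' output and sanity-check RSSO entries.

Added example (not from the forum thread). It reads the CLI listing the poster
pasted and checks whether the firewall's internal table has exactly one user
per source IP, and whether a single user is being applied to every IP, which
is the symptom seen in FortiView.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the listing in the thread (not a live capture).
SAMPLE = """\
192.168.212.63, network\\yca13
        type: rsso, id: 0, duration: 145, idled: 7
        group_id: 11
        group_name: networks_rsso_Group

192.168.212.74, NETWORK\\NP811
        type: rsso, id: 0, duration: 1572, idled: 1572
        group_id: 11
        group_name: networks_rsso_Group

192.168.212.75, network\\km907
        type: rsso, id: 0, duration: 1066, idled: 3
        group_id: 11
        group_name: networks_rsso_Group

192.168.212.86, network\\MM408
        type: rsso, id: 0, duration: 1572, idled: 111
        group_id: 11
        group_name: networks_rsso_Group

----- 4 listed, 0 filtered ------
"""

# Assumed layout: "<ip>, <user>" header line, then indented "key: value" lines.
HEADER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(.+?)\s*$")
KV_RE = re.compile(r"(\w+):\s*([^,]+)")
TRAILER_RE = re.compile(r"^-+\s*(\d+) listed, (\d+) filtered\s*-+$")


def parse_auth_list(text):
    """Return (records, listed_count). Each record is a dict with 'ip', 'user'
    and the key/value fields of the indented lines (type, id, duration, ...)."""
    records, current, listed = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TRAILER_RE.match(line)
        if m:
            listed = int(m.group(1))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"ip": m.group(1), "user": m.group(2)}
            records.append(current)
            continue
        if current is not None:
            for key, value in KV_RE.findall(line):
                value = value.strip()
                current[key] = int(value) if value.isdigit() else value
    return records, listed


def check_rsso(records, method="rsso"):
    """Cross-check the CLI table against the 'same user on everything' symptom.

    Returns ips_per_user (user -> IPs), users_per_ip (IP -> users) and 'ok',
    which is True only when every IP has exactly one user and the table is
    not a single user repeated across several IPs."""
    by_user, by_ip = defaultdict(set), defaultdict(set)
    for r in records:
        if r.get("type") != method:
            continue
        by_user[r["user"].lower()].add(r["ip"])  # Windows user names compare case-insensitively
        by_ip[r["ip"]].add(r["user"])
    ips_per_user = {u: sorted(ips) for u, ips in by_user.items()}
    users_per_ip = {ip: sorted(us) for ip, us in by_ip.items()}
    one_user_per_ip = all(len(us) == 1 for us in users_per_ip.values())
    single_user_everywhere = len(ips_per_user) == 1 and len(users_per_ip) > 1
    return {"ips_per_user": ips_per_user, "users_per_ip": users_per_ip,
            "ok": one_user_per_ip and not single_user_everywhere}


def group_consistency(records):
    """Map each group_id to the group_name(s) seen with it. An id that shows
    more than one name points at a stale or mismatched 'config user group'."""
    groups = defaultdict(set)
    for r in records:
        if "group_id" in r:
            groups[r["group_id"]].add(r.get("group_name"))
    return {gid: sorted(names) for gid, names in groups.items()}


if __name__ == "__main__":
    recs, n = parse_auth_list(SAMPLE)
    res = check_rsso(recs)
    print(f"{len(recs)} of {n} records parsed, consistent: {res['ok']}")
    for user, ips in res["ips_per_user"].items():
        print(f"  {user}: {', '.join(ips)}")
    print("groups:", group_consistency(recs))
```

Paste the real listing into SAMPLE (or read it from a file) and run the script; if 'ok' is True and each user maps to one IP, the firewall's internal table is healthy and the problem lies in the FortiView display, which is exactly the distinction the staff reply asked the poster to make.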

    xsilver_FTNT
    Staff
    September 14, 2016

    I see different users reported for different source IPs (first line of each firewall auth record).

    group_id is simply the ID of the group "networks_rsso_Group" from your 'config user group'.