Skip to main content
daniel_goymer
daniel_goymer
New Member
April 6, 2016
Question

RSSO using NPS

  • April 6, 2016
  • 2 replies
  • 4823 views

Hello

 

I'm trying to setup RSSO using an NPS server. Our Wireless AP's are already working and authenticating successfully. We want to ensure users on the wireless network do not need to authenticate to browse the Internet. (We already use FSSO for domain joined machines).

 

I've setup the accounting settings and verified the Fortigate and NPS server are communicating. The issue I have is with NPS accounting and Classes.

 

Our Network Policy dictates what uses are able to connect to the wireless network, though from what I can tell the Class needs to be sent for the Connection Request Policies. In NPS the Connection Request Policies do not all you to pick user groups.

 

Has anyone successfully used NPS to authenticate different user groups and therefore ensure different user policies are enabled for Internet browsing based on the user group?

 

Is this a limitation of NPS that cannot be overcome and we should therefore use FortiAuthenticator or some other Radius server?

 

Thank you in advance for any help.

 

Regards

Daniel

2 replies

Jeff_FTNT
Staff
Jeff_FTNT
Staff
April 6, 2016

NPS server can not send RADIUS Accounting packet to device which did not send out "Access-Request".For RSSO, you may need find RADIUS server can send Accounting to any device, thanks.

Jim_FH
Jim_FH
New Member
May 12, 2016

Hi Daniel:

 

I'm looking into doing this same thing, I think.  Our NPS servers authenticate (or not) users via a "Network Policy" based on membership of an AD group when asked by our Wireless Controller, which then sends the accounting info to the RSSO agent on the Fortigate with the RADIUS class "unrestricted" (which is how we were directed to configure it by Fortitac).

 

It seems to work fine, but like you, we are restricted to one RSSO fortigate policy, and not able to put different users in different groups for different Web Filtering profiles, etc.

 

I haven't tested yet, but I'm going try creating another "Network Policy" with a different RADIUS class value (other than 'unrestricted'), and then create another RSSO single-sign on users that references that other RADIUS class, and see where that gets me.

 

Not really an answer to your question, but maybe you've tried this and have some tips.

 

-James

Terms & ConditionsAccessibility statement