tyua
New Member
August 12, 2016
Solved

SSO RADIUS

I have an HP WiFi controller; wireless users are identified by the RADIUS server (Windows NPS). I want to see these WiFi users on the FortiGate. Is this possible?

Thank you!

    Best answer by xsilver_FTNT

    xsilver_FTNT
    Staff
    August 12, 2016

    Hi Tyua,

    Yes, it seems to be possible, and it looks like this might help you:

    http://cookbook.fortinet.com/rsso-wifi-access-control/

    Best regards,

    Tomas

    tyua (Author)
    New Member
    August 12, 2016

    xsilver wrote:

    Yes, it seems to be possible, and it looks like this might help you:

    http://cookbook.fortinet.com/rsso-wifi-access-control/

     

    I think it is only for FortiAP. 

    But I have the HP MSM760 Access Controller.

    xsilver_FTNT
    Staff
    August 12, 2016

    Not really just for FortiAPs. Basically, the RADIUS server is the one that should send the RADIUS Accounting-Requests (especially of type Start and Stop), and the FortiGate/FortiAuthenticator or a standalone FSSO Collector can build SSO records based on the received data.

    So the user accesses WiFi, the WLC authenticates the user through the RADIUS server, which sends an Accounting Start to the FortiGate, which builds an (R)SSO user record (sometimes called the end-point database), and based on the received AVP the user is bound to an RSSO-type firewall user group. Such a group can then be used in an IBP (identity-based policy) to restrict/authenticate/log traffic/access to protected resources.

    Any RADIUS server compliant with the standards and capable of sending standard Accounting data to configured recipients can be used. Access authenticated this way can originate from any source, like WiFi (through WLC auth mechanisms) or port-based authentication on switches/routers/other firewalls... almost limitless, and it works as long as those sources authenticate against the RADIUS server.
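The exchange xsilver_FTNT describes (the RADIUS server sends Accounting Start/Stop, the FortiGate checks the shared secret, builds an RSSO record keyed on the client's IP and picks the firewall group from an AVP), as an added Python example that is not part of the original thread and is not Fortinet or HP code. It simulates both sides in one process: `build_acct_request()` stands in for NPS forwarding accounting, `RssoEndpointDb` stands in for the FortiGate listener. The shared secret, user names, IPs, Class value and group name are constructed for the example; only the packet format and authenticator rules come from RFC 2866.

```python
"""RFC 2866 RADIUS accounting feeding an RSSO-style endpoint database. Added example,
not Fortinet/HP code: build_acct_request() plays the RADIUS server (NPS) forwarding
accounting; RssoEndpointDb plays the FortiGate listener on UDP/1813."""
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, FRAMED_IP_ADDRESS, CLASS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 25, 40, 44
ACCT_START, ACCT_STOP = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs (value: str, int or IPv4Address)."""
    out = b""
    for t, v in attrs:
        if isinstance(v, str):
            v = v.encode()
        elif isinstance(v, int):
            v = struct.pack("!I", v)
        elif isinstance(v, ipaddress.IPv4Address):
            v = v.packed
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs into {type: first value}; reject lengths that overrun the packet."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(data[i], data[i + 2:i + data[i + 1]])
        i += data[i + 1]
    return attrs


def build_acct_request(secret, ident, attrs):
    """Accounting-Request; Request Authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(ACCT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_acct_response(secret, request, response):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


class RssoEndpointDb:
    """FortiGate side: check the shared secret, then map Framed-IP-Address to the user
    and to the RSSO group selected by the Class AVP (FortiOS 'sso-attribute')."""

    def __init__(self, secret, class_to_group):
        self.secret = secret
        self.class_to_group = class_to_group  # Class value -> rsso group name
        self.entries = {}  # ip -> {"user", "group", "session"}

    def handle(self, pkt):
        """Process one datagram; return the Accounting-Response, or None if dropped."""
        if len(pkt) < 20 or pkt[0] != ACCT_REQUEST or HEADER.unpack(pkt[:4])[2] != len(pkt):
            return None
        # Secret check (what 'set rsso-validate-request-secret enable' does): silently drop
        # accounting from anyone who does not hold the secret, so they cannot plant SSO records.
        expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + self.secret).digest()
        if not hmac.compare_digest(expected, pkt[4:20]):
            return None
        try:
            attrs = decode_attrs(pkt[20:])
        except ValueError:
            return None
        raw = attrs.get(ACCT_STATUS_TYPE, b"")
        status = struct.unpack("!I", raw)[0] if len(raw) == 4 else 0
        ip, user = attrs.get(FRAMED_IP_ADDRESS), attrs.get(USER_NAME)
        if ip is not None and len(ip) == 4 and user is not None:  # no endpoint IP -> no record
            ip = str(ipaddress.IPv4Address(ip))
            if status == ACCT_START:
                cls = attrs.get(CLASS, b"").decode("utf-8", "replace")
                self.entries[ip] = {"user": user.decode("utf-8", "replace"),
                                    "group": self.class_to_group.get(cls),  # None: no group match
                                    "session": attrs.get(ACCT_SESSION_ID, b"").decode("utf-8", "replace")}
            elif status == ACCT_STOP:
                self.entries.pop(ip, None)  # session over: the SSO record must go too
        header = HEADER.pack(ACCT_RESPONSE, pkt[1], 20)  # always ack a valid request
        return header + hashlib.md5(header + pkt[4:20] + self.secret).digest()

    def group_for_ip(self, ip):
        entry = self.entries.get(ip)
        return entry["group"] if entry else None


def demo():
    """Constructed exchange: Start, a forged Start with the wrong secret, then Stop."""
    secret = b"example-rsso-secret"  # assumed; must equal 'set rsso-secret' on the FortiGate
    fgt = RssoEndpointDb(secret, {"WifiUsers": "RSSO-Wifi-Users"})
    alice = [(USER_NAME, "CORP\\alice"), (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.10.20.15")),
             (CLASS, "WifiUsers"), (ACCT_SESSION_ID, "0001A2B3")]
    start = build_acct_request(secret, 7, alice + [(ACCT_STATUS_TYPE, ACCT_START)])
    ack = fgt.handle(start)
    result = {"after_start": fgt.group_for_ip("10.10.20.15"),
              "ack_ok": verify_acct_response(secret, start, ack)}
    forged = build_acct_request(b"wrong-secret", 8, [(USER_NAME, "mallory"), (CLASS, "WifiUsers"),
             (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.10.20.99")), (ACCT_STATUS_TYPE, ACCT_START)])
    result["forged_ack"] = fgt.handle(forged)
    result["forged_group"] = fgt.group_for_ip("10.10.20.99")
    fgt.handle(build_acct_request(secret, 9, alice + [(ACCT_STATUS_TYPE, ACCT_STOP)]))
    result["after_stop"] = fgt.group_for_ip("10.10.20.15")
    return result


if __name__ == "__main__":
    print(demo())
```

On a real FortiGate the same pieces are the RSSO settings under `config user radius` (`set rsso enable`, `set rsso-secret`, `set rsso-endpoint-attribute User-Name`, `set sso-attribute Class`, `set rsso-validate-request-secret enable`) and a group under `config user group` with `set group-type rsso` and `set sso-attribute-value` matching the Class value NPS returns; the FortiGate lists the resulting users with `diagnose firewall auth list`. Two things to check before blaming the FortiGate: NPS does not forward accounting anywhere by default, so the connection request policy's Accounting settings have to point at the FortiGate as a remote RADIUS accounting server, and the accounting records from the MSM controller must carry Framed-IP-Address (or an Interim-Update that adds it), because without the client's IP no SSO record can be built, as the example's last test shows.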