Keeper_of_the_Keys
New Member
May 7, 2021
Question

Using RSSO usernames in policies


Hi everyone,


At the moment I'm trying to get RSSO working. We have MS NPS, so no passing groups to the firewall :\ but based on running auth list the Fortinet does "know" which user is connected to an IP address.


firewall-01 # diagnose firewall auth list


x.x.x.x, user@domain.com     type: rsso, id: 0, duration: 801, idled: 801     flag(10): radius     server: root     packets: in 0 out 0, bytes: in 0 out 0


My problem is translating this into something I can use in policies. I tried creating RADIUS users and adding them to policies, but this does not work. I also tried using an LDAP group containing the same usernames that the Fortinet "sees" through RSSO, but this did not work either: every time I try to generate traffic that would trigger this policy, I end up on a Fortinet captive portal page where I need to log in again.


What am I missing?


Thanks!


    Keeper_of_the_Keys
    New Member
    May 8, 2021

    Technical detail I left out:

    - We're trying this with FortiOS 7 (it's a new location so while the place is in "beta" we can also try stuff)


    Keeper_of_the_Keys
    New Member
    May 11, 2021

    Bump? No one here uses RSSO?

    Keeper_of_the_Keys
    New Member
    May 11, 2021

    Based on the updated docs for 7.0.0, it seems to me that RSSO only allows the creation of "groups" based on the presence of an attribute in the RADIUS accounting packet, which can then be used in policies, while it is not actually possible to do anything directly with the usernames learnt through RSSO.


    Given that not all RADIUS servers seem to allow adding properties like group membership to the accounting packets being forwarded, this would seem to be a missing feature.


    https://docs.fortinet.com...s-single-sign-on-agent
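To make the behaviour described in the replies concrete, here is an added example (not code from the original thread or from Fortinet) that models what an RSSO agent learns from RADIUS accounting traffic. It builds two constructed Accounting-Start packets: one from a server that includes a Class attribute (the attribute FortiOS uses by default to name the SSO group) and one that only carries User-Name and Framed-IP-Address, which is the situation described for NPS. In both cases the user-to-IP mapping is learned, which is what the auth list above shows, but only the first session can match a policy that references an RSSO group. The packet layout follows RFC 2865/2866; the attribute numbers, the hostnames and the IP addresses are constructed sample values, and the Request Authenticator is left zeroed because no shared secret is involved.

```python
import struct
import ipaddress

# RADIUS packet code and attribute types from RFC 2865 / RFC 2866.
ACCOUNTING_REQUEST = 4
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
CLASS = 25
ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP = 1, 2


def build_accounting_request(identifier, attrs):
    """Build a constructed RADIUS Accounting-Request for test input.

    attrs is a list of (type, raw value bytes). The 16-byte Request
    Authenticator is left zeroed: this is a well-formed frame for the
    parser below, not a packet signed with a real shared secret.
    """
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + bytes(16) + body


def parse_attributes(packet):
    """Return the (type, value) list of an Accounting-Request, with bounds checks."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


class RssoTable:
    """Minimal model of an RSSO agent: IP -> (user, group) learned from accounting."""

    def __init__(self, sso_attribute=CLASS):
        # Attribute whose value names the SSO group; FortiOS defaults to Class.
        self.sso_attribute = sso_attribute
        self.sessions = {}

    def process(self, packet):
        attrs = dict(parse_attributes(packet))
        status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
        ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS]))
        if status == ACCT_STOP:
            return self.sessions.pop(ip, None)
        user = attrs[USER_NAME].decode()
        group_bytes = attrs.get(self.sso_attribute)
        group = group_bytes.decode() if group_bytes is not None else None
        self.sessions[ip] = (user, group)
        return self.sessions[ip]

    def user_for(self, ip):
        """The user learned for an IP (what 'diagnose firewall auth list' shows)."""
        entry = self.sessions.get(ip)
        return entry[0] if entry else None

    def policy_matches(self, ip, group):
        """A policy referencing an RSSO group matches only on the learned group."""
        entry = self.sessions.get(ip)
        return entry is not None and entry[1] == group


def start_packet(identifier, user, ip, group=None):
    """Constructed Accounting-Start, optionally carrying a Class attribute."""
    attrs = [
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        (USER_NAME, user.encode()),
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
    ]
    if group is not None:
        attrs.append((CLASS, group.encode()))
    return build_accounting_request(identifier, attrs)


def stop_packet(identifier, ip):
    """Constructed Accounting-Stop for the given endpoint IP."""
    return build_accounting_request(identifier, [
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP)),
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
    ])


if __name__ == "__main__":
    table = RssoTable()
    # Server that adds Class: user and group are both learned.
    table.process(start_packet(1, "alice@example.com", "10.1.1.10", "staff"))
    # Server that sends only User-Name and IP: user learned, no group.
    table.process(start_packet(2, "bob@example.com", "10.1.1.11"))
    print(table.user_for("10.1.1.10"), table.policy_matches("10.1.1.10", "staff"))
    print(table.user_for("10.1.1.11"), table.policy_matches("10.1.1.11", "staff"))
```

The second session is the case from the thread: the firewall can list the user behind the IP, but with no group attribute in the accounting packet there is nothing for an RSSO group policy to match, so the traffic falls through to whatever the next policy does (here, a captive portal). The length checks in the parser are the kind of sanity check an agent listening on the accounting port should perform before trusting attribute data.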