Skip to main content
Fabio
Fabio
Explorer III
September 16, 2022
Solved

WiFi with WSSO using Windows NPS and user groups

  • September 16, 2022
  • 5 replies
  • 4650 views

Hello Guys,

I deployed two SSID in  WPA2 Enterprise architecture with authentication on Windows Radius ( NPS ) as the link below and everything works ( https://docs.fortinet.com/document/fortiap/6.4.0/fortiwifi-and-fortiap-cookbook/414919/wifi-with-wsso-using-windows-nps-and-user-groups )

To differentiate groups on Windows AD I followed this guide ( https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/710485/restricting-radius-user-groups-to-match-selective-users-on-the-radius-server )

Radius wifi user 2.jpg


The FW sees the connected users as Wifi Single-Sign On  Radius wifi user 1.jpg


is it possible to group some account in different firewall policies ?

I have tried creating Radius type users on the FGT but it does not work.

Do you know if there is a way?

 

 

Thank you very much

 

Best answer by pminarik

(sorry about the late reply)

Not exactly.

With WSSO, the matched string sent from NPS is compared to the name of the group in your FortiGate (what you have in "RADIUS_WiFi_???"), and the group must be completely empty in the config. (no reference to any RADIUS server)

 

WSSO does not use the "Remote server" + "group name" options.

 

WSSO group matching logicWSSO group matching logic

 

5 replies

pminarik
Staff
pminarik
Staff
September 16, 2022

Hi Fabio,

 

Can you please clarify what you mean by "grouping accounts"? I'm not too sure what you mean by that. An example of what you're trying to achieve would help.

 

As for targetting individual users (re: "I have tried creating Radius type users"), please note that WSSO-style authentication only works with groups. It is not possible for it to target individual users. (unless you specifically create "personal groups" for users and advertise those in the Fortinet-Group-Name VSA sent by the NPS)

Fabio
FabioAuthor
Explorer III
September 16, 2022

Hi pminarik,

In the group that I entered for authentication under the SSID and which calls up through the Fortinet-Group-Name VSA parameter the specific group in Windows Ad, there are all the accounts in the company, both managers and workers.
I would like to treat the two groups under different firewall policy in order to assign them specific permissions.

I didn't know it only works with groups, okay, but what kind of type group should it be ? Radius, ldap, local.. Should I indicate the path where the Group is located in the Active Directory ? 

Radius wifi user 3.jpg

pminarik
Staff
pminarik
Staff
September 16, 2022

Hi Fabio,

WSSO groups are handled in an unusual way - you simply need an empty firewall-type group which does not link to or reference anything. The matching will be done purely based on the exact name of the group (must match the Fortinet-Group-Name string received).

 

Here's an old but good article which describes it - https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/640488/wifi-with-wsso-using-windows-nps-and-attributes

The group creation in FortiOS is described in step 5.

Fabio
FabioAuthor
Explorer III
September 16, 2022

Maybe I understand.

I have to create two group that mapping two group in Windows AD tagged with VSA parameter ad hoc and this two fortinet group empty in two different firewall policy . Is it correct ?

Like this but X 2

Radius wifi user 2.jpg

Radius wifi user 4.jpg

where the tag NTL match the same in the FW group; one for Manager and another for WORK .

Both inside the SSID and then in the policy

pminarik
Staff
pminarikAnswer
Staff
September 20, 2022

(sorry about the late reply)

Not exactly.

With WSSO, the matched string sent from NPS is compared to the name of the group in your FortiGate (what you have in "RADIUS_WiFi_???"), and the group must be completely empty in the config. (no reference to any RADIUS server)

 

WSSO does not use the "Remote server" + "group name" options.

 

WSSO group matching logicWSSO group matching logic

 

    Fabio
    FabioAuthor
    Explorer III
    September 20, 2022

    YES WORKS :)

    in the SSID only the RADIUS and in the User Groups only the name that match the VSA parameter in Windows NPS, as the guide ..

    ( Here's an old but good article which describes it - https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/640488/wifi-with-wsso-using-windows-nps-...

    The group creation in FortiOS is described in step 5. )

    Of course in the NPS you have to create two or more Network Policy to match the Groups you want set in differents Firewall policy in FGT.

     

    Thank you so Much

     

    Fabio

    Fabio
    FabioAuthor
    Explorer III
    September 20, 2022

    Radius wifi user 5.jpgthis is the two user in different groups in windows AD

    Terms & ConditionsAccessibility statement