anoushiravan
Staff
Article Id 301668
Description This article describes RSSO authentication case sensitivity. When performing RSSO firewall authentication, FortiGate compares the RADIUS group attribute (Class by default) with each RSSO group's sso-attribute-value without regard to case, so attribute values that differ only by case place the user in the same groups and the user hits the same firewall policy.
Scope FortiGate.
Solution

RSSO attribute matching on FortiGate is always case-insensitive, and the behavior cannot be changed on FortiGate. Consequently, two RSSO groups whose sso-attribute-value differ only by case (for example 'aaaa' and 'AAAA') are indistinguishable to the policy engine: a user carrying either value is placed in both groups, and the traffic hits the first policy in sequence that references either group. Use distinct attribute values, not case, to separate policies.

 

Below is a worked example, with details taken from the debug output:

 

Configure the RSSO RADIUS entry:

config user radius
    edit "rsso"
        set rsso enable
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret ENC 2wDJVr/ylfTJtXn/0tEWrUGQmJKlrHLM90+X2wAKesvPiRF0WD6C25Qkcyo8erVKz8qtSnfY03vDuOPfxhEGBL6f14WLhOcDRcX+BrgAlqdofN2+MAiX9va+i0+uz5Y6anXIixyUdaErkB7XDhNe3rHUPF4JstEAZY6MlN5IDojQlzTNa8d0mPFDEhcaRVNo0/R2JQ==
        set rsso-endpoint-attribute User-Name
    next
end

 

Configure two RSSO groups whose attribute values differ only by case, 'aaaa' and 'AAAA':

config user group
    edit "rsso.group.1"
        set group-type rsso
        set sso-attribute-value "aaaa"
    next
    edit "rsso.group.2"
        set group-type rsso
        set sso-attribute-value "AAAA"
    next
end

 

Configure one firewall policy for each of the two RSSO groups created above:

config firewall policy
    edit 4
        set name "out-1"
        set uuid a4ad7b96-c739-51ee-fcff-e5c5ee8166da
        set srcintf "port9"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "rsso.group.1"
    next
    edit 9
        set name "test"
        set uuid 1f1b0210-ca76-51ee-2e57-d8ec569e8ecf
        set srcintf "port9"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "rsso.group.2"
    next
end
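The two groups above differ only by case, and because FortiGate compares the attribute value case-insensitively (as the debug output later in this article shows), they are interchangeable to the policy engine: a user carrying either value is a member of both groups, and the traffic matches whichever referencing policy comes first in sequence. The following script is an added example, not part of the Fortinet article, that audits a configuration dump for such collisions and names the policy that wins and the ones it shadows. SAMPLE_CONFIG is a constructed dump built from the groups and policies above plus a third, non-colliding group; the script assumes policies appear in evaluation (sequence) order, as a config dump prints them, and that the comparison is case-insensitive.

```python
"""Audit a FortiOS configuration for RSSO groups whose sso-attribute-value differ only
by case, and report which firewall policy a member of those groups really hits.
Added example, not from the Fortinet article. SAMPLE_CONFIG is a constructed dump of
the article's groups and policies plus a non-colliding third group; it assumes policies
are listed in evaluation (sequence) order and the comparison is case-insensitive."""
import shlex
from collections import defaultdict

SAMPLE_CONFIG = """\
config user group
    edit "rsso.group.1"
        set group-type rsso
        set sso-attribute-value "aaaa"
    next
    edit "rsso.group.2"
        set group-type rsso
        set sso-attribute-value "AAAA"
    next
    edit "rsso.group.3"
        set group-type rsso
        set sso-attribute-value "bbbb"
    next
end
config firewall policy
    edit 4
        set name "out-1"
        set groups "rsso.group.1"
    next
    edit 9
        set name "test"
        set groups "rsso.group.2"
    next
    edit 12
        set name "other"
        set groups "rsso.group.3"
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Minimal config parser: {"<table>": [(entry_id, {key: [values]}), ...]},
    entries kept in file order. Sub-tables nested inside an entry are skipped."""
    sections, section, entry, nested = {}, None, None, 0
    for raw in text.splitlines():
        toks = shlex.split(raw.strip())
        if not toks:
            continue
        kw = toks[0]
        if nested:                                   # inside a nested sub-table
            nested += (kw == "config") - (kw == "end")
        elif kw == "config" and entry is not None:
            nested = 1
        elif kw == "config":
            section = " ".join(toks[1:])
            sections.setdefault(section, [])
        elif kw == "edit" and section is not None:
            entry = (toks[1], {})
            sections[section].append(entry)
        elif kw == "set" and entry is not None and len(toks) >= 3:
            entry[1][toks[1]] = toks[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section = None
    return sections


def case_collisions(sections: dict) -> dict:
    """Bucket rsso groups by case-folded attribute value; keep buckets with >1 group."""
    buckets = defaultdict(list)
    for name, attrs in sections.get("user group", []):
        if attrs.get("group-type") == ["rsso"]:
            buckets[attrs.get("sso-attribute-value", [""])[0].casefold()].append(name)
    return {k: v for k, v in buckets.items() if len(v) > 1}


def policies_referencing(sections: dict, groups) -> list:
    """[(policy id, name)] in sequence order for policies whose `groups` names any of them."""
    wanted = set(groups)
    return [(pid, attrs.get("name", [""])[0])
            for pid, attrs in sections.get("firewall policy", [])
            if wanted & set(attrs.get("groups", []))]


def audit(text: str) -> list:
    """One finding per collision: the policy that wins and the ones it shadows."""
    sections = parse_fortios(text)
    findings = []
    for folded, names in sorted(case_collisions(sections).items()):
        hits = policies_referencing(sections, names)
        if not hits:
            findings.append(f"groups {', '.join(names)} collapse to '{folded}'; no policy uses them")
            continue
        (pid, pname), shadowed = hits[0], [p for p, _ in hits[1:]]
        findings.append(f"groups {', '.join(names)} collapse to '{folded}': members hit policy "
                        f"{pid} ('{pname}') first; shadowed policies: {shadowed}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show user group` and `show firewall policy` output concatenated into one file; for the sample it reports that rsso.group.1 and rsso.group.2 collapse to 'aaaa', that members hit policy 4 first, and that policy 9 is shadowed, which is exactly what the session output later in this article shows.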

 

Enable radiusd debugging via the CLI to see the authentication result:

diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application radiusd -1
diagnose debug enable

 

Generate and send a RADIUS accounting Start message with Class 'aaaa' to the FortiGate.
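To produce that message without a full NAS, the following added example (not code from the Fortinet article) builds an RFC 2866 Accounting-Request Start carrying User-Name, Framed-IP-Address and Class, computes the Request Authenticator that FortiGate checks when rsso-validate-request-secret is enabled, and validates the Accounting-Response that rsso-radius-response makes FortiGate send back. It assumes the FortiGate accepts accounting on UDP/1813; the target address 192.0.2.1 and the secret are placeholders, and the user, IP and Class values are constructed to mirror the article.

```python
"""Craft a RADIUS Accounting-Request (Start) with the attributes FortiGate RSSO
keys on, and validate the Accounting-Response. Added example, not code from the
Fortinet article: it assumes the FortiGate accepts accounting on UDP/1813 and that
`secret` equals the configured rsso-secret; the user, IP and Class values are
constructed to mirror the article, and the target address is a placeholder."""
import hashlib
import os
import socket
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
# RFC 2865/2866 attribute types. Class is what FortiGate matches against
# sso-attribute-value by default; User-Name is the article's endpoint attribute.
USER_NAME, FRAMED_IP_ADDRESS, CLASS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 25, 40, 44
ACCT_START = 1


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (length covers the 2-byte header)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_request(secret: bytes, ident: int, user: str, ip: str,
                       rsso_class: str, session_id: str, status: int = ACCT_START) -> bytes:
    """Accounting-Request whose Request Authenticator follows RFC 2866 section 3:
    MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    attrs = b"".join([
        avp(ACCT_STATUS_TYPE, struct.pack("!I", status)),
        avp(USER_NAME, user.encode()),
        avp(FRAMED_IP_ADDRESS, socket.inet_aton(ip)),
        avp(CLASS, rsso_class.encode()),
        avp(ACCT_SESSION_ID, session_id.encode()),
    ])
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def verify_request(secret: bytes, request: bytes) -> bool:
    """Server-side check of the Request Authenticator; this is what
    rsso-validate-request-secret makes FortiGate do with its rsso-secret."""
    if len(request) < 20 or request[0] != ACCT_REQUEST:
        return False
    if struct.unpack("!H", request[2:4])[0] != len(request):
        return False
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return expected == request[4:20]


def build_acct_response(secret: bytes, request: bytes) -> bytes:
    """Attribute-less Accounting-Response; its Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + attributes + secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Accept only a response whose ID matches ours and whose authenticator was
    computed with the shared secret over our Request Authenticator."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def parse_attrs(payload: bytes) -> dict:
    """Decode the TLV attribute list into {type: value}; a later duplicate wins."""
    out, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        out[payload[i]] = payload[i + 2:i + payload[i + 1]]
        i += payload[i + 1]
    return out


def send_start(host: str, secret: bytes, user: str, ip: str, rsso_class: str,
               port: int = 1813, timeout: float = 3.0) -> bool:
    """Send one Start record; True only if an authenticated Accounting-Response arrives."""
    ident = os.urandom(1)[0]
    req = build_acct_request(secret, ident, user, ip, rsso_class, os.urandom(4).hex())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_response(secret, req, resp)


if __name__ == "__main__":
    # 192.0.2.1 and the secret are placeholders: use the FortiGate address and its rsso-secret.
    ok = send_start("192.0.2.1", b"example-rsso-secret", "shah@fortiserver.com",
                    "10.129.3.148", "aaaa")
    print("authenticated Accounting-Response" if ok else "no valid response")
```

Sending the same record again with "AAAA" in place of "aaaa" reproduces the second step of this article. If the secret does not match the rsso-secret, a FortiGate with rsso-validate-request-secret enabled silently drops the request, which shows up as a timeout here and as no "Received radius accounting event" line in the radiusd debug.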

In this example, the first RADIUS accounting message, with Class 'aaaa', is received for source IP 10.129.3.148 and username shah@fortiserver.com:

 

2024-02-13 14:58:07 Received radius accounting event
2024-02-13 14:58:07 vd 0:root Add/Update auth logon for IP 10.129.3.148 for user shah@fortiserver.com
2024-02-13 14:58:07 DB 0 insert [ep='shah@fortiserver.com' pg='aaaa' ip='10.129.3.148/32'] success
2024-02-13 14:58:07 Send accounting response

 

Hub # di test application radiusd 3
2024-02-13 14:58:38 RADIUS server database [vd root]:
2024-02-13 14:58:38 "index","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
2024-02-13 14:58:38 1,07:59:29,"10.129.3.148","shah@fortiserver.com","allow","no log","aaaa",1,No
2024-02-13 14:58:38

 

The user matches both groups, because FortiGate treats 'AAAA' and 'aaaa' as the same value:

 

di firewall auth list

10.129.3.148, shah@fortiserver.com
type: rsso, id: 0, duration: 13, idled: 3
flag(10): radius
server: root
packets: in 0 out 5, bytes: in 0 out 310
group_id: 3 2
group_name: rsso.group.2 rsso.group.1

----- 1 listed, 0 filtered ------

 

Clear the session filter, then filter on the client's source IP and ICMP (protocol 1); no ping session exists yet:

 

di sys session filter cl
di sys session filter src 10.129.3.148
di sys session filter proto 1
di sys session list
total session 0 <- There is no session entry for ping traffic.

 

Ping 4.2.2.2 from the client. The traffic hits firewall policy ID 4, the upper of the two policies (policy_id=4 in the session below):


di sys session list

session info: proto=1 proto_state=00 duration=8 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=shah@fortiserver.com auth_server=root state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=540/9/1 reply=540/9/1 tuples=2
tx speed(Bps/kbps): 62/0 rx speed(Bps/kbps): 62/0
orgin->sink: org pre->post, reply pre->post dev=5->17/17->5 gwy=10.109.31.254/10.129.3.148
hook=post dir=org act=snat 10.129.3.148:1->4.2.2.2:8(10.109.17.69:60418)
hook=pre dir=reply act=dnat 4.2.2.2:60418->10.109.17.69:0(10.129.3.148:1)
misc=0 policy_id=4 pol_uuid_idx=554 auth_info=2 chk_client_info=0 vd=0
serial=004933db tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x040000
no_ofld_reason: non-npu-intf
total session 1

 

Now generate and send a second RADIUS accounting Start message, with Class 'AAAA', for the same source IP 10.129.3.148 and the same username shah@fortiserver.com. The existing RSSO entry is overwritten by the new accounting packet with Class 'AAAA':

 

2024-02-13 14:59:15 Received radius accounting event
2024-02-13 14:59:15 DB 0 insert [ep='shah@fortiserver.com' pg='AAAA' ip='10.129.3.148/32'] success
2024-02-13 14:59:15 Send accounting response

 

di test application radiusd 3
2024-02-13 14:59:23 RADIUS server database [vd root]:
2024-02-13 14:59:23 "index","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
2024-02-13 14:59:23 1,07:59:52,"10.129.3.148","shah@fortiserver.com","allow","no log","AAAA",1,No
2024-02-13 14:59:23

 

di firewall auth list

10.129.3.148, shah@fortiserver.com
type: rsso, id: 0, duration: 72, idled: 0
flag(10): radius
server: root
packets: in 38 out 75, bytes: in 2280 out 5076
group_id: 3 2
group_name: rsso.group.2 rsso.group.1 <- The user still matches both groups, because FortiGate treats 'AAAA' and 'aaaa' as the same value.

----- 1 listed, 0 filtered ------

 

Ping 8.8.4.4 from the same client as well. Both the earlier session (to 4.2.2.2) and the new one (to 8.8.4.4) still hit the upper firewall policy ID 4:

 

di sys session list

session info: proto=1 proto_state=00 duration=7 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=shah@fortiserver.com auth_server=root state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=480/8/1 reply=480/8/1 tuples=2
tx speed(Bps/kbps): 66/0 rx speed(Bps/kbps): 66/0
orgin->sink: org pre->post, reply pre->post dev=5->17/17->5 gwy=10.109.31.254/10.129.3.148
hook=post dir=org act=snat 10.129.3.148:1->8.8.4.4:8(10.109.17.69:60418)
hook=pre dir=reply act=dnat 8.8.4.4:60418->10.109.17.69:0(10.129.3.148:1)
misc=0 policy_id=4 pol_uuid_idx=554 auth_info=2 chk_client_info=0 vd=0
serial=00493662 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x040000
no_ofld_reason: non-npu-intf

session info: proto=1 proto_state=00 duration=63 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=shah@fortiserver.com auth_server=root state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=3780/63/1 reply=3780/63/1 tuples=2
tx speed(Bps/kbps): 58/0 rx speed(Bps/kbps): 58/0
orgin->sink: org pre->post, reply pre->post dev=5->17/17->5 gwy=10.109.31.254/10.129.3.148
hook=post dir=org act=snat 10.129.3.148:1->4.2.2.2:8(10.109.17.69:60418)
hook=pre dir=reply act=dnat 4.2.2.2:60418->10.109.17.69:0(10.129.3.148:1)
misc=0 policy_id=4 pol_uuid_idx=554 auth_info=2 chk_client_info=0 vd=0
serial=004933db tos=ff/ff app_list=0 app=0 url_cat=0 <- Same session serial as before the Class attribute changed: the existing session was kept, not re-created.
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x040000
no_ofld_reason: non-npu-intf
total session 2

 
