Description
When a user is connected to the LAN and is successfully authenticated by Active Directory, the DC's security event log can be polled for logon events, and this information is sent to FortiGate to record the IP address, username and group information associated with that event. Users may have a static IP address or may be assigned one by a DHCP server.
If the device is a laptop, for example, authentication requests are most often made over the Ethernet interface (the default setting).
What happens when the user disconnects from the wired connection? FortiGate does not know the IP address of the laptop's wireless interface, so the user is no longer authenticated to the firewall.
The user may have to sign out and sign back in so that the authentication request is made from the wireless IP address.
This is where RSSO comes into the picture.
RSSO uses the wireless (802.1X) authentication request, learning of it via RADIUS Accounting from the RADIUS server that authenticates that request.
We will discuss more about this in a bit.
Typically, RSSO is the solution when a third-party AP is used, but that does not prevent the administrator from using it with FortiAP.
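To make the RADIUS Accounting step concrete, the following added example (not Fortinet code and not taken from the attached document) parses an RFC 2866 Accounting-Request and updates an IP-to-user table when the wireless session starts or stops. The function names, the choice of User-Name, Framed-IP-Address and Class as the identity attributes, and the sample packets are assumptions made for illustration.

```python
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                                    # RADIUS packet code (RFC 2866)
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS = 1, 8, 25, 40   # attribute types
START, STOP, INTERIM = 1, 2, 3                            # Acct-Status-Type values

def build_accounting(status, user, ip, group):
    """Build a sample Accounting-Request (constructed data, hypothetical helper)."""
    def attr(atype, value):
        return bytes([atype, len(value) + 2]) + value     # length covers the 2-byte header
    attrs = (attr(ACCT_STATUS, struct.pack("!I", status))
             + attr(USER_NAME, user.encode())
             + attr(FRAMED_IP, ipaddress.IPv4Address(ip).packed)
             + attr(CLASS, group.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(attrs))
    # Zeroed authenticator: a real receiver verifies it against the shared secret.
    return header + bytes(16) + attrs

def parse_accounting(packet):
    """Return {attribute type: value bytes}; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def apply_accounting(sessions, packet):
    """Update the IP -> (user, group) table that firewall policy would consult."""
    a = parse_accounting(packet)
    if not {USER_NAME, FRAMED_IP, ACCT_STATUS} <= a.keys():
        raise ValueError("missing identity attributes")
    status = int.from_bytes(a[ACCT_STATUS], "big")
    ip = str(ipaddress.IPv4Address(a[FRAMED_IP]))
    if status in (START, INTERIM):
        sessions[ip] = (a[USER_NAME].decode(), a.get(CLASS, b"").decode())
    elif status == STOP:
        sessions.pop(ip, None)
    return sessions
```

A Start or Interim-Update for the wireless address adds the mapping that the DC event log never reported, and a Stop removes it so a stale address does not keep the user's access.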
Solution
The authentication flow and setup are described in the attached document.