Article Id 193074
Description
This article provides an example of how to configure RADIUS Single Sign-On (RSSO) on FortiOS 5.2. The RSSO configuration syntax has changed in this firmware version.

Solution
1) Configure the interface on which the RADIUS accounting messages will be received (note that `radius-acct` must be included in `allowaccess`):

edit "MOB-MTN-Int"
set vdom "MOB-MTN"
set ip 196.33.141.228 255.255.255.248
set allowaccess ping radius-acct capwap
set snmp-index 20
set interface "port2"
set vlanid 289
next

2) Configure the RADIUS server. If the device has VDOMs enabled, a RADIUS server must be defined in each VDOM:

config user radius
edit "DynProMTN"
set rsso enable
set rsso-radius-response enable
set rsso-validate-request-secret enable
set rsso-secret ENC 2ll8YtWsZtIxsEsoLEtH9xXOIELfKgaTT3rlSiPyEPlEHW3cY
//IxZWUC7F5apNXi9ra6H3NtoTf4lmQA1u//99US+EA64lFRRf+QpVkCd9gHJm+Y6lz/
EdqjI2MpdjdN8XbK4Lr4xXWuizWkzDipnfYNeRW9ETQjbqAU32UzUs+Mm7kF3GDYiN2qFGIgoP+Fq82Ow==
set rsso-endpoint-attribute Login-LAT-Node
set sso-attribute-key "profile"
set rsso-flush-ip-session enable
next
end

3) Configure the webfilter profiles. One profile is needed per profile group; the profile that is applied depends on the profile key sent in the RADIUS accounting message:

config webfilter profile
edit "default"

------SNIP
edit "CP"
set comment "Default corporate policy for dynamic filter"
set inspection-mode flow-based
config override
set ovrd-user-group ""
end
config ftgd-wf
set category 59
set action block
next
set log-all-url enable
next

----SNIP
edit "RO"
set inspection-mode flow-based
config override
set ovrd-user-group ""
end
config ftgd-wf
unset options
set category-override g01 g02 g04 g05 g06 g07 g21 143 142 141 14 143 142 141 140
set exempt-quota 140
config filters

-----SNIP
edit "Corporate_URL_Filter"
set inspection-mode flow-based
config override
set ovrd-user-group ""
end
config ftgd-wf
set options http-err-detail rate-server-ip redir-block
set category-override 143 142 141 140
_____SNIP
edit "Log_Only"
set inspection-mode flow-based
config override
set ovrd-user-group ""
end
config ftgd-wf
set options http-err-detail rate-server-ip redir-block
set category-override g01 g02 g04 g05 g06 g07 g21 143 142 141 14
___SNIP

4) Configure the firewall profile-protocol-options:

config firewall profile-protocol-options
edit "Mobile-Url-Filtering"
___SNIP
edit "Corportae_Url_Filter"
config http
set ports 80
------SNIP
edit "Logging-Only"
-----SNIP
edit "default"

5) Configure the profile group. The group name must match the profile name that will be received in the RADIUS accounting message:

config firewall profile-group
edit "Mobile-Url-Filtering"
set profile-protocol-options "Mobile-Url-Filtering"
set ssl-ssh-profile "Mobile-Url-Filtering"
next
ssl-ssh-profile "Logging-Only"
next
edit "CP"
set webfilter-profile "CP"
set profile-protocol-options "default"
set ssl-ssh-profile "_CP_5_default_"
next
edit "default"
set webfilter-profile "default"
set profile-protocol-options "default"
next
edit "RO"
set webfilter-profile "RO"
set profile-protocol-options "default"
set ssl-ssh-profile "_RO_6_default_"
next

6) Configure the firewall policies for each of the defined groups:

config firewall policy
edit 9
set srcintf "MOB-MTN-Int"
set dstintf "MOB-MTN-EXT"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set rsso enable
set groups "CP"
set profile-type group
set profile-group "CP"
next
edit 24
set srcintf "MOB-MTN-Int"
set dstintf "MOB-MTN-EXT"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set rsso enable
set groups "RO"
set profile-type group
set profile-group "RO"
next
edit 34
set srcintf "MOB-MTN-Int"
set dstintf "MOB-MTN-EXT"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set rsso enable
set groups "default" "Default"
set profile-type group
set profile-group "default"
next
