FortiGate
masokan_ftnt
Staff
Article Id 377192
Description

This article describes how to control access through firewall policies based on FSSO-retrieved user groups for dialup IPsec VPN users.

Scope

FortiGate v7.0 and newer versions.

Solution

In this example, a Windows Server is used as the RADIUS server for authenticating VPN clients. The FSSO collector agent on the same server is configured to receive RADIUS accounting from the FortiGate, which is how the FortiGate then learns the user's AD group membership together with the assigned VPN IP address.

 

Prerequisites:

  • Any FortiGate running v7.0 or later.
  • Windows Server acting as the RADIUS server, with the AD DS role installed.
  • Windows Server with the FSSO collector agent (FSSO CA) installed.
  • FortiClient on Windows or macOS for connecting to the FortiGate IPsec tunnel.

 

Configuration on FortiGate:

 

  1. Set up the RADIUS server (authentication and accounting):

 

config user radius

    edit "LAB-RAD"

        set server "10.21.1.100"

        set secret password

        set acct-interim-interval 600

        config accounting-server

            edit 1

                set status enable

                set server "10.21.1.100"

                set secret password

                set port 1988

            next

        end

    next

end 

 

  2. Configure the tunnel:

 

config vpn ipsec phase1-interface

    edit "FSSO"

        set type dynamic

        set interface "port1"

        set ike-version 2

        set peertype any

        set net-device disable

        set mode-cfg enable

        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256

        set comments "VPN: FSSO -- Created by VPN wizard"

        set eap enable

        set eap-identity send-request

        set wizard-type dialup-forticlient

        set ems-sn-check enable <-- Only valid for EMS-managed FortiClient. If using the free FortiClient, make sure this is disabled (set ems-sn-check disable).

        set transport auto

        set ipv4-start-ip 10.10.90.1

        set ipv4-end-ip 10.10.90.10

        set dns-mode auto

        set ipv4-split-include "FSSO_split"

        set save-password enable

        set psksecret password

    next

end

 

config vpn ipsec phase2-interface

    edit "FSSO"

        set phase1name "FSSO"

        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

        set comments "VPN: FSSO -- Created by VPN wizard"

    next

end

 

  3. Firewall policy 3 is used for authenticating VPN clients and policy 4 is used to access resources. Note the group setting on each: policy 3 matches on the RADIUS user group (set groups), policy 4 on the FSSO group (set fsso-groups):

 

config firewall policy

    edit 3

        set name "vpn_FSSO_remote" <----- Dummy policy used for authentication only.

        set uuid b3ca4f9a-e133-51ef-1fec-94324c908328

        set srcintf "FSSO"

        set dstintf "port3"

        set action accept

        set srcaddr "FSSO_range"

        set dstaddr "none" <----- DST can be none.

        set schedule "always"

        set service "ALL"

        set logtraffic all

        set groups "VPN-Users" <----- Groups used for authentication.

        set comments "VPN: FSSO -- Created by VPN wizard"

    next

    edit 4

        set name "VPN-LAN-ADMIN"

        set uuid 181d1270-e1b6-51ef-c831-d6b5173ce53b

        set srcintf "FSSO"

        set dstintf "port3" "port4"

        set action accept

        set srcaddr "FSSO_range"

        set dstaddr "port3 address" "port4 address"

        set schedule "always"

        set service "ALL"

        set logtraffic all

        set fsso-groups "LABSRVDC/VPN_ITADMIN" <----- FSSO groups allowed for access.

    next

end

 

  4. Create a user group for the RADIUS server:

 

config user group

    edit "VPN-Users"

        set member "LAB-RAD"

    next

end

  5. FSSO configuration:

 

config user fsso

    edit "LAB-DC01"

        set server "10.21.1.100"

        set password password

    next

end

 

  6. FSSO collector agent configuration on Windows:

 

masokan_ftnt_0-1739841939628.png

 

masokan_ftnt_1-1739841939630.png

 

Note:

Port 1988 is used here; the default RADIUS accounting port is 1813. Since this setup runs the RADIUS server and the FSSO collector agent on the same Windows server, and the RADIUS service already listens on UDP 1812, 1813, 1645 and 1646 by default, the collector agent's accounting listener must use a different port to avoid a conflict. Whatever port is chosen must match the port set under config accounting-server in the FortiGate RADIUS configuration (step 1).
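The accounting exchange described in the note above, as an added example that is not part of the article or of Fortinet's software: a minimal RFC 2866 Accounting-Request builder and verifier in Python (standard library only). It shows what the FortiGate sends to the collector agent's accounting listener (User-Name, Framed-IP-Address, Acct-Status-Type) and the shared-secret check the listener must apply before trusting a user-to-IP mapping. It assumes the article's values (collector agent 10.21.1.100 on UDP 1988, secret "password", NAS address 10.21.4.154 and client address 10.10.90.1 from the diag output, user jdoe); the session ID is made up. The send function is the only part that touches the network and is not called by default, so the block runs offline.

```python
"""Build, parse and verify a RADIUS Accounting-Request (RFC 2866).

Added example, not from the article or Fortinet. Assumed values follow the
article: collector agent at 10.21.1.100:1988/udp, secret "password",
NAS 10.21.4.154, VPN client 10.10.90.1, user jdoe. Session id is made up.
"""
import hashlib
import hmac
import socket
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional

CODE_ACCOUNTING_REQUEST = 4      # RFC 2866 packet codes
CODE_ACCOUNTING_RESPONSE = 5

ATTR_USER_NAME = 1               # RFC 2865/2866 attribute types
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS = {"start": 1, "stop": 2, "interim-update": 3}

COLLECTOR_HOST = "10.21.1.100"   # article value (assumed)
COLLECTOR_ACCT_PORT = 1988       # article's non-default accounting port
SHARED_SECRET = b"password"      # article placeholder


def _avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(1) Value; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(user: str, framed_ip: str, nas_ip: str,
                             status: str, secret: bytes, session_id: str,
                             identifier: int = 1) -> bytes:
    """Return a complete Accounting-Request datagram.

    The Request Authenticator is MD5(Code + ID + Length + 16 zero octets +
    Attributes + Secret), as RFC 2866 section 3 specifies; this is what
    ties the user-to-IP claim to the shared secret.
    """
    attrs = (
        _avp(ATTR_USER_NAME, user.encode())
        + _avp(ATTR_NAS_IP_ADDRESS, IPv4Address(nas_ip).packed)
        + _avp(ATTR_FRAMED_IP_ADDRESS, IPv4Address(framed_ip).packed)
        + _avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS[status]))
        + _avp(ATTR_ACCT_SESSION_ID, session_id.encode())
    )
    length = 20 + len(attrs)                    # 20-byte header incl. authenticator
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict:
    """Decode the fields a collector agent needs to build its logon table."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    out: Dict = {"code": code, "identifier": ident}
    pos = 20
    while pos < length:
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        v = packet[pos + 2:pos + l]
        if t == ATTR_USER_NAME:
            out["user"] = v.decode()
        elif t == ATTR_FRAMED_IP_ADDRESS:
            out["framed_ip"] = str(IPv4Address(v))
        elif t == ATTR_NAS_IP_ADDRESS:
            out["nas_ip"] = str(IPv4Address(v))
        elif t == ATTR_ACCT_STATUS_TYPE:
            out["status"] = struct.unpack("!I", v)[0]
        elif t == ATTR_ACCT_SESSION_ID:
            out["session_id"] = v.decode()
        pos += l
    return out


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator with the shared secret; a forged or
    tampered packet, or one sent with the wrong secret, fails here."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def send_accounting(packet: bytes, host: str = COLLECTOR_HOST,
                    port: int = COLLECTOR_ACCT_PORT,
                    timeout: float = 3.0) -> Optional[bytes]:
    """Send to the collector agent and return its Accounting-Response (code 5),
    or None on timeout. Touches the network; not called by default."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data


if __name__ == "__main__":
    pkt = build_accounting_request("jdoe", "10.10.90.1", "10.21.4.154",
                                   "start", SHARED_SECRET, "0001")
    print(parse_attributes(pkt), verify_request_authenticator(pkt, SHARED_SECRET))
```

With `set acct-interim-interval 600`, the FortiGate repeats this as an Interim-Update every 600 seconds and sends a Stop when the tunnel goes down; the collector agent keeps or removes the IP-to-user mapping accordingly, so a listener that skips the authenticator check would accept any spoofed Start from the LAN.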

 

Set group filters if necessary:

 

masokan_ftnt_2-1739841939645.png

 

On the FortiGate, notice that the collector agent now only sends information for two groups:

 

masokan_ftnt_3-1739841939647.png

 

masokan_ftnt_4-1739841939648.png

 

  7. On the AD server:
  • User name: John Doe (login jdoe).
  • Groups: VPN-Users and VPN_ITADMIN.
  • The RADIUS server only accepts connections from users who are members of the VPN-Users group.

 

  8. Initiate a connection from FortiClient:

 

masokan_ftnt_5-1739841939652.png

 

masokan_ftnt_6-1739841939657.png

 

  9. After successfully connecting to the VPN:

 

LABVM01 # dia vpn ike gateway list

 

vd: root/0

name: FSSO_0

version: 2

interface: port1 3

addr: 10.21.4.154:500 -> 10.119.200.39:500

tun_id: 10.10.90.1/::10.0.0.3

remote_location: 0.0.0.0

network-id: 0

transport: UDP

created: 184s ago

eap-user: jdoe

2FA: no

groups:

  VPN-Users 2

peer-id: 10.119.200.39

peer-id-auth: no

FortiClient UID: EE8DB044C2DE74D05949C57BC7E4A878C

assigned IPv4 address: 10.10.90.1/255.255.255.255

pending-queue: 0

PPK: no

IKE SA: created 1/1  established 1/1  time 40/40/40 ms

IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

 

 

LABVM01 # dia firewall auth list

 

10.10.90.1, JDOE

        type: fsso, id: 0, duration: 10, idled: 10

        server: LAB-DC01

        packets: in 0 out 0, bytes: in 0 out 0

        group_id: 33554435 33554434

        group_name: LABSRVDC/VPN-USERS LABSRVDC/VPN_ITADMIN

 

10.10.90.1, jdoe

        type: fw, id: 0, duration: 11, idled: 11

        server: LAB-RAD

        packets: in 0 out 1, bytes: in 0 out 62

        group_id: 2

        group_name: VPN-Users

 

----- 2 listed, 0 filtered ------ 

 

The output above shows two entries for the same address 10.10.90.1. The FortiGate learned the VPN-Users group from the IPsec RADIUS authentication itself (type fw, server LAB-RAD), and separately learned LABSRVDC/VPN-USERS and LABSRVDC/VPN_ITADMIN through the collector agent (type fsso, server LAB-DC01), which obtained them from the RADIUS accounting sent for the session. Note that the authentication type differs between the two entries: policy 3 matches the fw entry through set groups, while policy 4 matches only the fsso entry through set fsso-groups. A user who authenticates successfully but is not a member of VPN_ITADMIN therefore still does not match policy 4.
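To turn the comparison above into a check that can be run against saved diag output, here is an added Python example (not from the article or from FortiOS). It parses the text of diagnose firewall auth list and answers whether an address carries the FSSO group a policy's fsso-groups setting requires, keeping fw and fsso entries apart the way the policy engine does. The embedded sample is the article's own output, with one constructed entry added for a second client (10.10.90.2, user asmith, member of VPN-USERS only) to show the negative case; group names are assumed to be space-separated and to contain no spaces, as in the article's output.

```python
"""Check from 'diagnose firewall auth list' text whether a VPN client address
carries the FSSO group a policy's 'set fsso-groups' requires.

Added example, not part of the article or FortiOS. Read-only: it parses
pasted output and never talks to the FortiGate.
"""
import re
from typing import Dict, List, Set

# First two entries are the article's output; the 10.10.90.2 entry is constructed.
SAMPLE_AUTH_LIST = """\
10.10.90.1, JDOE
        type: fsso, id: 0, duration: 10, idled: 10
        server: LAB-DC01
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 33554435 33554434
        group_name: LABSRVDC/VPN-USERS LABSRVDC/VPN_ITADMIN

10.10.90.1, jdoe
        type: fw, id: 0, duration: 11, idled: 11
        server: LAB-RAD
        packets: in 0 out 1, bytes: in 0 out 62
        group_id: 2
        group_name: VPN-Users

10.10.90.2, ASMITH
        type: fsso, id: 0, duration: 5, idled: 5
        server: LAB-DC01
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 33554435
        group_name: LABSRVDC/VPN-USERS

----- 3 listed, 0 filtered ------
"""

# Entry header sits at column 0: "<ipv4>, <user>"
_HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)\s*$")


def parse_auth_list(text: str) -> List[Dict]:
    """Turn the diag output into entries: {ip, user, type, server, groups}."""
    entries: List[Dict] = []
    cur = None
    for raw in text.splitlines():
        m = _HEADER.match(raw)
        if m:
            cur = {"ip": m.group(1), "user": m.group(2), "type": None,
                   "server": None, "groups": set()}
            entries.append(cur)
            continue
        line = raw.strip()
        if cur is None or not line or line.startswith("-----"):
            continue
        if line.startswith("type:"):
            # "type: fsso, id: 0, duration: 10, idled: 10" -> "fsso"
            cur["type"] = line.split(",")[0].split(":", 1)[1].strip()
        elif line.startswith("server:"):
            cur["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("group_name:"):
            # Assumption: names are space-separated and contain no spaces.
            cur["groups"] = set(line.split(":", 1)[1].split())
    return entries


def groups_for_ip(entries: List[Dict], ip: str, auth_type: str) -> Set[str]:
    """Union of groups for an address, restricted to one entry type
    ('fsso' feeds fsso-groups matching, 'fw' feeds set groups matching)."""
    groups: Set[str] = set()
    for e in entries:
        if e["ip"] == ip and e["type"] == auth_type:
            groups |= e["groups"]
    return groups


def policy_fsso_match(entries: List[Dict], ip: str,
                      policy_fsso_groups: Set[str]) -> bool:
    """True when the address has an fsso entry carrying at least one of the
    policy's FSSO groups. A group learned only on the fw entry never counts,
    which is why policy 4 is not satisfied by VPN-Users alone."""
    return bool(groups_for_ip(entries, ip, "fsso") & policy_fsso_groups)


if __name__ == "__main__":
    ents = parse_auth_list(SAMPLE_AUTH_LIST)
    policy4 = {"LABSRVDC/VPN_ITADMIN"}
    for ip in ("10.10.90.1", "10.10.90.2"):
        print(ip, "matches policy 4:", policy_fsso_match(ents, ip, policy4))
```

Run it against the output of diagnose firewall auth list copied from the FortiGate (or a log collector) after a user reports being unable to reach a resource: if the address shows only the fw entry, the collector agent never received or accepted the accounting Start, and the RADIUS accounting configuration or the collector agent's group filter is the place to look.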

 

This information can also be seen on the FSSO collector agent:

 

masokan_ftnt_7-1739841939662.png

 

FortiGate will also have user events as below:

 

date=2025-02-02 time=16:26:59 eventtime=1738542418992675738 tz="-0800" logid="0102043039" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication logon" srcip=10.10.90.1 user="JDOE" authserver="LAB-DC01" action="auth-logon" status="logon" msg="User JDOE added to auth logon"

 

date=2025-02-02 time=16:26:59 eventtime=1738542418992400224 tz="-0800" logid="0102043014" type="event" subtype="user" level="notice" vd="root" logdesc="FSSO logon authentication status" srcip=10.10.90.1 user="JDOE" server="LAB-DC01" action="FSSO-logon" msg="FSSO-logon event from LAB-DC01: user JDOE logged on 10.10.90.1"

 

date=2025-02-02 time=16:26:58 eventtime=1738542418014461220 tz="-0800" logid="0102043039" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication logon" srcip=10.10.90.1 user="jdoe" authserver="LAB-RAD" action="auth-logon" status="logon" msg="User jdoe added to auth logon"

 

For details on how to set up IKEv2 with a Windows RADIUS server, refer to the articles below:

Technical Tip: IKEv2 Dialup IPsec tunnel with Radius and FortiToken MFA

Technical Tip: IKEv2 dialup IPsec tunnel with Radius server authentication and FortiClient

 

For details on how to set up FSSO, refer to the documents below:

Technical Tip: How to install the FSSO Collector Agent

Fortinet single sign-on agent

 

For details on how to get FSSO groups using Syslog from FSSO-CA, refer to the article below:

Technical Tip: Configure Fortinet Single Sign On (FSSO) for SSL-VPN users via Syslog