FortiGate
nprakash
Staff
Article Id 200187

Description

 

This article describes a scenario in which a user connected to the LAN has been authenticated by Active Directory. The domain controller's security event log is polled for logon events, and the IP address, user name and group information associated with each event are sent to the FortiGate (this is the Fortinet Single Sign-On (FSSO) polling method). The user's IP address may be static or assigned by a DHCP server. On a laptop, the logon is usually performed over the Ethernet interface, so the IP address recorded is that of the wired adapter. What happens when the user disconnects from the wired network? The FortiGate does not know the IP address of the laptop's wireless interface, so the user is no longer authenticated to the firewall. The user may have to sign out and sign back in so that a new logon event is generated with the wireless IP address.

 

This is where RSSO comes into the picture. With RADIUS Single Sign-On (RSSO), the wireless 802.1X authentication is handled by the RADIUS server, and the RADIUS Accounting packets generated for that wireless session (carrying the user name, the client's IP address and a group attribute) are delivered to the FortiGate, which uses them to create the user's authentication record. This is covered in more detail below. RSSO is typically the solution when a third-party AP is used, but nothing prevents an administrator from using it with a FortiAP.

 

AUTHENTICATION FLOW:


When third-party AP is deployed:

 

nprakash_1-1638475386163.png

 

The configuration components covered below are:

  1. The RSSO accounting listener, which listens on UDP port 1813 for accounting packets.
  2. The RADIUS server object on the FortiGate, with RADIUS Accounting enabled.
  3. The RSSO user group.
  4. The WiFi SSID.
  5. The NPS (Windows Server 2019) configuration for authentication and authorization.

 

RSSO Accounting Listener listens on port 1813 for accounting packets

  1. Log in to the FortiGate and select Security Fabric > Fabric Connectors > Create New, then select 'RADIUS Single Sign-On Agent'.
  2. Enable 'Use RADIUS Shared Secret' and enter the shared secret that will be configured in the NPS for the remote RADIUS server (accounting).
  3. Enable 'Send RADIUS Responses' so that the FortiGate acknowledges each Accounting-Request it receives, and select OK.

 

nprakash_2-1638475445543.png

 

  1. Connect to the CLI and add the settings shown in the configuration above to the RSSO agent. In a FortiAP deployment the accounting packets identify the user with the 'User-Name' attribute, so that attribute is configured as the endpoint attribute; refer to other vendors' documentation for the attribute their accounting packets use for this field.
    'rsso-context-timeout' is the number of seconds after which an RSSO authentication entry is cleared (the default is 28800; when set to 0, the entry never times out).

 

RADIUS Accounting and FortiGate RADIUS Server

  1. Create a RADIUS server object on the FortiGate that points to the NPS, and enable 'RADIUS Accounting' under Administrative Access on the interface facing the NPS, so that the RSSO listener accepts the accounting packets the NPS forwards back.

 

nprakash_3-1638475585571.png

 

  1. From the CLI, add the configuration shown above so that accounting packets are sent for every connection that uses this server.
  2. Accounting packets will now be sent to UDP port 1813 of the RADIUS server (the NPS).


Configuring RSSO user group

  1. From User & Device > User Group, select Create New.
  2. Provide a name for the group and select 'RADIUS Single Sign-On (RSSO)'.
  3. Enter the 'RADIUS Attribute Value' for this group. This is the value of the Class attribute that the NPS returns for members of the corresponding AD group (NPS allows it to be entered as a string or in hex); the FortiGate compares it case-sensitively to select the RSSO group and the identity-based firewall policy that references it.

 

nprakash_4-1638475626120.png

 

Configuring WiFi SSID:

  1. Select WiFi & Switch Controller > SSID and select Create New SSID.
  2. Provide a name for the interface, an IP/Netmask, and enable the DHCP Server.
  3. Enter the SSID name and select 'WPA2 Enterprise'.
  4. For authentication select 'RADIUS Server', choose the RADIUS server created earlier in this article, and select OK.

 

nprakash_5-1638475660399.png

 

Protected EAP with MS-CHAPv2 (PEAP-MS-CHAPv2) is an EAP type that is easier to deploy than EAP-TLS or PEAP-TLS, because the user is authenticated with password-based credentials (an AD user name and password) instead of a digital certificate or smart card. Only the servers running NPS need a certificate (this is covered in the NPS configuration below). The administrator can disable 'Validate server certificate' in the wireless profile on the end user's PC, but this is not recommended: without server validation the client will complete the MS-CHAPv2 exchange with any RADIUS server behind a rogue access point that announces the same SSID. When server validation is enabled, the NPS presents its certificate during the PEAP handshake and the client proceeds only if the certificate chains to a root CA it trusts (and, if configured, matches the expected server name). The NPS certificate can be issued by a public CA or by the private root CA deployed in the network.

 

Configuring NPS (Windows server 2019) for authentication and authorization


The goal here is to authenticate the wireless user, return the Class attribute that corresponds to the user's AD group membership, and forward the RADIUS Accounting packets (which the FortiGate sends to the NPS for each wireless session) back to the FortiGate's RSSO listener. In other words, the FortiGate is both a RADIUS client of the NPS and the destination of the accounting packets the NPS forwards.


Client and Remote Radius Server Group Configuration:

  1. Make sure the NPS service is running and the server is registered in Active Directory.
  2. Right-click 'RADIUS Clients', select New and fill in the Friendly Name, the Address (FortiGate IP) and the shared secret, which must match the FortiGate RADIUS server / RSSO agent configuration.

 

nprakash_6-1638475728278.png

 

  3. Right-click 'Remote RADIUS Server Groups', select New, enter a group name and click Add.

 

nprakash_7-1638475760647.png

 

4. Use the IP address of the FortiGate interface that was configured to accept 'RADIUS Accounting' in the previous step.
5. Navigate to the 'Authentication/Accounting' tab:
a. Uncheck 'Use the same shared secret for authentication and accounting'.
b. Enter the shared secret configured on the FortiGate for the RADIUS server / RSSO agent and click OK.

 

nprakash_8-1638475791776.png

 

Configuring Connection Request Policy
1. Right-Click on “Connection Request Policy” and select New.
2. Provide a name for the policy and navigate to the “Conditions” tab by clicking “Next”.

 

nprakash_9-1638475818667.png

 

3. Click 'Add' and select a condition. Adding 'Client IPv4 Address' restricts this connection request policy to requests received from the FortiGate, which are then evaluated by the network policy created in the next step. Provide the IP address of the FortiGate, click OK and then Add.

 

nprakash_10-1638475847743.png

 

4. Next, specify the Connection Request Forwarding. For Authentication, leave the default (Authenticate requests on this server). Under Accounting, check 'Forward accounting requests to this remote RADIUS server group' and select the remote RADIUS server group created earlier. Click Next.

 

nprakash_11-1638475882726.png

 

5. Leave Specify Authentication Methods to default and click on Next.
6. Click Next on Configure Settings dialogue.
7. Click Finish on the Completing connection request policy.

 

Configuring Network Policies


1. Right-Click on “Network Policies” and select New.
2. Provide a name for the policy and navigate to the “Conditions” tab by clicking “Next”.
3. Click 'Add' and select a condition. Select 'User Groups' and add the AD group for the restricted users. Click OK and Add.

 

nprakash_12-1638475922653.png

 

4. Leave Specify Access Permission at the default (Access granted) and click Next.
5. The next few steps are important because this is where the NPS certificate is linked. On the Configure Authentication Methods page:


a. Select Add and click 'Microsoft: Protected EAP (PEAP)'.

 

nprakash_13-1638475978406.png

 

b. Click on PEAP and click on Edit, select the certificate that the server should use to prove its identity to the client.

 

nprakash_14-1638476014002.png

 

6. Leave Configure Constraints at the defaults.
7. In Configure Settings, add the Standard RADIUS attribute 'Class' and enter its string value. This value must match the RADIUS Attribute Value in the RSSO user group (the match is case-sensitive). Click OK > Add > Next.

 

nprakash_15-1638476039245.png

 

  8. Verify the summary and select Finish.

 

Troubleshooting:

To observe the process outlined above, run the following FortiGate debug commands:

 

diag debug console timestamp enable
diag debug app fnbamd -1
diag debug app radiusd -1
diag debug enable

 

The first line adds timestamps to the debug output. The fnbamd debug shows the authentication exchange (Access-Request and Access-Accept or Access-Reject, including the Class attribute returned by the NPS). The radiusd debug shows the accounting messages received by the RSSO listener (Start, Stop and Interim-Update) and whether each was mapped to an RSSO group.

Additionally, run a packet capture on UDP ports 1812 (RADIUS authentication) and 1813 (RADIUS accounting) to complement the debug output. The capture shows whether accounting packets leave the FortiGate towards the NPS and whether the NPS forwards them back to the FortiGate; an accounting request that is never answered commonly points to a shared-secret mismatch or to RADIUS Accounting not being enabled on the receiving interface.
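The capture described above, as an added example (these commands are not part of the original article):

```fortios
# Capture RADIUS authentication and accounting on every interface.
# Verbosity 4 prints the interface name with each packet header, 0 sets no packet limit,
# and l adds local timestamps so the capture lines up with the debug output.
diagnose sniffer packet any 'udp and (port 1812 or port 1813)' 4 0 l

# Stop and clear the debug settings once troubleshooting is complete.
diagnose debug disable
diagnose debug reset
```

In a healthy exchange the capture shows the Access-Request to the NPS on 1812 and its Access-Accept, then an Accounting-Request from the FortiGate to the NPS on 1813, followed by the same Accounting-Request arriving from the NPS at the FortiGate interface where the RSSO agent listens, and the Accounting-Response the FortiGate sends back.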

 

On FortiGate, the user can be monitored on the user dashboard or on CLI with

 

diagnose firewall auth list | grep -A 7 <IP>
