Description
This article describes using a third-party RADIUS test tool (for example radlogin4.exe) to test the RADIUS accounting function on FortiGate and FSSO Collector Agent. This method helps troubleshoot RSSO functionality without requiring actual RADIUS authentication.
Scope
Solution |
Download radlogin4.exe from: https://www.iea-software.com/products/radiusnt/radlogin4.cfm and after installation, access the tool via: http://localhost:8020/.
Under the Request Profile option, configure the attributes to include in the RADIUS accounting message.
In the RADIUS attribute settings under the profile, any attribute can be added and configured.
Ensure the Acct-Status-Type attribute is included and set to ‘Start’: it is mandatory, because the FortiGate RSSO agent and the Fortinet Collector Agent use it to identify the Accounting Start message.
For wireless or wired clients, include the Framed-IP-Address attribute to indicate the user’s assigned IP address. This attribute is part of the RADIUS accounting message and is typically included in the Accounting-Request packet when the user's session starts.
Add the RADIUS accounting server under the RADIUS server settings.
The screenshot below confirms that the test client successfully sent the Accounting-Request and received the Accounting-Response from the FortiGate RSSO agent.
Use the command diagnose firewall auth list to verify that the user is added to the firewall user list.
Configure the Collector Agent to monitor RADIUS accounting messages. Refer to the documentation for basic setup: Technical Tip: FSSO Collector Agent to Monitor Logon Events for Account using Alternative UPN Suffix
In the example below, the RADIUS Accounting message was sent to the Collector Agent on the Domain Controller at 10.56.10.11.
On the Collector Agent, this RADIUS accounting message can be traced in the ‘View Log’.
A sample log for the RADIUS message is shown below:
02/16/2025 13:28:33 [ 6952] [D][DumpPacketData]RadiusPacket: data=000000E38BCFEB30, size=111
02/16/2025 13:28:33 [ 6952] [D][ShowHeaderInfo]RadiusPacket: Code=4, Id=8, Length=111, Auth={A3 DE 31 ... A4 11}
02/16/2025 13:28:33 [ 6952] [D][ShowAttributes]RadiusAttr: Type= 1, Length= 8, Value={67 7A 68 6F ...}
02/16/2025 13:28:33 [ 6952] [D][ShowAttributes]RadiusAttr: Type= 44, Length= 18, Value={31 37 33 39 ...}
02/16/2025 13:28:33 [ 6952] [D][ShowAttributes]RadiusAttr: Type= 31, Length= 12, Value={31 31 31 35 ...}
02/16/2025 13:28:33 [ 6952] [D][ShowAttributes]RadiusAttr: Type= 46, Length= 6, Value={00 00 00 B4 ...}
02/16/2025 13:28:33 [ 6952] [D][ShowAttributes]RadiusAttr: Type= 41, Length= 6, Value={00 00 00 02 ...}
02/16/2025 13:28:33 [ 6952] [D][ShowAttributes]RadiusAttr: Type= 25, Length= 8, Value={67 72 6F 75 ...}
02/16/2025 13:28:33 [ 6952] [D][ShowAttributes]RadiusAttr: Type= 26, Length= 14, Value={00 00 30 44 ...}
02/16/2025 13:28:33 [ 6952] [D][ShowAttributes]RadiusAttr: Type= 1, Length= 7, Value={74 65 73 74 ...}
02/16/2025 13:28:33 [ 6952] [D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 01 ...}
02/16/2025 13:28:33 [ 6952] [D][ShowAttributes]RadiusAttr: Type= 8, Length= 6, Value={0A 01 64 01 ...}
02/16/2025 13:28:33 [ 6952] [D][ShowAttributes]---- 10 Attribute(s) 91 bytes ----
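The following is an added example, not code from this article, from radlogin4 or from Fortinet. It models what the Request Profile steps above configure and what the Collector Agent dump above shows: an Accounting-Request (Code 4) carrying User-Name (Type 1), Acct-Status-Type=Start (Type 40, value 1) and Framed-IP-Address (Type 8), the RFC 2866 Request and Response Authenticators on both sides of the exchange, and a check that the attribute lengths in a ShowAttributes dump add up to the packet Length minus the 20-byte header (111 - 20 = 91 in the dump above). The shared secret, identifier and attribute values are constructed for the example.

```python
"""Added example: build, authenticate and decode a RADIUS Accounting-Request (Start).
All values (shared secret, identifier, attributes) are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import re
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5   # RFC 2866 packet codes
ACCT_STATUS_START, ACCT_STATUS_STOP = 1, 2        # Acct-Status-Type values
# Attribute type numbers (RFC 2865/2866); the Collector Agent log prints the same numbers
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address", 25: "Class", 26: "Vendor-Specific",
              31: "Calling-Station-Id", 40: "Acct-Status-Type", 41: "Acct-Delay-Time",
              44: "Acct-Session-Id", 46: "Acct-Session-Time"}


def encode_attr(attr_type, value):
    """TLV-encode one attribute: Framed-IP-Address as 4 octets, int as 32-bit, str as text."""
    if attr_type == 8:
        data = ipaddress.IPv4Address(value).packed
    elif isinstance(value, int):
        data = struct.pack("!I", value)
    elif isinstance(value, str):
        data = value.encode()
    else:
        data = bytes(value)
    if not 1 <= len(data) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def build_accounting_request(secret, identifier, attrs):
    """Client (NAS/test tool) side: Accounting-Request with the RFC 2866 Request Authenticator."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def build_accounting_response(request, secret):
    """Server (RSSO agent / Collector Agent) side: an empty Accounting-Response."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(request, response, secret):
    """Client side: accept the response only if code, identifier and authenticator all match."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or identifier != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_packet(packet):
    """Split a packet into (code, identifier, [(type, raw_value), ...]); reject bad lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("packet Length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def decode_value(attr_type, raw):
    if attr_type == 8:
        return str(ipaddress.IPv4Address(raw))
    if attr_type in (40, 41, 46):
        return struct.unpack("!I", raw)[0]
    if attr_type in (1, 31, 44):
        return raw.decode(errors="replace")
    return raw.hex()


def start_message(packet):
    """(User-Name, Framed-IP-Address) if this is an Accounting-Request with Acct-Status-Type=Start."""
    code, _, attrs = parse_packet(packet)
    if code != ACCOUNTING_REQUEST:
        return None
    fields = {t: decode_value(t, v) for t, v in attrs}
    if fields.get(40) != ACCT_STATUS_START:
        return None
    return fields.get(1), fields.get(8)


ATTR_LOG_RE = re.compile(r"RadiusAttr: Type=\s*(\d+), Length=\s*(\d+)")


def summarize_attr_dump(log_lines, header_length):
    """Name the attributes of a 'ShowAttributes' dump and check they fill Length minus the header."""
    found = [(ATTR_NAMES.get(int(t), f"Type-{t}"), int(n))
             for t, n in (m.groups() for m in map(ATTR_LOG_RE.search, log_lines) if m)]
    return found, sum(n for _, n in found) == header_length - 20


if __name__ == "__main__":
    secret = b"testing123"   # constructed shared secret
    req = build_accounting_request(secret, 8, [(1, "gzhong"), (40, ACCT_STATUS_START),
                                               (8, "10.1.100.1"), (44, "1739672913")])
    print("Accounting Start for", start_message(req))
    print("response accepted:", verify_response(req, build_accounting_response(req, secret), secret))
```

The accounting authenticators are MD5 checksums keyed by the shared secret, not a MAC, so `verify_response` is the only integrity check the client gets; a response built with a different secret, or answering a different identifier, is rejected.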
For more details on tracing RADIUS Accounting logs on the Collector Agent, refer to the following article:
In this example, the Default Domain Name has been configured under the RADIUS Accounting settings. This allows the Collector Agent to process the user-name attribute (gzhong) and retrieve the associated group information from the domain. Below are the logs generated after the RADIUS message is processed.
02/16/2025 13:28:33 [ 6952] Bytes received from DC agent(2): 51 dcagent IP: 10.253.0.1, MT=00200000
02/16/2025 13:28:33 [ 6952] dcagent packet: add to queue, called:2, current:0
02/16/2025 13:28:33 [ 8908] process_dcagent_events called by worker:1
02/16/2025 13:28:33 [ 8908] dcagent packet: removed from queue, called:2 remain:0
02/16/2025 13:28:33 [ 8908] get dcagent event from processing queue by worker:1
02/16/2025 13:28:33 [ 8908] [D][Comm]W=001, PDE:HDE(0000027FEEB90CA0, 10.253.0.1, 51)-->
02/16/2025 13:28:33 [ 8908] dcagent packet: processed:2
02/16/2025 13:28:33 [ 8908] logon event(2): len:51 monitorType:2097152 dc_ip:10.253.0.1 time:1739672913 len:38 data:10.1.100.1/syd.fortilabapac.lab/gzhong ip:10.1.100.1
02/16/2025 13:28:33 [ 8908] ldaplib::search_s:383, baseDN:DC=syd,DC=fortilabapac,DC=lab
02/16/2025 13:28:33 [ 8908] ldaplib::search_s:390, filter:(&(objectclass=user)(objectcategory=person)(sAMAccountName=gzhong))
02/16/2025 13:28:33 [ 8908] ldaplib::search_s:400, attrib:distinguishedName, i:0
02/16/2025 13:28:33 [ 8908] ldaplib::search_s:400, attrib:objectClass, i:1
02/16/2025 13:28:33 [ 8908] ldaplib::ldap_search_s, the number of entries: 1
02/16/2025 13:28:33 [ 8908] DN:CN=george zhong,OU=ANZ,OU=Users,OU=APAC,DC=syd,DC=fortilabapac,DC=lab
02/16/2025 13:28:33 [ 8908] found user CN=george zhong,OU=ANZ,OU=Users,OU=APAC,DC=syd,DC=fortilabapac,DC=lab in the directory, checking group membership...
02/16/2025 13:28:33 [ 8908] member:CN=testgroup,OU=ANZ,OU=Users,OU=APAC,DC=syd,DC=fortilabapac,DC=lab
02/16/2025 13:28:33 [ 8908] member:CN=ANZ-TAC,OU=ANZ,OU=Users,OU=APAC,DC=syd,DC=fortilabapac,DC=lab
02/16/2025 13:28:33 [ 8908] primarygroupID:S-1-5-21-4034274932-779386742-172250040-513
02/16/2025 13:28:33 [ 8908] ldaplib::search_s:383, baseDN:DC=syd,DC=fortilabapac,DC=lab
02/16/2025 13:28:33 [ 8908] ldaplib::search_s:390, filter:(objectSid=S-1-5-21-4034274932-779386742-172250040-513)
02/16/2025 13:28:33 [ 8908] ldaplib::search_s:400, attrib:distinguishedName, i:0
02/16/2025 13:28:33 [ 8908] ldaplib::ldap_search_s, the number of entries: 1
02/16/2025 13:28:33 [ 8908] DN:CN=Domain Users,CN=Users,DC=syd,DC=fortilabapac,DC=lab
02/16/2025 13:28:33 [ 8908] check member for group: CN=Domain Users,CN=Users,DC=syd,DC=fortilabapac,DC=lab
02/16/2025 13:28:33 [ 8908] member:CN=Users,CN=Builtin,DC=syd,DC=fortilabapac,DC=lab
02/16/2025 13:28:33 [ 8908] check member for group: CN=ANZ-TAC,OU=ANZ,OU=Users,OU=APAC,DC=syd,DC=fortilabapac,DC=lab
02/16/2025 13:28:33 [ 8908] check member for group: CN=testgroup,OU=ANZ,OU=Users,OU=APAC,DC=syd,DC=fortilabapac,DC=lab
02/16/2025 13:28:33 [ 8908] member:CN=ANZ-TAC,OU=ANZ,OU=Users,OU=APAC,DC=syd,DC=fortilabapac,DC=lab
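The following is an added example, not the Collector Agent's code. It models the lookups the log above shows once the Default Domain Name is applied: the logon event data (ip/domain/user) becomes a base DN and an sAMAccountName filter, and the primaryGroupID RID is resolved by appending it to the domain SID and searching on objectSid. Because the User-Name comes from the RADIUS client, the filter value is escaped per RFC 4515 before it is placed in the search filter; the user, domain and SID values are the ones in the log, and the escaping case is constructed.

```python
"""Added example: model the directory lookups the Collector Agent log shows.
Values come from the log above; the escaping input is constructed."""
import re

# "data:<ip>/<domain>/<user>" as printed in the "logon event" line
LOGON_EVENT_RE = re.compile(r"data:(?P<ip>[\d.]+)/(?P<domain>[^/\s]+)/(?P<user>\S+)")


def parse_logon_event(line):
    """Return (ip, domain, user) from a 'logon event' log line, or None if it is not one."""
    match = LOGON_EVENT_RE.search(line)
    return match.group("ip", "domain", "user") if match else None


def base_dn(domain):
    """syd.fortilabapac.lab -> DC=syd,DC=fortilabapac,DC=lab"""
    return ",".join(f"DC={label}" for label in domain.split("."))


def escape_filter_value(value):
    """RFC 4515 escaping for the characters that are special inside a filter assertion value."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def user_filter(sam_account_name):
    """The user search the log performs, with the untrusted User-Name escaped."""
    return ("(&(objectclass=user)(objectcategory=person)"
            f"(sAMAccountName={escape_filter_value(sam_account_name)}))")


def primary_group_sid(domain_sid, primary_group_id):
    """AD stores primaryGroupID as a RID; the group's objectSid is the domain SID plus that RID."""
    return f"{domain_sid}-{int(primary_group_id)}"


def sid_filter(sid):
    """The second search in the log: resolve the primary group by objectSid."""
    return f"(objectSid={escape_filter_value(sid)})"


if __name__ == "__main__":
    event = ("02/16/2025 13:28:33 [ 8908] logon event(2): len:51 monitorType:2097152 dc_ip:10.253.0.1 "
             "time:1739672913 len:38 data:10.1.100.1/syd.fortilabapac.lab/gzhong ip:10.1.100.1")
    ip, domain, user = parse_logon_event(event)
    print(base_dn(domain), user_filter(user))
    print(sid_filter(primary_group_sid("S-1-5-21-4034274932-779386742-172250040", 513)))
```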
After successful RADIUS accounting, the user will appear in the Logon Users List on the Collector Agent.
Copyright 2025 Fortinet, Inc. All Rights Reserved.