Created on ‎10-02-2019 02:07 AM Edited on ‎06-09-2022 02:47 PM By Anonymous
Description
This article describes the steps to configure FortiGate to send RADIUS Accounting messages containing usernames and IP address of SSL VPN users.
Useful links:
CLI Reference: https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/403620/user-radius
Scope
FortiGate v5.6.11+
FortiGate v6.0.7+
FortiGate v6.2.1+
Solution
Consider the following important requirements before implementing this solution:
- FortiGate should be running FortiOS versions 5.6.11+, v6.0.7+ or v6.2.1+.
In earlier versions, FortiOS will report the client’s public IP address instead of the assigned tunnel IP address in the 'Framed-IP-Address' attribute value.
- The 'Framed-IP-Address' attribute is not included in the RADIUS Accounting-Request Start message. It is included only in Interim-Update and Accounting Stop messages.
- The Interim Accounting-Request is not sent unless the RADIUS server sends the AVP 'Acct-Interim-Interval' in the 'Access-Accept' message.
Also, the Interim-Updates feature must be enabled on FortiGate under the RADIUS profile.
- The minimum update interval that can be set for interim accounting messages is 600 seconds.
There are two steps to complete this configuration:
1) Configure SSL VPN access for RADIUS users.
Example: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/551553/ssl-vpn-with-radius-and-fortitoke...
2) Configure FortiGate to send RADIUS Accounting:
config user radius
    edit <RADIUS_PROFILE_NAME>
        set server <Radius_Server_IP>        <----- Specify the IP address of the RADIUS authentication server.
        set secret <password>                <----- Secret used to authenticate with the RADIUS authentication server.
        set acct-interim-interval 600        <----- Enable sending of Interim Accounting updates every 10 minutes.
        config accounting-server
            edit 1
                set status enable            <----- Enable sending of RADIUS Accounting messages.
                set server <Radius_Server_IP> <----- Specify the IP address of the RADIUS accounting server.
                set secret <password>        <----- Secret used to authenticate with the RADIUS accounting server.
            next
        end
    next
end
3) Ensure the RADIUS server is configured to send AVP 'Acct-Interim-Interval:600' in the Access-Accept message.
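Any system that consumes these accounting messages to map SSL VPN usernames to tunnel IP addresses has to handle a Start message that carries no 'Framed-IP-Address', and should verify the Request Authenticator against the shared secret before trusting a packet. The Python below is an added example, not Fortinet code: the function names, the secret and the sample packets built by build() are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS attribute types, packet code and Acct-Status-Type values (RFC 2865 / RFC 2866)
USER_NAME, FRAMED_IP, ACCT_STATUS = 1, 8, 40
ACCOUNTING_REQUEST, START, STOP, INTERIM = 4, 1, 2, 3

def _authenticator(packet: bytes, secret: bytes) -> bytes:
    # RFC 2866: MD5(Code + Id + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()

def parse_accounting(packet: bytes, secret: bytes) -> dict:
    """Authenticate one Accounting-Request and return {attribute type: value}."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field mismatch")
    if not hmac.compare_digest(packet[4:20], _authenticator(packet, secret)):
        raise ValueError("bad Request Authenticator (wrong secret or forged)")
    attrs, pos = {}, 20  # attributes follow the 20-byte header
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 1 < len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def apply(sessions: dict, packet: bytes, secret: bytes) -> None:
    """Update the username -> tunnel IP map from one accounting message."""
    attrs = parse_accounting(packet, secret)
    user = attrs[USER_NAME].decode()
    status = int.from_bytes(attrs[ACCT_STATUS], "big")
    if status == STOP:
        sessions.pop(user, None)
    elif status in (START, INTERIM):
        ip = attrs.get(FRAMED_IP)  # absent in Start; arrives with Interim-Update
        sessions[user] = str(ipaddress.IPv4Address(ip)) if ip else sessions.get(user)

def build(status: int, user: str, secret: bytes, ip: str = "") -> bytes:
    """Constructed sample packet for the demo, not captured FortiGate traffic."""
    body = bytes([USER_NAME, 2 + len(user)]) + user.encode()
    body += bytes([ACCT_STATUS, 6]) + struct.pack("!I", status)
    if ip:
        body += bytes([FRAMED_IP, 6]) + ipaddress.IPv4Address(ip).packed
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body))
    return head + _authenticator(head + bytes(16) + body, secret) + body
```

After a Start message the user is present in the map with no address yet; the tunnel IP appears only once the first Interim-Update (or the Stop) arrives, so with a 600-second interval the mapping can lag the login by up to ten minutes.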