naveenk
Staff
Description
This article describes the support for Okta RADIUS attributes filter-Id and class.

Solution
In this example, a FortiAuthenticator is used as the RADIUS server. A local RADIUS user on the FortiAuthenticator is configured with two groups in the filter-Id attribute: okta-group1 and okta-group2.

To create the RADIUS user and set the attribute type to override group information:
# config user radius
    edit "FAC193"
        set server "10.1.100.189"
        set secret **********
        set group-override-attr-type filter-Id
    next
end
FortiOS will only use the configured filter-Id attribute, even if the RADIUS server sends group names in both the class and filter-Id attributes. To take group membership information from the class attribute instead, set group-override-attr-type to class.
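The following is an added example, not Fortinet code: it parses the attributes of a RADIUS Access-Accept (RFC 2865 layout, Filter-Id = type 11, Class = type 25) and applies the group-override choice described above, so that only the configured attribute type contributes group names even when the server returns both. The packet is constructed inline for the demonstration; the function names are the example's own.

```python
"""Added example (not Fortinet's code): parse RADIUS Access-Accept attributes
and apply the filter-Id / class group-override selection."""
import struct

# RFC 2865 standard attribute type numbers and packet code
FILTER_ID = 11
CLASS = 25
ACCESS_ACCEPT = 2


def build_access_accept(attrs, ident=1):
    """Build a minimal Access-Accept; the 16-byte authenticator is zeroed
    because only attribute parsing is demonstrated (constructed packet)."""
    body = b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Return (type, value) pairs; reject length fields that overrun the packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def groups_from_accept(packet, override_attr_type="filter-Id"):
    """Group names taken only from the configured attribute type, mirroring
    group-override-attr-type; the other attribute is ignored entirely."""
    wanted = {"filter-Id": FILTER_ID, "class": CLASS}[override_attr_type]
    return [v.decode("utf-8", "replace") for t, v in parse_attributes(packet) if t == wanted]


def group_match(packet, configured_group, override_attr_type="filter-Id"):
    """True when the remote group string configured on the firewall exactly
    matches one of the names returned in the selected attribute."""
    return configured_group in groups_from_accept(packet, override_attr_type)


# Constructed Access-Accept: two groups in filter-Id, a different value in class
SAMPLE = build_access_accept([
    (FILTER_ID, b"okta-group1"),
    (FILTER_ID, b"okta-group2"),
    (CLASS, b"other-group"),
])
```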

To configure group match in the user group:

- Go to User & Authentication -> User Groups.
- Select 'Create New'.
- Enter a name for the group, and set Type to Firewall.
- In the Remote Groups table, select 'Add'.
- Set Remote Server to the just created RADIUS server, FAC193.
- Set Groups to Specify, and enter the group name, okta-group2.

The string has to match the group name configured on the RADIUS server for the filter-Id attribute.

- Select 'OK'.

The remote server is added to the Remote Groups table.

- Select 'OK'.
- Add the new user group to a firewall policy and generate traffic on the client PC that requires firewall authentication, such as connecting to an external web server.
- After authentication, on the FortiGate, verify that traffic is authorized in the traffic log:
  - Go to Log & Report -> Forward Traffic.
  - Verify that the traffic was authorized.

To use the remote user group with group match in a system wildcard administrator configuration:

- Go to System -> Administrators.
- Edit an existing administrator, or create a new one.
- Set Type to Match all users in a remote server group.
- Set Remote User Group to the remote server.
- Configure the remaining settings as required.

- Select 'OK'.
- Log in to the FortiGate using the remote user credentials on the RADIUS server.
- If the correct group name is returned in the filter-Id attribute, administrative access is allowed.
