FortiGate
mkirollos
Staff
Article Id 213224
Description

This article describes the configuration required for FortiGate to send RADIUS accounting messages to FortiAuthenticator.

 

In this scenario, FortiGate port9 (IP x.x.x.x) is connected to FortiAuthenticator port2 (IP y.y.y.y).

Scope

FortiGate and FortiAuthenticator.
Solution

Section A: FortiGate Configuration

  1. Configure FortiAuthenticator as the RADIUS server on FortiGate, with its IP address and the shared secret. The secret must be identical to the one entered for the FortiGate RADIUS client on FortiAuthenticator; the value 'Fortinet' below is only a placeholder.

GUI configuration:

 

mkirollos_14-1653698902155.png

 

CLI configuration:

 

config user radius
    edit FAC
        set server y.y.y.y
        set secret Fortinet
        set nas-ip x.x.x.x
    end

 

  2. Configure FortiAuthenticator as the RADIUS accounting server from the FortiGate CLI, with the correct IP address. The secret must match the FortiGate RADIUS client secret on FortiAuthenticator, and the port must match the FortiAuthenticator RADIUS Accounting Monitor port noted in FortiAuthenticator configuration step 3 (not the RADIUS Accounting SSO port, which is a separate listener).

 

config user radius
    edit FAC
        config accounting-server
            edit 1
                set status enable
                set server y.y.y.y
                set secret ********
                set port 1646
            end
    end

 

Verify that the configuration was applied, and that the accounting-server entry shows the expected server, port and status, using the following command:

 

show user radius

 

Section B: FortiAuthenticator Configuration.

 

  1. Add FortiGate as a RADIUS client with the correct IP address (x.x.x.x in this example) and a shared secret (the same secret is used in FortiGate configuration step 2), and enable 'Accept RADIUS accounting messages for usage enforcement'.

 

mkirollos_15-1653698902160.png

 

  2. On the interface connected to FortiGate (IP y.y.y.y), enable the RADIUS Accounting Monitor service.

 

mkirollos_16-1653698902173.png

 

Note that the 'RADIUS Accounting Monitor' (and its port) is used for usage-policy enforcement: if a usage policy is applied to a user, the user can be removed from the network once the policy's bandwidth or time quota is exceeded.
The 'RADIUS Accounting SSO' (and its port) is used to create FSSO sessions. This is what allows FSSO sessions for SSL VPN users, which, by the nature of FSSO, would otherwise not exist until the user generated a login event on a domain controller.

 

  3. Check and make note of the RADIUS Accounting Monitor port number. The default is port 1646 (the standard RADIUS accounting port 1813 is not used by this listener); use it when configuring FortiGate as per step 2 in the FortiGate configuration section.

 

mkirollos_17-1653698902175.png

 

After configuring all of the above, test by authenticating a user through a method that triggers RADIUS accounting, for example FortiClient SSL VPN. Once the connection succeeds, the user's RADIUS accounting session appears in FortiAuthenticator.

Note that the session is only listed in the Active section while the user's authentication session is still valid (in real time).
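If no session appears, the usual causes are a secret or port mismatch between the FortiGate accounting-server entry and the FortiAuthenticator RADIUS client and Accounting Monitor. Because RFC 2866 requires a server to silently discard an Accounting-Request whose Request Authenticator does not verify, a mismatched secret produces no error, only silence. The following added example (not from the Fortinet article and not Fortinet code) is a minimal RFC 2866 accounting client that builds an Accounting-Request the way a NAS such as FortiGate does, verifies the server's Accounting-Response, and can be pointed at the FortiAuthenticator accounting port to confirm the secret and port independently of the VPN. The user name, session ID, IP addresses, secret and port in it are constructed placeholders; `offline_demo` also plays the server side so the flow runs without a FortiAuthenticator.

```python
"""Added example: minimal RFC 2866 RADIUS accounting client and server-side checks.
Not Fortinet code. All names, IPs, secrets and ports are constructed placeholders."""
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
# Attribute types (RFC 2865 / RFC 2866)
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46
ACCT_START, ACCT_STOP = 1, 2


def attr(atype, value):
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Decode an attribute list into {type: [values]}; rejects malformed lengths."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.setdefault(atype, []).append(data[i + 2:i + alen])
        i += alen
    return out


def build_accounting_request(secret, ident, user, nas_ip, framed_ip, session_id, status, session_time=0):
    """Build an Accounting-Request as a NAS would (placeholder attribute set)."""
    attrs = b"".join([
        attr(USER_NAME, user.encode()),
        attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),      # should equal FortiGate 'set nas-ip'
        attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip)),
        attr(ACCT_STATUS_TYPE, struct.pack("!I", status)),
        attr(ACCT_SESSION_ID, session_id.encode()),
        attr(ACCT_SESSION_TIME, struct.pack("!I", session_time)),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 s.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def request_authenticator_valid(packet, secret):
    """Server-side check: recompute the Request Authenticator with the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_response(request, secret):
    """Server behaviour: answer only a request whose authenticator verifies, else drop it (None)."""
    if not request_authenticator_valid(request, secret):
        return None
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); no attributes here
    auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + auth


def response_valid(response, request, secret):
    """Client-side check that the reply matches our request and came from a holder of the secret."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_accounting(packet, server_ip, port=1646, timeout=3.0):
    """Send one request over UDP to the accounting port; None on timeout (wrong secret or port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server_ip, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return reply


def offline_demo():
    """Constructed session: both sides simulated locally, plus a wrong-secret attempt."""
    secret = b"Fortinet"  # placeholder, same sample value as the article's CLI
    req = build_accounting_request(secret, 7, "alice", "192.0.2.10", "198.51.100.50", "0001A2B3", ACCT_START)
    resp = build_accounting_response(req, secret)
    ok = resp is not None and response_valid(resp, req, secret)
    dropped = build_accounting_response(req, b"other-secret") is None
    return ok, dropped, parse_attrs(req[20:])


if __name__ == "__main__":
    ok, dropped, attrs = offline_demo()
    print("exchange valid:", ok, "| wrong secret silently dropped:", dropped)
    print("User-Name in request:", attrs[USER_NAME][0].decode())
```

To test a real FortiAuthenticator, run `send_accounting(build_accounting_request(...), "y.y.y.y", 1646)` from a host whose source IP is registered as a RADIUS client on FortiAuthenticator; a reply that passes `response_valid` proves secret and port agree, while a timeout means the request was discarded. Note that the MD5 authenticator only ties the packet to the secret; it does not encrypt the attributes, so the accounting path should stay on a trusted network segment.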

 

mkirollos_18-1653698902178.png

 

To view previous (closed) sessions, select 'Cumulative' as shown below:

 

mkirollos_19-1653698902182.png

 

Related article:

Technical Tip: Fortinet Solutions RSSO (RADIUS Single Sign On).