Description
This article describes how to troubleshoot RSSO issues.
Scope
FortiGate.
Solution
With RSSO, a FortiGate can authenticate users who have authenticated on a remote RADIUS server. Based on which user group the user belongs to, the security policy applies the appropriate UTM profiles.
The steps below troubleshoot an RSSO issue on the FortiGate. First enable debug output for the authentication daemon and the RADIUS accounting listener:
diagnose debug application fnbamd -1
diagnose debug application radiusd -1
diagnose debug en
Sample Output:
Received radius accounting event
vd 0:root Add/Update auth logon for IP 172.31.128.30 for user sumit DB 0 insert [ep='sumit' pg='group1' ip='172.31.128.30/32'] success
> In this output, pg='group1' is the RSSO group name received from the RADIUS server and ep='sumit' is the user name (the endpoint). Confirm the logon was added to the authentication table:
diagnose firewall auth list
172.31.128.30, sumit type: rsso, id: 0, duration: 13, idled: 13
flag(10): radius server: root
packets: in 0 out 0, bytes: in 0 out 0
group_id: 3
group_name: RS <----- Tagged group.
----- 1 listed, 0 filtered ------
config user radius
edit "RSSO Agent"
set rsso-endpoint-attribute <attribute>
next
end
For example, in the case below the user information is passed in the 'User-Name' attribute, so change rsso-endpoint-attribute on the FortiGate accordingly:
edit "RSSO Agent"
set rsso-endpoint-attribute User-Name <---- change attribute.
next
end
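As an added troubleshooting aid (not part of the original article or a Fortinet tool), the script below parses the two outputs shown above and cross-checks them: an event whose ep='' is empty points at a wrong rsso-endpoint-attribute, and an event that never appears in 'diagnose firewall auth list' points at a RADIUS group that is not mapped to an RSSO user group. The sample output is constructed, modelled on the lines above; the second event with an empty endpoint is an assumed failure case.

```python
import re

# Constructed sample output modelled on the debug and auth-list output above
# (not captured from a real FortiGate); the second event has an empty ep=''.
DEBUG_OUTPUT = """\
Received radius accounting event
vd 0:root Add/Update auth logon for IP 172.31.128.30 for user sumit DB 0 insert [ep='sumit' pg='group1' ip='172.31.128.30/32'] success
vd 0:root Add/Update auth logon for IP 172.31.128.31 for user  DB 0 insert [ep='' pg='group1' ip='172.31.128.31/32'] success
"""
AUTH_LIST = """\
172.31.128.30, sumit
        type: rsso, id: 0, duration: 13, idled: 13
        group_name: RS
----- 1 listed, 0 filtered ------
"""

EVENT_RE = re.compile(r"\[ep='(?P<ep>[^']*)' pg='(?P<pg>[^']*)' ip='(?P<ip>[^'/]+)(?:/\d+)?'\]")
ENTRY_RE = re.compile(r"^(?P<ip>\d+(?:\.\d+){3}), (?P<user>\S+)")
FIELD_RE = re.compile(r"\b(type|group_name): ([^,\s]+)")

def parse_events(text):
    """Return the ep/pg/ip triple of every 'Add/Update auth logon' event."""
    return [m.groupdict() for m in EVENT_RE.finditer(text)]

def parse_auth_list(text):
    """Map IP -> {user, type, group_name} from 'diagnose firewall auth list'."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)          # an entry starts with "IP, user"
        if m:
            current = {"user": m.group("user")}
            entries[m.group("ip")] = current
        elif current is not None:         # indented detail lines of that entry
            for key, value in FIELD_RE.findall(line):
                current[key] = value
    return entries

def check_rsso(debug_text, auth_text):
    """Cross-check each accounting event against the auth table."""
    table = parse_auth_list(auth_text)
    findings = []
    for ev in parse_events(debug_text):
        ip = ev["ip"]
        if not ev["ep"]:                  # endpoint attribute carried no value
            findings.append((ip, "empty endpoint: check rsso-endpoint-attribute"))
        elif ip not in table:             # event seen but no logon was created
            findings.append((ip, f"no auth entry: RADIUS group '{ev['pg']}' not mapped to an RSSO group?"))
        else:
            findings.append((ip, f"ok: {ev['ep']} tagged to group {table[ip]['group_name']}"))
    return findings
```

Paste real output into DEBUG_OUTPUT and AUTH_LIST and call check_rsso() to get one verdict per accounting event.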
From v7.6.0, RSSO user information can be synchronized with FGSP cluster peers; see:
RSSO authenticated user logon information synchronized between FGSP peers
Copyright 2024 Fortinet, Inc. All Rights Reserved.