sthapa
Staff
Article Id 197897

Description

This article describes steps to troubleshoot RSSO issues.

Scope

FortiGate.

Solution

Using RSSO, a FortiGate can authenticate users who have already been authenticated on a remote RADIUS server. User groups can be configured to match the groups the user belongs to. These user groups can then be applied to firewall policies for inspection by UTM profiles.

To configure RSSO user groups, see RADIUS single sign-on agent - FortiGate administration guide.

See the following steps to help troubleshoot RSSO issues on the FortiGate.

1. Run the following debug commands on the FortiGate to check the RADIUS accounting packet:

diagnose debug application fnbamd -1
diagnose debug application radiusd -1
diagnose debug enable

To disable the debug output afterwards:

diagnose debug disable
diagnose debug reset

Example output:

Received radius accounting eventvd 0:root Add/Update auth logon for IP
 172.31.128.30 for user sumit DB 0 insert [ep='sumit' pg='group1ip='172.31.128.30/32'] success

The RSSO group name is 'group1' and the user name is 'sumit'.

2. Use the 'diagnose firewall auth list' command to verify that the RSSO users are authorized on the FortiGate:

diagnose firewall auth list

172.31.128.30, sumit type: rsso, id: 0, duration: 13, idled: 13
        flag(10): radius  server: root
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 3
        group_name: RS                         <----- Tagged group.
----- 1 listed, 0 filtered ------

3. Depending on the attribute-value pairs used by the RADIUS server in its accounting messages, the 'rsso-endpoint-attribute' and 'sso-attribute' settings may need to be adjusted:

config user radius
    edit "RSSO Agent"
        set rsso-endpoint-attribute <attribute> <----- This is the attribute that carries the user name.
        set sso-attribute <attribute> <----- This is the attribute that carries the user group.
    next
end

The following attributes can be configured:

User-Name
NAS-IP-Address
Framed-IP-Address
Framed-IP-Netmask
Filter-Id
Login-IP-Host
Reply-Message
Callback-Number
Callback-Id
Framed-Route
Framed-IPX-Network
Class
Called-Station-Id
Calling-Station-Id
NAS-Identifier
Proxy-State
Login-LAT-Service
Login-LAT-Node
Login-LAT-Group
Framed-AppleTalk-Zone
Acct-Session-Id
Acct-Multi-Session-Id

To verify which attributes are being sent, it may be necessary to capture the RADIUS accounting messages. This can be done with the sniffer in the CLI or with the GUI packet capture tool.

To use the GUI packet capture tool, see Troubleshooting Tip: Packet Capture in the FortiOS GUI.

To use the CLI sniffer to capture RADIUS accounting messages (UDP port 1813):

diagnose sniffer packet any 'host <IP of RADIUS server> and port 1813' 6 0 l

For example, if the capture shows that the user information is carried in the 'User-Name' attribute, change the rsso-endpoint-attribute on the FortiGate accordingly:

config user radius
    edit "RSSO Agent"
        set rsso-endpoint-attribute User-Name    <---- Changed attribute.
    next
end
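As an added example that is not part of the original article or of FortiOS, the following Python script decodes a RADIUS Accounting-Request (such as the payload seen in the sniffer capture above) into named attributes and reports which of the two configured RSSO attributes the packet does not carry. The sample packet is constructed here to match the user, group and IP from the debug output, and the check assumes Calling-Station-Id and Class as the pre-adjustment settings.

```python
import ipaddress
import struct

# RFC 2865/2866 type codes for the FortiGate-selectable attributes, plus Acct-Status-Type.
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address",
    9: "Framed-IP-Netmask", 11: "Filter-Id", 14: "Login-IP-Host",
    18: "Reply-Message", 19: "Callback-Number", 20: "Callback-Id",
    22: "Framed-Route", 23: "Framed-IPX-Network", 25: "Class",
    30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
    33: "Proxy-State", 34: "Login-LAT-Service", 35: "Login-LAT-Node",
    36: "Login-LAT-Group", 39: "Framed-AppleTalk-Zone", 40: "Acct-Status-Type",
    44: "Acct-Session-Id", 50: "Acct-Multi-Session-Id",
}

def parse_accounting(packet: bytes) -> dict:
    """Decode a RADIUS Accounting-Request (code 4) into {attribute name: value}."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("RADIUS length field disagrees with the packet")
    attrs, pos = {}, 20
    while pos < length:                      # walk the type/length/value list
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        if atype in (4, 8, 9, 14):           # IPv4 address attributes
            attrs[name] = str(ipaddress.IPv4Address(value))
        elif atype == 40 and len(value) == 4:
            attrs[name] = struct.unpack("!I", value)[0]   # 1 = Start, 2 = Stop
        else:
            attrs[name] = value.decode("utf-8", "replace")
        pos += alen
    return attrs

def check_rsso_mapping(attrs: dict, endpoint_attr: str, sso_attr: str) -> list:
    # Configured RSSO attribute names that the packet does not carry (empty = OK).
    return [a for a in (endpoint_attr, sso_attr) if a not in attrs]

def _attr(atype: int, value: bytes) -> bytes:   # one type/length/value attribute
    return bytes([atype, len(value) + 2]) + value

# Constructed Accounting-Request (Start) for the user/group shown in the article.
_BODY = (_attr(1, b"sumit") + _attr(8, ipaddress.IPv4Address("172.31.128.30").packed)
         + _attr(25, b"group1") + _attr(40, struct.pack("!I", 1)) + _attr(44, b"0001"))
SAMPLE = struct.pack("!BBH", 4, 7, 20 + len(_BODY)) + bytes(16) + _BODY
```

Running check_rsso_mapping on the decoded sample with Calling-Station-Id returns that attribute as missing, which is the situation where rsso-endpoint-attribute must be changed to User-Name as shown above.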

From v7.6.0, RSSO user information can be synchronized with FGSP cluster peers:

RSSO authenticated user logon information synchronized between FGSP peers - FortiGate documentation