Fortinet Forum
17g

FSSO - Wifi - Radius/NPS Groups Confusion

Hi guys

 

I have x2 FSSO collector agents installed on 2 DCs (for redundancy) that monitor 5 DCs via DC Agent. This works well and LAN users show up on the Fortigate nicely.

 

To get Wi-Fi devices/users identified on the FortiGate, with usernames associated with devices, I have done the following:

 

1. On my Unifi AP I have pointed RADIUS accounting directly to the firewall with a new PSK

2. On the FortiGate I have set up an RSSO agent in Single Sign-On. I have added the same PSK to this

3. I set rsso-endpoint-attribute to User-Name on the FortiGate

 

This works nicely as well. My question is how do I get groups working with this? For example, I have multiple AD groups for web filtering. Examples are: proxy_allowall, proxy_allow media, proxy_standard etc. A user can only be a member of one group. I want to be able to use these groups to match against web filtering policies. How can I associate RSSO groups with NPS? I get that I need to add the Class attribute in NPS, but how do I handle multiple groups?

 

Many thanks!

1 Solution
bandersen_FTNT

Hi

A similar setup is here: http://cookbook.fortinet.com/forticonnect-guest-boarding-using-rsso-56/

and the usage for this is where our FortiConnect checks AD groups and maps these into FortiConnect Account Groups, which in turn map to a RADIUS attribute with a corresponding value.

So for NPS it would be similar, where you can use AD Group to create different Network Policies, and then map different Class attribute values.

/Brian

Regards

Brian, at Fortinet
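The FortiGate side of the mapping Brian describes, as an added example that is not part of the original thread and not Fortinet's own documentation: the RSSO agent keys sessions on User-Name and reads the group from the Class attribute, and one rsso user group is created per Class value that the corresponding NPS network policy sends. Group names, the PSK placeholder and the policy name are assumptions; option names follow the FortiOS CLI and should be checked against the FortiOS version in use.

```text
config user radius
    edit "RSSO-Agent"
        set rsso enable
        set rsso-radius-server-port 1813
        set rsso-validate-request-secret enable
        set rsso-secret <same PSK configured as the accounting shared secret on NPS>
        set rsso-radius-response enable
        set rsso-endpoint-attribute User-Name
        set sso-attribute Class
    next
end
config user group
    edit "proxy_allowall"
        set group-type rsso
        set sso-attribute-value "proxy_allowall"
    next
    edit "proxy_standard"
        set group-type rsso
        set sso-attribute-value "proxy_standard"
    next
end
config firewall policy
    edit 0
        set name "wifi-proxy-allowall"
        set srcintf "wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "proxy_allowall"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set webfilter-profile "allowall"
    next
end
```

The string in sso-attribute-value must match the Class value the NPS network policy sends byte for byte, and rsso-validate-request-secret makes the FortiGate discard accounting packets whose Request Authenticator was not computed with the configured secret, so a stray or spoofed accounting source cannot log users in.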


17g

Thanks Brian. I got this all sorted now. The key things I was missing were:

 

1. NPS has to be the one sending RADIUS accounting to the FortiGate

2. As you mentioned, multiple network policies need to be created, each with a custom attribute to pass on to the FortiGate

 

Happy days
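The exchange the two posts above describe, as an added example that is not part of the original thread and not Fortinet or Microsoft code: an NPS-like sender builds RADIUS Accounting-Request packets (RFC 2866) whose Class value is chosen by the user's AD group, and a FortiGate-like RSSO agent validates the Request Authenticator against the shared secret, keys the session on User-Name (the rsso-endpoint-attribute) and resolves the user group from Class (the sso-attribute). The user names, group names, IP addresses and PSK are constructed for the example.

```python
# Added example (not Fortinet or Microsoft code): NPS-like accounting sender and
# FortiGate-like RSSO receiver; all names, addresses and the PSK are constructed.
import hashlib
import hmac
import socket
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5                            # RFC 2866 packet codes
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40  # attribute types
ACCT_START, ACCT_STOP = 1, 2

# Constructed directory and policy tables; group and user names are assumptions.
AD_MEMBERSHIP = {"alice": "proxy_allowall", "bob": "proxy_standard"}
NPS_CLASS_BY_POLICY = {"proxy_allowall": b"proxy_allowall", "proxy_standard": b"proxy_standard"}
RSSO_GROUPS = {b"proxy_allowall": "proxy_allowall", b"proxy_standard": "proxy_standard"}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; length counts type+len+value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs into a {type: [values]} map; repeated attributes are all kept."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        t, length = data[i], data[i + 1]
        attrs.setdefault(t, []).append(data[i + 2:i + length])
        i += length
    return attrs


def build_acct_request(secret, ident, attrs):
    """Accounting-Request: authenticator = MD5(header || 16 zero bytes || attrs || secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_acct_request(secret, pkt):
    """True only if the packet is well-formed and was built with our shared secret."""
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST:
        return False
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def build_acct_response(secret, request):
    """Accounting-Response: authenticator = MD5(header || request authenticator || secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def nps_accounting(secret, ident, user, ip, status=ACCT_START):
    """What the NPS network policy matched by the user's AD group would send."""
    attrs = [
        (USER_NAME, user.encode()),
        (FRAMED_IP, socket.inet_aton(ip)),
        (CLASS, NPS_CLASS_BY_POLICY[AD_MEMBERSHIP[user]]),
        (ACCT_STATUS_TYPE, struct.pack("!I", status)),
    ]
    return build_acct_request(secret, ident, attrs)


class RssoAgent:
    """Stand-in for the FortiGate RSSO session table (endpoint -> (ip, group))."""

    def __init__(self, secret, endpoint_attr=USER_NAME, sso_attr=CLASS):
        self.secret, self.endpoint_attr, self.sso_attr = secret, endpoint_attr, sso_attr
        self.sessions = {}

    def handle(self, pkt):
        """Returns the logon/logoff decision, or None when the packet is dropped."""
        if not verify_acct_request(self.secret, pkt):
            return None  # PSK mismatch or tampering: never trust the identity inside
        attrs = decode_attrs(pkt[20:])
        if self.endpoint_attr not in attrs or FRAMED_IP not in attrs:
            return None  # nothing to key the session on
        user = attrs[self.endpoint_attr][0].decode(errors="replace")
        ip = socket.inet_ntoa(attrs[FRAMED_IP][0])
        status = struct.unpack("!I", attrs.get(ACCT_STATUS_TYPE, [b"\0\0\0\1"])[0])[0]
        if status == ACCT_STOP:
            self.sessions.pop(user, None)
            return {"user": user, "ip": ip, "group": None, "status": "stop"}
        # Only Class values naming a configured rsso group count; any other Class
        # value a RADIUS server attaches is ignored rather than treated as a group.
        groups = [RSSO_GROUPS[v] for v in attrs.get(self.sso_attr, []) if v in RSSO_GROUPS]
        group = groups[0] if groups else None
        self.sessions[user] = (ip, group)
        return {"user": user, "ip": ip, "group": group, "status": "start"}


if __name__ == "__main__":
    psk = b"constructed-psk"
    start = nps_accounting(psk, 7, "alice", "10.0.0.20")
    print(RssoAgent(psk).handle(start))            # alice logged on as proxy_allowall
    print(RssoAgent(b"wrong-psk").handle(start))   # None: secret mismatch is dropped
```

Two things worth noticing in the receiver: a packet signed with the wrong PSK, or altered in transit, is dropped before any identity in it is read, which is what the FortiGate's request-secret validation buys you; and because the Class value comes from the NPS policy that matched the user's AD group rather than from the AP, the AP must send its accounting to NPS and NPS must forward accounting to the FortiGate, exactly as the follow-up post found.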