Hi guys
I have x2 FSSO collector agents installed on 2 DCs (for redundancy) that monitor 5 DCs via DC Agent. This works well and LAN users show up on the Fortigate nicely.
To get Wi-Fi devices/users identified on the Fortigate, with usernames associated with devices, I have done the following:
1. On my Unifi AP I have pointed Radius Accounting direct to the firewall with a new psk
2. On the Fortigate I have setup an RSSO Agent in Single Sign-on. I have added the same psk to this
3. I set rsso-endpoint-attribute User-Name on the Fortigate
This works nicely as well. My question is how do I get groups working with this? For example, I have multiple AD groups for web filtering. Examples are: proxy_allowall, proxy_allow media, proxy_standard etc. A user can only be a member of 1 group. I want to be able to use these groups to match against web filtering policies. How can I associate RSSO groups with NPS? I get I need to add the Class attribute to NPS, but how do I handle multiple groups?
Many thanks!
Hi
A similar setup is here: http://cookbook.fortinet.com/forticonnect-guest-boarding-using-rsso-56/
and the usage for this is where our FortiConnect checks AD groups and maps these into FortiConnect Account Groups, which again map to a RADIUS attribute with a corresponding value.
So for NPS it would be similar, where you can use AD Group to create different Network Policies, and then map different Class attribute values.
/Brian
Regards
Brian, at Fortinet
Thanks Brian. I got this all sorted now. The key things I was missing were:
1. NPS has to do the sending of RADIUS Accounting to the fortigate
2. As you mentioned multiple network policies need to be created with custom attribute to pass onto Fortigate
Happy days
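Putting Brian's suggestion and the two findings above together, here is an added FortiOS CLI example of the FortiGate side. It is not configuration from this thread or from Fortinet; the interface names, object names, the secret placeholder and the Class strings are all assumptions. The idea it shows: one RSSO agent keyed on User-Name, and one RSSO user group per Class value, so that each NPS Network Policy (one per AD group, each setting the standard RADIUS attribute Class, attribute 25, to its own string and forwarding accounting to the FortiGate on UDP/1813 with the same shared secret) lands the user in exactly one group.

```fortios
# 1. Allow RADIUS accounting on the interface NPS sends to (name assumed).
config system interface
    edit "port1"
        set allowaccess ping https ssh radius-acct
    next
end

# 2. RSSO agent. Endpoint identity comes from User-Name (as in the thread);
#    the group comes from the Class attribute that NPS adds.
config user radius
    edit "RSSO-NPS"
        set rsso enable
        set rsso-radius-response enable
        set rsso-validate-request-secret enable   # reject accounting packets whose secret does not match
        set rsso-secret "REPLACE_WITH_PSK"         # placeholder: the same secret configured on NPS
        set rsso-endpoint-attribute User-Name
        set sso-attribute Class                    # RADIUS attribute 25
    next
end

# 3. One RSSO group per Class value. Each string must match, byte for byte,
#    the Class value set in the corresponding NPS Network Policy (values assumed).
config user group
    edit "rsso_proxy_allowall"
        set group-type rsso
        set rsso-attribute-value "proxy_allowall"
    next
    edit "rsso_proxy_allowmedia"
        set group-type rsso
        set rsso-attribute-value "proxy_allowmedia"
    next
    edit "rsso_proxy_standard"
        set group-type rsso
        set rsso-attribute-value "proxy_standard"
    next
end

# 4. Firewall policies then select on the RSSO group; a different
#    web filter profile per policy gives the per-group filtering (names assumed).
config firewall policy
    edit 0
        set name "wifi-proxy-allowall"
        set srcintf "wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "rsso_proxy_allowall"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set webfilter-profile "wf-allowall"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
```

After a Wi-Fi user authenticates, `diagnose firewall auth list` should show the user with their IP and the RSSO group taken from Class; if the user appears with no group, the Class string on the NPS policy and the `rsso-attribute-value` do not match exactly. Because the user's group is asserted entirely by the accounting packet, keep `rsso-validate-request-secret` enabled and restrict `radius-acct` access to the interface NPS actually uses, so that only the NPS server can place a user into a group.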
Copyright 2024 Fortinet, Inc. All Rights Reserved.