Regards,
I'm trying to create user authentication using the wired network. At the moment, I can get a person to connect to my switch and receive a box to authenticate themselves, and depending on their user group, they will enter VLAN X or VLAN Y. This is working.
My major issue is passing this information from FortiAuthenticator to FortiGate. Does anyone have any suggestions? I tried to do it through the Radius Accounting Proxy, but since I can't use the FAC as the source, I'm not succeeding (I'm trying using the Switch IP as the Source, and enabling accounting proxy at the switch, and FGT as the destination to my accounting proxy destination)
When I sniff on FortiGate at port 1813, I don't see anything besides the Switch sending the accounting to the FAC, so my problem is between FAC and FGT.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Rodrigo,
if you have a FortiGate then I would suggest using RSSO on FortiAuthenticator and FSSO on the FortiGate. The FortiAuthenticator can "translate" RSSO to FSSO. It reads RSSO with the respective values to create user and IP info and forwards this to FortiGate via regular FSSO.
Best regards,
Markus
Hello Markus,
Thanks for taking your time to reply!
I've seen this before, but in this case, it's using another Radius Server to authenticate the user and then, the FAC can accouting proxy this information by setting the Radius Server IP as the Proxy Source. In my case, I can't have this Radius Server, because the user authentication it's already be done by the FortiAuthenticator.
Hi Rodrigo,
Sorry I don't follow. Are you using FortiAuthenticator or another server for authentication?
In case of another server, you can send accounting to the FAC and FortiAuthenticator can do this as FSSO.
In case of FAC you have to see whether the RADIUS client can do likewise and send accounting to FortiAuthenticator for FSSO. FAC itself does not do accounting to itself. It can do a dirty trick and send syslog messages to 127.0.0.1 and evaluate these as FSSO though.
Best regards,
Markus
The RADIUS Authentication and Accounting will not interfere, it can be on same or in different servers. You just have to configure the Switch (NAS) to send accounting directly to FAC. On FAC you have to create a client entry for this switch with a source IP, the shared secret and select the attributes you want to extract:
and check if the SSO session is created with Source Radius Accounting:
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.