Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RodrigoAndrade
New Contributor

FortiAuthenticator RSSO with 802.1x and FortiGate

Regards,

I'm trying to create user authentication using the wired network. At the moment, I can get a person to connect to my switch and receive a box to authenticate themselves, and depending on their user group, they will enter VLAN X or VLAN Y. This is working.

My major issue is passing this information from FortiAuthenticator to FortiGate. Does anyone have any suggestions? I tried to do it through the Radius Accounting Proxy, but since I can't use the FAC as the source, I'm not succeeding (I'm trying using the Switch IP as the Source, and enabling accounting proxy at the switch, and FGT as the destination to my accounting proxy destination)

When I sniff on FortiGate at port 1813, I don't see anything besides the Switch sending the accounting to the FAC, so my problem is between FAC and FGT.

4 REPLIES 4
Markus_M
Staff
Staff

Hi Rodrigo,

 

if you have a FortiGate then I would suggest using RSSO on FortiAuthenticator and FSSO on the FortiGate. The FortiAuthenticator can "translate" RSSO to FSSO. It reads RSSO with the respective values to create user and IP info and forwards this to FortiGate via regular FSSO.

https://community.fortinet.com/t5/FortiAuthenticator/Solution-Guide-Fortinet-Solutions-RSSO-RADIUS-S...

 

Best regards,

 

Markus

RodrigoAndrade

Hello Markus,

Thanks for taking your time to reply!

I've seen this before, but in this case, it's using another Radius Server to authenticate the user and then, the FAC can accouting proxy this information by setting the Radius Server IP as the Proxy Source. In my case, I can't have this Radius Server, because the user authentication it's already be done by the FortiAuthenticator.

Markus_M

Hi Rodrigo,

 

Sorry I don't follow. Are you using FortiAuthenticator or another server for authentication?

In case of another server, you can send accounting to the FAC and FortiAuthenticator can do this as FSSO.

In case of FAC you have to see whether the RADIUS client can do likewise and send accounting to FortiAuthenticator for FSSO. FAC itself does not do accounting to itself. It can do a dirty trick and send syslog messages to 127.0.0.1 and evaluate these as FSSO though.

 

Best regards,

 

Markus

 

ebilcari

The RADIUS Authentication and Accounting will not interfere, it can be on same or in different servers. You just have to configure the Switch (NAS) to send accounting directly to FAC. On FAC you have to create a client entry for this switch with a source IP, the shared secret and select the attributes you want to extract:

sso acc.PNG

and check if the SSO session is created with Source Radius Accounting:

accounting.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors