Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
akala
New Contributor II

Created on ‎08-05-2022 03:25 AM

Fortigate Combining RSSO and FSSO

Hi All,

 

Is it possible to combine RSSO and FSSO on the sametime ?

 

I want to configure the policy using FSSO group becasue FSSO Group is more granular for the grouping as we can choose or retrieve the SG / OU on the AD which we want to add. And in the sametime i want fortigate to lookup on the RSSO authentication table list for IP to User mapping. Because RSSO is more reliable fof IP to User mapping. However i dont want to add attribute class on the Radius Server. So basically i just want to use RSSO to get the IP to user mapping information, and use FSSO group on the Policy.

 

Is it possible ? any advice ?

 

Thanks

akala

Labels:
6373
0 Kudos
2 Solutions
akala
New Contributor II

Created on ‎08-05-2022 05:52 AM

Hi Debbie,

 

Thank you for the replies. That's great! that's the information i was looking for this couple days!

So instead of using RSSO, i can use Collector Agent, and send the Radius Accounting to Collector Agent.

Regarding the Collector Agent,

1. do i need to install the collector agent on the LDAP Server or i can install collector agent on any computer ? i red that installing collector agent requires to restart the host, is it correct ?

2. is there any configuration need to be done on the Collector Agent, so it can parse the radius accounting messages and add the users to FSSO user list? any reference for integration between radius and collecor agents?

 

Again, thank you for your advice.

View solution in original post

6365
Debbie_FTNT
Staff
Staff
In response to akala

Created on ‎08-05-2022 06:52 AM

Hey akala,

 

apologies, I was under the impression you're already using Collector Agent for FSSO, and the integration would have been fairly easy then.

If you are not using Collector Agent, can you let me know if you're polling from FortiGate directly, or using FortiAuthenticator to collect and provide FSSO information?

If you use FortiAuthenticator, you can do essentially the same (send RADIUS accounting to FortiAuthenticator, turn that into FSSO and share with FortiGate), but if you're polling AD directly from FortiGate, this would in fact require setting up a Collector Agent (and you could consider shifting your polling from FortiGate to Collector Agent, as Collector Agent offers more configuration options for that, and load on FortiGate itself would be reduced).

In either case, for Collector Agent setup:
- it needs to run on a server in your AD environment (that server can't also host a FortiClient EMS application), but it doesn't have to be a domain controller

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/573568/installing-the-fsso-agent
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/615946/agent-based-fsso-for-windows-ad

-> there could be conflict if you have an NPS role on the same server as the default port of 1813 might overlap
- you need to enable RADIUS accounting in the advanced settings on Collector Agent:

Debbie_FTNT_0-1659707180586.png

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

6357
10 REPLIES 10
Debbie_FTNT
Staff
Staff

Created on ‎08-05-2022 04:58 AM

Hey akala,

you can do something like this with the following setup:

- instead of RSSO on FortiGate, send accounting to collector agent

- Collector Agent can parse the radius accounting messages and add the users to FSSO user list

- Collector Agent then checks LDAP for group info

- Collector Agent sends logins from RADIUS accounting as FSSO logins (with FSSO groups) to FortiGate

- On FortiGate, you would just see FSSO users, but some of those FSSO users come from RADIUS Accounting indirectly

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
6103
Paccers
New Contributor
In response to Debbie_FTNT

Created on ‎03-20-2024 11:33 PM

Hi @Debbie_FTNT I just wanted to ask one thing around sending RADIUS Accounting to the collector agent.

 

If we forward Accounting to the FortiGate for RSSO session creation, there is the 'set rsso-flush-ip-session' command available which we can use to NOT close a session if an Accounting Stop is received.

 

Is there a way to be able to do this if we're sending RADIUS Accounting via the agent and not direct to the FortiGate?

2726
0 Kudos
Debbie_FTNT
Staff
Staff
In response to Paccers

Created on ‎05-27-2024 07:56 AM

Hey Paccers,

sorry, I only just saw your post. To my knowledge, there is no such setting on Collector Agent, sorry.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
1787
0 Kudos
akala
New Contributor II

Created on ‎08-05-2022 05:52 AM

Hi Debbie,

 

Thank you for the replies. That's great! that's the information i was looking for this couple days!

So instead of using RSSO, i can use Collector Agent, and send the Radius Accounting to Collector Agent.

Regarding the Collector Agent,

1. do i need to install the collector agent on the LDAP Server or i can install collector agent on any computer ? i red that installing collector agent requires to restart the host, is it correct ?

2. is there any configuration need to be done on the Collector Agent, so it can parse the radius accounting messages and add the users to FSSO user list? any reference for integration between radius and collecor agents?

 

Again, thank you for your advice.

6366
Debbie_FTNT
Staff
Staff
In response to akala

Created on ‎08-05-2022 06:52 AM

Hey akala,

 

apologies, I was under the impression you're already using Collector Agent for FSSO, and the integration would have been fairly easy then.

If you are not using Collector Agent, can you let me know if you're polling from FortiGate directly, or using FortiAuthenticator to collect and provide FSSO information?

If you use FortiAuthenticator, you can do essentially the same (send RADIUS accounting to FortiAuthenticator, turn that into FSSO and share with FortiGate), but if you're polling AD directly from FortiGate, this would in fact require setting up a Collector Agent (and you could consider shifting your polling from FortiGate to Collector Agent, as Collector Agent offers more configuration options for that, and load on FortiGate itself would be reduced).

In either case, for Collector Agent setup:
- it needs to run on a server in your AD environment (that server can't also host a FortiClient EMS application), but it doesn't have to be a domain controller

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/573568/installing-the-fsso-agent
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/615946/agent-based-fsso-for-windows-ad

-> there could be conflict if you have an NPS role on the same server as the default port of 1813 might overlap
- you need to enable RADIUS accounting in the advanced settings on Collector Agent:

Debbie_FTNT_0-1659707180586.png

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
6358
akala
New Contributor II
In response to Debbie_FTNT

Created on ‎08-05-2022 08:32 AM

Hi Debbie, 

thank you for the reply. actually we have not configure the FSSO yet on our deployment. Still planning how we will do it. Based on your information, i think the best way is to use collector agent. And send the radius accounting from the NPS to the CA.

So installing the CA on any computer which joined domain will works right ? is it require to restart the computer after installing the CA ?

6092
0 Kudos
akala
New Contributor II
In response to Debbie_FTNT

Created on ‎08-18-2022 11:04 AM

Hi Debby,

 

Hope you are doing well !

Since we will send the radius accounting log to Collector Agent, is there any consideration for the disk space/disk requirement/ram on the Windows Server which the CA installed ?

6037
0 Kudos
Debbie_FTNT
Staff
Staff
In response to akala

Created on ‎08-19-2022 04:45 AM

Hey akala,

there shouldn't be any particular additional resource requirements that I'm aware of, though it depends a bit on how much RADIUS accounting you intend to send.

I would suggest to simply keep an eye on it, and if you notice a delay between RADIUS accounting and the user showing as authenticated, that indicates there may be a resource issue and additional memory/CPU may be required.

There should be no additional disk requirements; the largest disk requirements for Collector Agent is the log file, really.

One thing to be aware of:
- if the server running the Collector Agent also hosts an NPS, you might run into issues on listening on default port 1813, and you might need to change the RADIUS accounting port on Collector Agent to something else (and allow that port through the windows firewall)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
6027
Kubajs
New Contributor III
In response to Debbie_FTNT

Created on ‎02-23-2024 01:48 AM

Hello @Debbie_FTNT 

I want to do the same as @akala , however I would need some advice. I have a working FSSO and now I would like to add only enumeration of users who log in with private devices via radius. I have both the Collector agent and NPS installed on the DC. In advanced settings I have enabled radius accounting, however I don't see anything in the firewall yet. Is there anything else I need to set up other than these settings?
Thank you.

2979
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.