jamacouve

How to set this up correctly. Fortigate, NPS and Cisco Wireless

Hi Guys,

 

So the above are the devices I need to set up. This was working before but some changes were made and I can't seem to get it right.

 

So the wireless device speaks to the Cisco AP who then speaks to the Cisco WLC. He has 802.1X configured and speaks to NPS to authenticate the user. This is working perfectly and the user can connect.

 

Now the part that I am struggling with... How do I set up RSSO on the Fortigate so I can see the users in the logs? I have tried doing some googling, but a lot of what I find relates to FortiAPs and RSSO, and it's a bit different.

 

Any help will be greatly appreciated.

bandersen_FTNT

Hi

 

in short:

At the NPS you need to enable RADIUS accounting to be sent to the FGT.

Also on NPS you need to add the Class attribute, as this value is used by the FGT to map users into RSSO groups.

Then enable RADIUS accounting listening on the FGT interface.

At FGT User & Device:

Create the RSSO single sign-on, create the RSSO agent.

Create the user group definition to be an RSSO group.

Edit your RADIUS settings in the FGT CLI:

1. fw (RSSO Agent) # set rsso-endpoint-attribute User-Name

 

Sorry, that was a very short version, let me know if this points you in the right direction?

 

/Brian

Regards

Brian, at Fortinet

xsilver_FTNT

In short, follow the cookbook http://cookbook.fortinet.com/rsso-wifi-access-control/

and from step "5. Configure the RADIUS server" on, set NPS to allow your AP (instead of FortiAP) to authenticate towards AD (probably done) and also send RADIUS accounting to the FortiGate unit whenever a user authenticates via the policy.

In step 8 and section "Select RADIUS Attributes" pay attention to the AVP sent from NPS to FortiGate with user group membership. This AVP (by default 'Class' but configurable in the CLI as 'rsso-attribute') has to match the FortiGate's rsso-attribute, and its value has to match the FortiGate's group config of 'RADIUS Attribute Value' (CLI user group <X> / sso-attribute-value).

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

jamacouve

Thanks, man. So seems I just had to change one small thing. 

 

I was sending accounting from the WLC directly to the Forti. Changed it to send accounting to NPS and NPS to Forti and this seemed to fix it.

xsilver_FTNT

If there is anything else generating complete accounting-requests (start/stop/interim), like the Wireless LAN Controller (WLC), then you can send that data to the FortiGate (FGT) from such a source directly.

I usually do not tend to trust NAS endpoints, so my approach is to generate accounting on the RADIUS server, the server which did the authentication and has an idea about the user.

But final design is up to you.

 

The only things the FGT needs in RSSO (a complete accounting-request) are:

- username (endpoint)
- Framed-IP-Address (to know the authenticated source IP, as in the end, for the firewall, it is source traffic authentication)
- and some group match attribute (sso-attribute and its value, by default the Class AVP).

 

If there is anything missing on the RADIUS server, like Framed-IP-Address, which is granted by DHCP, requested by the WLC, and assigned to the user post-authentication, then the RADIUS server (NPS) might not know the IP, and therefore it is better to send accounting from the (hopefully secured and trusted) WLC, which does have the IP address from DHCP (as it has to assign an IP during association between the end station and the SSID on some AP).

There are multiple ways to design that whole SSO.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
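As an added illustration of the three items listed above (this is not code from the thread or from Fortinet), the Python below builds a constructed RADIUS Accounting-Request, checks its Request Authenticator against the shared secret the way the RSSO agent does with rsso-validate-request-secret, and reports which of the attributes the FortiGate needs are absent. The secret, username, IP and Class value are made-up sample data.

```python
import hashlib
import struct
from ipaddress import IPv4Address

ACCT_REQUEST = 4  # RADIUS packet code for Accounting-Request (RFC 2866)
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Class": 25, "Acct-Status-Type": 40}
BY_TYPE = {v: k for k, v in ATTR.items()}
REQUIRED = ("User-Name", "Framed-IP-Address", "Class")  # what the RSSO agent needs

def build_acct_request(ident, secret, attrs):
    """Encode an Accounting-Request; Request Authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    body = b"".join(struct.pack("!BB", ATTR[n], len(v) + 2) + v for n, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_attrs(body):
    """Walk the type/length/value attribute list, rejecting truncated entries."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[BY_TYPE.get(body[i], body[i])] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs

def check_rsso(packet, secret):
    """Return (findings, decoded); empty findings means the FortiGate can use this packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    findings = [] if code == ACCT_REQUEST else ["code %d is not Accounting-Request" % code]
    body = packet[20:length]
    # Same check as 'set rsso-validate-request-secret enable' on the RSSO agent.
    if packet[4:20] != hashlib.md5(packet[:4] + bytes(16) + body + secret).digest():
        findings.append("Request Authenticator mismatch: shared secret differs")
    attrs = parse_attrs(body)
    findings += ["missing %s" % n for n in REQUIRED if n not in attrs]
    decoded = {n: attrs[n].decode() for n in ("User-Name", "Class") if n in attrs}
    if "Framed-IP-Address" in attrs:
        decoded["Framed-IP-Address"] = str(IPv4Address(attrs["Framed-IP-Address"]))
    return findings, decoded

# Constructed sample (not a capture): a Start record NPS might send for a wireless user.
SECRET = b"example-rsso-secret"
GOOD = build_acct_request(7, SECRET, [
    ("Acct-Status-Type", struct.pack("!I", 1)),  # 1 = Start
    ("User-Name", b"CORP\\alice"),
    ("Framed-IP-Address", IPv4Address("172.16.44.23").packed),
    ("Class", b"Wireless_Users"),  # must equal the group's sso-attribute-value
])
```

Running check_rsso on a record that lacks Framed-IP-Address (the NPS-without-DHCP case described above) reports exactly that missing attribute, which is the symptom of a user authenticating but never appearing as an RSSO logon.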

jamacouve

Hi Guys,

 

I'm back with this same issue.

 

Previously I had all the gateways terminating on the core switch which had a default route up to the Fortigate.

 

I have moved the L3 up to the Fortigate for more granular control, but now the wireless accounting is not working. (If I specify the user group they do not get internet.)

What I am getting a bit confused with is which interface to send the accounting packets to:

 

1) The interface for wifi users

2) the interface used for AP mgmt and how the wireless controller speaks to the ap

3) The server interface which NPS is on

 

I hope this makes sense

xsilver_FTNT

Not sure I got your current setup, but if you are sending RADIUS accounting from NPS to the FGT to get RSSO done on the FGT, then you should have one interface through which you can get from the FGT to NPS and back. On this interface 'set allowaccess' has to contain 'radius-acct' to let incoming accounting packets in.

+ RSSO agent .. basically:

    config user radius
        edit "RSSO"
            set rsso enable
        next
    end

    config user group
        edit "RSSO"
            set group-type rsso
            set sso-attribute-value "rsso-auth-group"
        next
    end

 

That is very default and minimalist.

And if RADIUS accounting arrives with Calling-Station-Id (as the user identification) and Class (as the group attribute, which has to match the configured "rsso-auth-group"), then the user will be seen as a member of the RSSO group.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

jamacouve

Thanks for the reply.

 

Put this diagram together quickly to show you the physical layout.

 

https://imgur.com/5rDSgQ9

jamacouve

Here is my config on the Forti:

    config user radius
        edit "RSSO_Agent"
            set rsso enable
            set rsso-radius-response enable
            set rsso-validate-request-secret enable
            set rsso-secret ENC BXiNG0vcXg2UeyOJNYXd1wOtB4nTooBXm8V5ZZEWPSEFWtSWGDCyEuFaKu02cW0IPL8sEqpE0ozoYC0VnDTwlrwhjNuCmdoP3cTrpsl+s4RE1erF7kfHjYeVARsynVT47bVwW3d6nkeLamk4lAmX+PjlocuSXxIPOsq9VsE3cVfTsigRBaJ/gXLwiLwbevv/elUPeA==
            set rsso-endpoint-attribute User-Name
            set rsso-endpoint-block-attribute Called-Station-Id
            set rsso-context-timeout 43200
        next
    end

 

    config user group
        edit "RSSO_Wireless_Users"
            set group-type rsso
            set sso-attribute-value "Wireless_Users"
        next
    end

 

    config firewall policy
        edit 17
            set name "WIFI TO INTERNET"
            set uuid 445819c4-055d-51e5-bcc8-ffabc3471504
            set srcintf "Wireless-Segeme"
            set dstintf "wan1"
            set srcaddr "Wireless Segment"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set logtraffic all
            set rsso enable
            set groups "RSSO_Wireless_Users"
            set comments "28th May 2015"
            set av-profile "default"
            set webfilter-profile "Corp"
            set dlp-sensor "Credit-Card"
            set ips-sensor "default"
            set application-list "Corp"
            set profile-protocol-options "default_Corp_sc"
            set ssl-ssh-profile "certificate-inspection"
            set traffic-shaper "Corp - Guaranteed"
            set traffic-shaper-reverse "Corp - Guaranteed"
            set nat enable
        next
    end

jamacouve

The users are authenticating so that section is fine.

 

I have set up a remote RADIUS group with the Fortigate's Wireless LAN IP (172.16.44.1) and am forwarding accounting there.

 
