Hello everyone,
I'm testing RSSO Authentication usign NPS Radius. Until now, I managed to see the authenticated user on Firewall monitor by sending the accounting packets from AP first to NPS, and then NPS to Fortigate. However, the group is empty, altough I already set the class AVP on the NPS policy.
I tried also with Filter-ID AVP, but it doesnt work.
To check configuration on Fortigate, I tested with radclient tool and it works well, I can see my test3 user correctly assign to the RSSO_Group.
I notice that the problem is that NPS doesnt send the class AVP on accounting request to FG, I just saw it on the Access-Acept from NPS to AP.
Not class AVP on accounting-request packet from NPS to Fortigate:
For the capture, I think the problem is a missing configuration on NPS but not sure, If someone know how to fix it, I really appreciate your help.
Thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
In short your observation is correct, it seems that NPS is not able to enhance Accounting-Request packets and add Class into them. In a bit longer, and with more details from my testing: NPS does NOT send Accounting-Request packets to FGT on it's own, but is able to resend those if set to "Forward accounting requests to this remote RADIUS server group" in Connection Request Policies.
NPS do NOT respect, or use, what's set in Connection Request Policies / Settings / RADIUS Attributes. And those AVPs are NOT attached to forwarded accounting requests.
Those AVPs ARE USED and added to Access-Accept when NPS does accept Access-Request and validates user credentials OK.
Therefore, if your WLC (wireless controller / access point) does authenticate users against NPS, and so collect Access-Accept, WITH AVPs like Class containing right string (the one used in firewall group and sso-attribute-value on FGT).
Then this WLC should transfer Class AVP from received Access-Accept to newly formed Accounting-Request Type=Start.
Then NPS can/will forward it to FGT. However in this point I do not see any reason why not send it directly to FGT.
When I used NTRADPing tool to send crafted Accounting-Request type=start to NPS, and that one contained Class="VIP", Framed-IP-Address=10.10.10.1 + User-Name="usera".
Then this one was forwarded to set FGT with those AVPs kept intact.
Config on FGT to receive RSSO data (+ allowaccess radius-acct on port) as bellow:
config user radius edit "RSSO" set rsso enable set rsso-radius-response enable set rsso-endpoint-attribute User-Name <<< to have usernames, not MAC addresses in log and SSO user list next end
config user group edit "RSSO_Users" set group-type rsso set sso-attribute-value "VIP" <<< default sso-attribute in "RSSO" above is Class AVP next end
And then 'diag test app radiusd -1' reported:
Received radius accounting eventvd 0:root Add/Update auth logon for IP 10.10.10.1 for user usera DB 0 insert [ep='usera' pg='VIP' ip='10.10.10.1/32'] success
FGT# diag test application radiusd 3 RADIUS server database [vd root]: "index","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile" 1,07:36:49,"10.10.10.1""usera","allow","no log","VIP",1,No
And so, forwarding works. And if WLC would copy Access-Accept Class to Accounting-Request, it would work.
Or if we will find a way how to convince NPS to add AVPs to Accounting data, or originate it's own Accounting-Request Type=Start once it sends out Access-Accept. But that is most likely by design, as NPS is RADIUS server, while Accounting should be sent from NAS which is in this case your WLC.
It seems there is not much in Accounting handling on NPS. Latest MSFT doc I found .. https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-accounting-configure
Tried to google around, but haven't found much either.
If you have FortiAuthenticator (FAC), by any chance, then it seems to me solvable this way. Where FAC will acct as RSSO receiver / Collector, gather Accounting data from WLC and enhance those with group membership of the user (acquired from RADIUS User-Name in Accounting) from AD via LDAP(S), and then sending those complete SSO data to FGT.
Simple RSSO can be achieved by standalone Collector Agent, but so far it sort of refuses to resolve groups for me. Not quite sure if it's intended limitation or if I made a config mistake. Both possible.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.