Hello,
I have been trying to solve the following problem with the RSSO agent for a long time... Mikrotik CAPsMAN access points are connected to a Win2016 NPS via RADIUS, and on the NPS accounting is set to be forwarded to the FGT81F (6.4.5). But I am not able to see an authenticated user on the FGT. I use the same configuration for Ruckus and UniFi access points and everything works great. Radius server + agent cfg:
config user radius
    edit "RSSO Agent"
        set timeout 5
        set radius-coa disable
        set h3c-compatibility disable
        set username-case-sensitive disable
        unset group-override-attr-type
        set password-renewal enable
        set password-encoding auto
        set acct-all-servers disable
        set switch-controller-acct-fast-framedip-detect 2
        set interface-select-method auto
        unset switch-controller-service-type
        set rsso enable
        set rsso-radius-server-port 1813
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret ENC BWVi8jiNSbWrnfQrsZJV/iwmTJSIoqVCWDBtG4brlDAlxt2+25NbNiYev+G8j7mIpOs8soiVxdry0rK3Dyy+EW04IEDjbg8cv7MO5hH+TiTTJ9T2dTg90Vm8b4OAN1vHGnrUOasd07PGT/yEOjilRttWmGWQRPc3CGT55EHhzmeKQGmSXdprOsy/2MTXH9e9EgYdkg==
        set rsso-endpoint-attribute User-Name
        unset rsso-endpoint-block-attribute
        set sso-attribute Class
        set sso-attribute-key ''
        set sso-attribute-value-override enable
        set rsso-context-timeout 28800
        set rsso-log-period 0
        set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
        set rsso-flush-ip-session disable
        set rsso-ep-one-ip-only disable
    next
    edit "LACO-NPS"
        set server "192.168.77.58"
        set secret ENC y4JiUEHpvYZXATetvTqcEPOAmr+VO0WW9Klu0D/olfxwccW920psD1bj6JDpYyAWxR1MSl4yiYCvCggqTB1//vPLjQ5BlQ9DtCtvNm9TtPcI0ar7gzL1b8qECDQDbolHwOketay9/Ict3I8J3522o776NXo7Wu1V+JV/1gpDbsYNvcSrerBpdcmPKW8AjVm5t4BY+w==
        set timeout 5
        set all-usergroup disable
        set use-management-vdom disable
        set nas-ip 0.0.0.0
        set acct-interim-interval 0
        set radius-coa disable
        set radius-port 0
        set h3c-compatibility disable
        set auth-type ms_chap_v2
        set source-ip ''
        set username-case-sensitive disable
        unset group-override-attr-type
        set password-renewal enable
        set password-encoding auto
        set acct-all-servers disable
        set switch-controller-acct-fast-framedip-detect 2
        set interface-select-method auto
        unset switch-controller-service-type
        set rsso disable
        set secondary-server ''
        set secondary-secret ENC tul7D8V9m8GLwQ6qqwIn4I0fau8BeAu36JiSBk0k2SJc/myfkgVVofPSDaIKpnSMrPz2Iq7kkjG5GMo8HbpMWy38hm5LIK6yX+vfjBEPlxEr+0rPE2KbfVunAhqQ0sTdKZjT5Zh/men96y/UDgErYnUJWMXs+zPgtWCSyO8GUnBTT8+PZYZ56uNaPk4S3tNN69Ut9A==
        set tertiary-server ''
        set tertiary-secret ENC X789ohCg+TCVjCEWBQUk6ykImXYi9aQ2U+wGll27M8NiKu1sRfxiJx7JR5A7w02RcYNIaJpMU9OcJ1gYJJGw/gelqWlcQ7cYNKsi0SiCWXaP16J9c/w5ldlkqGeB2KdafBgivodw9juyQ2xzGO0+/9aXNTLBl8R6ZORHf3PnQZQKU03eeuIGJL7/0LbDxPEvnoqcBw==
    next
end

Accounting enabled on the interface:
config system interface
    edit "77-xxxxx"
        set vdom "root"
        set ip 192.168.77.1 255.255.255.0
        set allowaccess ping https ssh radius-acct
        set alias "xxxxxxx"
        set device-identification enable
        set role lan
        set snmp-index 29
        set color 15
        set interface "fortilink"
        set vlanid 77
    next
end

Group created:
config user group
    edit "xxxxxWiFi"
        set group-type rsso
        set authtimeout 0
        set sso-attribute-value "WiFi"
    next
end

If I look at the packets coming in on the FGT, I see that the data in the User-Name attribute is missing in the Class AVP.
Frame 56: 239 bytes on wire (1912 bits), 239 bytes captured (1912 bits)
Ethernet II, Src: VMware_74:40:f5 (00:0c:29:74:40:f5), Dst: Fortinet_2e:25:66 (d4:76:a0:2e:25:66)
Internet Protocol Version 4, Src: 192.168.77.58, Dst: 192.168.77.1
User Datagram Protocol, Src Port: 60238, Dst Port: 1813
RADIUS Protocol
Code: Accounting-Request (4)
Packet identifier: 0x2 (2)
Length: 197
Authenticator: 17c7ebc18c10b58f8f233a07ed4d7a7c
[The response to this request is in frame 57]
Attribute Value Pairs
AVP: t=Service-Type(6) l=6 val=Framed(2)
AVP: t=NAS-Port-Id(87) l=8 val=cap413
AVP: t=NAS-Port-Type(61) l=6 val=Wireless-802.11(19)
AVP: t=User-Name(1) l=2 val=
AVP: t=Class(25) l=7 val=5a65627261
AVP: t=Class(25) l=46 val=667c04ff0000013700010200c0a84d3a00000000000000000000000001d74008712ffe00…
AVP: t=Acct-Session-Id(44) l=10 val=820003c7
AVP: t=Calling-Station-Id(31) l=19 val=6A-3D-89-BF-1B-C3
AVP: t=Called-Station-Id(30) l=28 val=48-8F-5A-29-41-90:CORP_5G
AVP: t=Acct-Authentic(45) l=6 val=RADIUS(1)
AVP: t=Acct-Status-Type(40) l=6 val=Start(1)
AVP: t=NAS-Identifier(32) l=11 val=
AVP: t=Acct-Delay-Time(41) l=6 val=0
AVP: t=NAS-IP-Address(4) l=6 val=192.168.100.2
AVP: t=Proxy-State(33) l=10 val=c0a84d3a00000008
However, with the same NPS settings and using Ruckus or UniFi, this attribute is filled in correctly.
Of course, I tried to play with Vendor Attributes on NPS, but I think that if Mikrotik -> NPS authentication works correctly, all AVPs must be passed to the FGT, right?
Thank you for your help.
Jirka
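A small checker for the kind of Accounting-Request shown above, added here as an example; it is not code from the post, from Fortinet or from Mikrotik. It rebuilds an Accounting-Request with the same attribute order and printable values as frame 56 (empty User-Name, no Framed-IP-Address, the Class value 5a65627261), recomputes the RFC 2866 Request Authenticator the way `set rsso-validate-request-secret enable` does, and then reports every reason an RSSO agent configured with `rsso-endpoint-attribute User-Name`, `sso-attribute Class` and a group whose `sso-attribute-value` is "WiFi" could not turn the packet into a logon entry. The shared secret, the opaque second Class value, the "user1" account, the 192.168.77.42 address and all function names (`build_accounting_request`, `parse_attributes`, `verify_request_authenticator`, `rsso_check`) are constructed for this example; the captured authenticator is not reproduced because the real secret is not on the page.

```python
import hashlib
import hmac
import struct

# RADIUS type codes (RFC 2865/2866) for the attributes inspected below
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CLASS = 1, 4, 8, 25
CALLED_STATION_ID, CALLING_STATION_ID, PROXY_STATE = 30, 31, 33
ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_SESSION_ID, ACCT_AUTHENTIC = 40, 41, 44, 45
SERVICE_TYPE, NAS_PORT_TYPE, NAS_PORT_ID = 6, 61, 87
ACCOUNTING_REQUEST = 4
ACCT_START = struct.pack("!I", 1)


def build_accounting_request(identifier, attrs, secret):
    """Assemble an Accounting-Request. RFC 2866 section 3 defines its Request
    Authenticator as MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_attributes(packet):
    """Walk the TLV attribute list; a bad length aborts instead of reading past the end."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute length at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def verify_request_authenticator(packet, secret):
    """Recompute the Request Authenticator with our copy of the shared secret; this is
    the check 'set rsso-validate-request-secret enable' performs before trusting a packet."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def rsso_check(packet, secret, group_value, endpoint_attr=USER_NAME, sso_attr=CLASS):
    """Return what an RSSO agent could learn from this packet plus every reason it
    would still not produce a logon entry for the configured group."""
    problems = []
    if packet[0] != ACCOUNTING_REQUEST:
        problems.append("code %d is not Accounting-Request" % packet[0])
    if not verify_request_authenticator(packet, secret):
        problems.append("Request Authenticator mismatch (shared secret differs)")
    values = {}
    for t, v in parse_attributes(packet):
        values.setdefault(t, []).append(v)
    if values.get(ACCT_STATUS_TYPE, [b""])[0] != ACCT_START:
        problems.append("Acct-Status-Type is not Start")
    user = values.get(endpoint_attr, [b""])[0].decode("latin-1")
    if not user:
        problems.append("endpoint attribute (type %d) empty or missing" % endpoint_attr)
    ip = None
    if FRAMED_IP_ADDRESS in values and len(values[FRAMED_IP_ADDRESS][0]) == 4:
        ip = "%d.%d.%d.%d" % tuple(values[FRAMED_IP_ADDRESS][0])
    else:
        problems.append("Framed-IP-Address missing, no IP to bind the user to")
    groups = [v.decode("latin-1", "replace") for v in values.get(sso_attr, [])]
    if group_value not in groups:
        problems.append("no sso-attribute (type %d) value equals the group's "
                        "sso-attribute-value %r" % (sso_attr, group_value))
    return {"user": user, "ip": ip, "groups": groups, "problems": problems}


SECRET = b"constructed-shared-secret"  # constructed; the page's secrets are encrypted blobs

# Constructed reconstruction of frame 56: same attribute order and printable values,
# an empty User-Name and no Framed-IP-Address. The second Class value stands in for
# the truncated opaque one in the capture.
CAPTURED_LIKE = build_accounting_request(2, [
    (SERVICE_TYPE, struct.pack("!I", 2)),
    (NAS_PORT_ID, b"cap413"),
    (NAS_PORT_TYPE, struct.pack("!I", 19)),
    (USER_NAME, b""),
    (CLASS, bytes.fromhex("5a65627261")),            # decodes to "Zebra"
    (CLASS, b"constructed-opaque-class"),
    (ACCT_SESSION_ID, b"820003c7"),
    (CALLING_STATION_ID, b"6A-3D-89-BF-1B-C3"),
    (CALLED_STATION_ID, b"48-8F-5A-29-41-90:CORP_5G"),
    (ACCT_AUTHENTIC, struct.pack("!I", 1)),
    (ACCT_STATUS_TYPE, ACCT_START),
    (ACCT_DELAY_TIME, struct.pack("!I", 0)),
    (NAS_IP_ADDRESS, bytes([192, 168, 100, 2])),
    (PROXY_STATE, bytes.fromhex("c0a84d3a00000008")),
], SECRET)

# Constructed Start carrying everything the agent needs for a group with value "WiFi".
COMPLETE = build_accounting_request(3, [
    (USER_NAME, b"user1"),                            # constructed account
    (FRAMED_IP_ADDRESS, bytes([192, 168, 77, 42])),   # constructed client address
    (CLASS, b"WiFi"),
    (ACCT_STATUS_TYPE, ACCT_START),
    (ACCT_SESSION_ID, b"constructed01"),
], SECRET)

if __name__ == "__main__":
    for name, pkt in (("captured-like", CAPTURED_LIKE), ("complete", COMPLETE)):
        print(name, rsso_check(pkt, SECRET, "WiFi"))
```

Run against the reconstructed frame, the checker lists three problems: the endpoint attribute is empty, there is no Framed-IP-Address to bind a user to, and the decoded Class value "Zebra" is not the group's "WiFi"; the constructed complete Start reports none. Pointing the same checker at packets captured on the radius-acct interface is a quick way to tell an NAS that sends incomplete accounting apart from a secret or group mismatch on the FortiGate side.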