Is RSSO authentication really unreliable?
I have my NPS sending radius accounting packets to a monitored port but am getting very intermittent authentication.
Is there somewhere I should be looking?
Ta!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
once properly set it is usually pretty reliable.
However, by default RADIUS Accounting Requests are just sent and answer (and so confirmation) is optional AFAIK and even when sent by recipient it might not make sender (NPS in your case) to re-send/repeat request.
Therefore I would state the RSSO as reliable as underlying network is.
If there is any insecure network on the way, or something dropping packets, then chance is that your RADIUS Accounting request has been dropped as well.
So, use out of band, network to deliver those accounting data.
Or use NAS as source and not NPS (RADIUS Server) as NAS (WLC for example) is expected to be closer to FortiGate (probably on same site, while NPS is on HQ site).
Troubleshoot .. it's by default pretty plain-text protocol, so "diag sniff packet any 'port 1813' 6 0 a" is just one of the possibilities. Plus Wireshark on NPS .. and so you should see if packet was actually sent, and if it was also received.
And more importantly what was inside.
If it was sent to FGT, then 'diag test application radiusd' is your helper. Verbosity 0 will show you options. Most useful is 3 and 33.
Then 'diag debug application radiusd -1' will show you real time what's happened to received data.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.