Jirka1
Contributor III

RSSO authentication

Hello everyone, we have set up a basic WiFi network (UniFi) which authenticates against a Windows 2016R2 RADIUS server.

All is working fine.

The problem we are having is that the FortiGate firewall is not seeing the usernames and therefore not pulling them into the correct rule set. Since users authenticate to WiFi using NPS on Win2016, FSSO does not detect them on the FGT.

Is it possible to get the FGT to detect which user is authenticated by RADIUS?

I tried this: https://cookbook.fortinet.com/ssl-vpn-radius-authentication/ but unsuccessfully. But I do not know if it is right for this workaround.

Thank you.

Jirka

1 Solution
Jirka1
Contributor III

Hi rafiki,

Yes, the problem was that I had to add an attribute named "Class" to the NPS and specify the exact name of the group that was created on the FGT - see the screenshot.

Jirka


rafiki
New Contributor

Thanks Jirka,

I have the same config as you, but the groups are still missing.

I can see the usernames but not the groups.

Best regards

Rafa

Rene_Jorissen

I have the same error. Has anyone solved this issue?

It looks like the group isn't filled.

Received radius accounting event
Missing profile name.
vd 0:root Add/Update auth logon for IP 10.10.3.150 for user ipad3
DB 0 insert [ep='ipad3' pg='n/a' ip='10.10.3.150/32'] success

This is the RSSO config on the FortiGate

show user radius
    edit "RSSO-AGENT"
        set rsso enable
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret ENC LLwWF4BlsG4HzddgwwyhBUlb48tnyUWmpoRpPCFBx7covE9rileu+w2eZmVj2NEkF6+ztzbJpjLGAbNfWNevIcayEmuq4CKpgQiCD/ZMi3pgov4EXWsEIr6w89fphYc4veTWqWJwVMScPlMNlGvBS8eob1vJ1RlsLbWlSEn/3htCcYfxxOD+kbP1t6e5fAbzWDI3tw==
        set rsso-endpoint-attribute User-Name
        set sso-attribute Filter-Id
    next
end

show user group
    edit "wireless-rsso"
        set group-type rsso
        set sso-attribute-value "wireless-rsso"
    next
    edit "wired-rsso"
        set group-type rsso
        set sso-attribute-value "rsso-wireless"
    next
end

The RADIUS account messages can be found in the attachment. I am using Aruba ClearPass as RADIUS server.
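As an added illustration (not code from any post in this thread), the following Python models what the RSSO agent does with one Accounting-Request under the configuration quoted above: it checks the Request Authenticator against the shared secret (what rsso-validate-request-secret enables), parses the attributes, takes the endpoint from User-Name and matches the configured sso-attribute against each group's sso-attribute-value. The secret, packet and group table are constructed; when the RADIUS server omits Filter-Id the result is pg='n/a', exactly what the debug line above shows.

```python
import hashlib
import struct

# RADIUS codes and attribute types (RFC 2865/2866) that RSSO relies on
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP, FILTER_ID, CLASS = 1, 8, 11, 25

# Constructed sample values; the secret is a placeholder, not the ENC blob above
SECRET = b"example-secret"
GROUPS = {"wireless-rsso": "wireless-rsso", "wired-rsso": "rsso-wireless"}

def build_accounting_request(ident, secret, attrs):
    """Constructed Accounting-Request with the RFC 2866 Request Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_attributes(pkt):
    """Return [(type, value_bytes), ...]; rejects truncated attributes."""
    length = min(struct.unpack("!H", pkt[2:4])[0], len(pkt))
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return attrs

def authenticator_valid(pkt, secret):
    """What 'rsso-validate-request-secret' checks: recompute and compare."""
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return expected == pkt[4:20]

def rsso_lookup(pkt, secret, sso_attribute, groups):
    """Mimic the RSSO agent: endpoint from User-Name, group from the configured
    sso-attribute matched against each group's sso-attribute-value."""
    if pkt[0] != ACCOUNTING_REQUEST or not authenticator_valid(pkt, secret):
        return None
    user, ip, values = None, None, []
    for t, v in parse_attributes(pkt):
        if t == USER_NAME:
            user = v.decode()
        elif t == FRAMED_IP:
            ip = ".".join(str(b) for b in v)
        elif t == sso_attribute:
            values.append(v.decode())
    matched = [g for g, val in groups.items() if val in values]
    return {"ep": user, "ip": ip, "pg": matched or ["n/a"]}
```

Note that with the GROUPS table mirroring the quoted config, "wired-rsso" can only ever match a Filter-Id of "rsso-wireless", so a mismatched sso-attribute-value shows up the same way as a missing attribute.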

rafiki

Set Value = name of the Group used in the Forti policies.

wireless-rsso

Rene_Jorissen

rafiki wrote:

Set Value = name of the Group used in the Forti policies.

wireless-rsso

Been there, done that. I did some more troubleshooting and made a packet capture on the CPPM. It looks like the Filter-Id isn't sent by ClearPass to the FortiGate. I created a TAC case to check the CPPM. I have done the config on another CPPM / FortiGate and there it works flawlessly.

Bennoide

Hi Rene,

Could you please advise what other changes you made to resolve the ClearPass to FortiGate group membership issues?

Rene_Jorissen

Hello Bennoide,

My problem was the "battery" service on ClearPass. This service is responsible for things like CoA and accounting. The service was corrupted and had to be reinitialized by TAC. After this it worked instantaneously.

owla
New Contributor

We had an issue: we just didn't see the "User Group" names. We downgraded firmware (to 6.2.2) and RSSO was fine; after upgrading back (to 6.2.3) we still had successfully detected RSSO user groups. Now we are using 6.2.4 and RSSO works fine.
