Hello everyone, we have setup a basic wifi network (UniFi) which auth against a windows 2016R2 radius server
All is working fine.
The problem we are having is that the fortigate firewall is not seeing the usernames and therefore not pulling them into the correct rule set. Since users authenticate to WiFi using NPS on Win2016, FSSO does not detect them on FGT.
Is it possible to get FGT to detect which user is authenticated by the RADIUS server?
I tried this: https://cookbook.fortinet.com/ssl-vpn-radius-authentication/ but without success. But I do not know if it is right for this workaround.
Thank you.
Jirka
Hi rafiki,
yes, the problem was that I had to add an attribute named "Class" to the NPS and specify the exact name of the group that was created on FGT - see the screenshot.
Jirka
Thanks Jirka,
I have the same config as you, but the groups are still missing.
I can see the usernames but not the groups.
Best regards
Rafa
I have the same error. Has anyone solved this issue?
It looks like the group isn't filled.
Received radius accounting event
Missing profile name.
vd 0:root Add/Update auth logon for IP 10.10.3.150 for user ipad3
DB 0 insert [ep='ipad3' pg='n/a' ip='10.10.3.150/32'] success
This is the RSSO config on the FortiGate
show user radius
config user radius
    edit "RSSO-AGENT"
        set rsso enable
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret ENC LLwWF4BlsG4HzddgwwyhBUlb48tnyUWmpoRpPCFBx7covE9rileu+w2eZmVj2NEkF6+ztzbJpjLGAbNfWNevIcayEmuq4CKpgQiCD/ZMi3pgov4EXWsEIr6w89fphYc4veTWqWJwVMScPlMNlGvBS8eob1vJ1RlsLbWlSEn/3htCcYfxxOD+kbP1t6e5fAbzWDI3tw==
        set rsso-endpoint-attribute User-Name
        set sso-attribute Filter-Id
    next
end
config user group
    edit "wireless-rsso"
        set group-type rsso
        set sso-attribute-value "wireless-rsso"
    next
    edit "wired-rsso"
        set group-type rsso
        set sso-attribute-value "rsso-wireless"
    next
end
The RADIUS account messages can be found in the attachment. I am using Aruba ClearPass as RADIUS server.
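As an added example (not code from this thread or from Fortinet), here is a Python sketch of what an RSSO collector does with an Accounting-Request: it validates the Request Authenticator against the shared secret (the check behind rsso-validate-request-secret), walks the attributes, takes the endpoint from User-Name, the IP from Framed-IP-Address, and the profile group from the configured sso-attribute (Filter-Id by default, Class as in the accepted answer). The shared secret and the sample packet for ipad3 are constructed; the group-to-value mapping is copied from the config above, and a packet without Filter-Id produces the pg='n/a' seen in the debug output.

```python
import hashlib
import struct
# RADIUS attribute types (RFC 2865/2866) that RSSO cares about
USER_NAME, FRAMED_IP, FILTER_ID, CLASS, ACCT_STATUS_TYPE = 1, 8, 11, 25, 40
ACCT_START = struct.pack("!I", 1)
SECRET = b"constructed-shared-secret"  # placeholder, not a real secret
GROUPS = {"wireless-rsso": "wireless-rsso", "wired-rsso": "rsso-wireless"}

def build_acct_request(attrs, secret, ident=1):
    # Constructed Acct-Request; RFC 2866 authenticator = MD5(hdr + 16 zero octets + attrs + secret)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 4, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def validate_request_secret(packet, secret):  # "set rsso-validate-request-secret enable"
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]

def parse_attributes(packet):
    # Walk the attribute TLVs after the 20-byte header; reject bad lengths
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        t, l = packet[pos], packet[pos + 1]
        attrs.setdefault(t, packet[pos + 2:pos + l])  # first value wins
        pos += l
    return attrs

def rsso_logon(packet, secret, groups, sso_attribute=FILTER_ID):
    # Endpoint = User-Name, IP = Framed-IP-Address, profile = sso-attribute value or 'n/a'
    if not validate_request_secret(packet, secret):
        return None
    a = parse_attributes(packet)
    if a.get(ACCT_STATUS_TYPE) != ACCT_START:
        return None
    value = a.get(sso_attribute, b"").decode(errors="replace")
    return {"user": a.get(USER_NAME, b"").decode(errors="replace"),
            "ip": ".".join(str(b) for b in a.get(FRAMED_IP, b"")),
            "profile": value or "n/a",
            "groups": [g for g, v in groups.items() if v == value]}

def demo(with_filter_id=True):
    # Sample Acct-Start for user ipad3 at 10.10.3.150, as in the debug output
    attrs = [(USER_NAME, b"ipad3"), (FRAMED_IP, bytes([10, 10, 3, 150])),
             (ACCT_STATUS_TYPE, ACCT_START)]
    if with_filter_id:
        attrs.append((FILTER_ID, b"wireless-rsso"))
    return rsso_logon(build_acct_request(attrs, SECRET), SECRET, GROUPS)
```

Running demo(False) is the quickest way to reproduce the "Missing profile name" case offline before comparing against a packet capture from the real RADIUS server.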
rafiki wrote:
"Been there, done that. I did some more troubleshooting and made a packet capture on the CPPM. It looks like the Filter-Id isn't sent by ClearPass to the FortiGate. I created a TAC case to check the CPPM. I have done the config on another CPPM / FortiGate and there it works flawlessly."
Set Value = name of the Group used in the Forti policies: wireless-rsso
Hi Rene,
Could you please advise what other change you made to resolve the ClearPass to FortiGate group membership issue?
Hello Bennoide,
My problem was the "battery" service on ClearPass. This service is responsible for things like CoA and accounting. The service was corrupted and had to be reinitialized by TAC. After this it worked instantaneously.
We had an issue: we just didn't see the "User Group" names. We downgraded the firmware (to 6.2.2) and RSSO was fine; after upgrading back (to 6.2.3) we still had successfully detected RSSO user groups. Now we are using 6.2.4 and RSSO works fine.
Copyright 2024 Fortinet, Inc. All Rights Reserved.