Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RSSO authentication
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RSSO authentication
Hello everyone, we have setup a basic wifi network (UniFi) which auth against a windows 2016R2 radius server
All is working fine.
The problem we are having is that the fortigate firewall is not seeing the usernames and therefore not pulling them into the correct rule set. Since users authenticate to WiFi using NPS on Win2016, FSSO does not detect them on FGT.
Is it possible to get FGT to detect which user is authenticated by the radius??
I tried this: https: //cookbook.fortinet.com/ssl-vpn-radius-authentication/ and unsuccessfully. But I do not know if it is right for this workaround.
Thank you.
Jirka
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rafiki,
yes, the problem was that I had to add an attribute named "Class" to the NPS and specify the exact name of the group that was created on FGT - see the screenshot.
Jirka
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The RSSO radius implementation would be different from the SSL VPN one.
There's a document that goes through integrating with NPS and RSSO here: https://docs.fortinet.com/uploaded/files/2345/fortios-radius-single-sign-nps-523.pdf
It's the older version of FortiOS but should still be good.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
if user logon do not create event on Windows AD, or is audit of such events is disabled, then FSSO will see nothing. So to make FSSO working make sure your DCs audit logon events (at least success logon).
Alternative approaches are:
- WSSO if FortiGate is the controller then it's able to remember logons - RSSO so make NPS to send RADIUS Accounting to FortiGate and setup RSSO agent and groups
Choose one of those 3 methods. I would not suggest to combine those.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Tomas, I tried to follow the recommendations of the "neonbit" user, unfortunately it does not work. NPS on Win2016R2 is set according to the screenshot. Radius connection test is successful. User Authentication Not.
FGT81-xxxxxx (radius) # show full-configuration
config user radius
edit "RSSO Agent"
set timeout 5
set radius-coa disable
set h3c-compatibility disable
set username-case-sensitive disable
set password-renewal disable
set password-encoding auto
set acct-all-servers disable
set rsso enable
set rsso-radius-server-port 1813
set rsso-radius-response enable
set rsso-validate-request-secret enable
set rsso-secret ENC S6LV+Oa2bXI7dBOywvWPudKiGwjLeldiyg2F+RDcecYyBjwY37PRGr3Vd54TierR6QRiiv1SI//ZsiguS7fy8MVftt6wa/FC6ubmM6lfkg5mehZAhhVgXwoF6qO1e80srOIRTZ4SYwkzBJcEDr/bRT7MoSZ2roT9sBzbl/pH5SpsDHQhMqZhRLAaIGrPTvlnQ6q5Qw==
set rsso-endpoint-attribute User-Name
unset rsso-endpoint-block-attribute
set sso-attribute Class
set sso-attribute-key ''
set sso-attribute-value-override enable
set rsso-context-timeout 28800
set rsso-log-period 0
set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
--More-- set rsso-flush-ip-session disable
set rsso-ep-one-ip-only disable
next
edit "RSSO-PDC"
set server "172.28.0.2"
set secret ENC zuxEeGMjKCmXCawpxSsYr0Bj2VZqt6V2z4p0enb2ZWkywD1HGw9mYTo5LbaoBU69R2LRreaFsfD+AmgRatUV3GLJqy3B8dG98gSqqMQr2dVoLDMhSQ1MOY03BaG1HKncvULLPHxHrxuvvEJUJgIziRzSFHf3jIBDqD7LH93NWDbBc+CGmC189MTqaK3WmGR8QcMlNw==
set timeout 5
set all-usergroup disable
set use-management-vdom disable
set nas-ip 0.0.0.0
set acct-interim-interval 0
set radius-coa disable
set radius-port 0
set h3c-compatibility disable
set auth-type ms_chap_v2
set source-ip ''
set username-case-sensitive disable
set password-renewal disable
set password-encoding auto
set acct-all-servers disable
set rsso disable
set secondary-server ''
--More-- set secondary-secret ENC UNS8CrDt5nu6R/sl3hlzD8AtmR3cXmK4+J227CTfE+n391rr+7kIfU0C0Ilruu0hQMWtcFlqb+rHDgZq9nc+L6H6gh6MPZOqY0QrA4uz4Hfeu/ns3ql6BS/TNJ90qgZOwOr1/Czv+ZBdPj7cwVITf+qceCWKOfvNdT9ML4XC5mbMsVZ6mo0t2p3i42epi9QCOe7o/w==
set tertiary-server ''
set tertiary-secret ENC StUafpxxLJRs/bGUvcqvJKFZpvBHZhLHeDt1JPZLHEK5Ge84QBJ01ucugwHyOj432O6j295xw65OXf58y+7bNOi3zQCdW23AtFDVo4WAo5Wi3Rtc240R7+Wr0AB2qDOWZuStnpPpWZ1jn9oSurzY66DBkx3qiXK7Z017k3gj/WIMkaEKTgFfT7eQL4IAW6DXvHPnKA==
config accounting-server
edit 1
set status enable
set server "172.28.0.2"
set secret ENC WZ/ACTtaQEnzmTMj1CJWVMa6OKIM4MxCivB1BApM1r+9zZxuPxdz8HVKHn+tZpkIyVaGUoEnLaRhNxJ+PDq6rTxT3s1sRLy7XW2Ky3ZE61L6Ri/6RiGylrVzREn2+5LjAyk5urCuxurykVHqvQkuFI1WJ+RTecjWc7V2RL0F3qERTalnATCu+WAVPJ1JAmOc/HCt9Q==
set port 0
set source-ip ''
next
end
next
end
FGT81-xxxxxx # diag test application radiusd 3
No RADIUS server database [vd root]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you take a packet capture of RADIUS traffic from/to the FortiGate to the RADIUS server to see which RADIUS attributes are being sent to the FortiGate when a user logs in?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, now I do not have the opportunity to be on the site and capture the wireshark traffic. This is traffic generated by "Test User Credentials" in the FortiGate. But it will end up failing :(To be clear - I do not need to verify anything on FGT, I just need FGT to see the users logged through NPS. An audit on Win2016 is enabled and I see logs of all logins throught NPS.
FGT81-xxxx# diag sniffer packet any 'port 1812 or 1813' 4 500
interfaces=[any]
filters=[port 1812 or 1813]
4.887916 VLAN28 out 172.28.0.1.10438 -> 172.28.0.2.1812: udp 67
4.887933 port2 out 172.28.0.1.10438 -> 172.28.0.2.1812: udp 67
4.890612 VLAN28 in 172.28.0.2.1812 -> 172.28.0.1.10438: udp 20
5.604139 VLAN28 out 172.28.0.1.7897 -> 172.28.0.2.1812: udp 67
5.604161 port2 out 172.28.0.1.7897 -> 172.28.0.2.1812: udp 67
5.607070 VLAN28 in 172.28.0.2.1812 -> 172.28.0.1.7897: udp 20
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay. Everything I've now tried to set up again. Exactly according to these instructions: https://docs.fortinet.com/uploaded/files/2716/fortios-rsso-with-win-server-2012-and-nps.pdf.
I'm intrigued by the "sso-attribute-key" parameter: Should not the "Attribute Information" value (I have "WiFiStudents" set on the NPS)? Tento paramatr
I do not understand how to properly validate and debug it. When you enter the "diag firewall auth list" command, I see the FSSO login only in the list but I see users logged in to the NPS in the log .
Thanks, Jirka
FGT81-xxxxradius) # FGT81-xxxx (radius) # sh full-configuration
config user radius
edit "RSSO/Agent"
set timeout 5
set radius-coa disable
set h3c-compatibility disable
set username-case-sensitive disable
set password-renewal disable
set password-encoding auto
set acct-all-servers disable
set rsso enable
set rsso-radius-server-port 1813
set rsso-radius-response enable
set rsso-validate-request-secret enable
set rsso-secret ENC 7F2xgXUZhFZy8ftOdrMKUOcKM+PkpVtQKLOSq/Y+ZXhF/nxHxQ5vpPkWjSWCNjU1mYlmCE3wvq669m0CDRGXcjmI+LQJfFzgOSrLKp0Nj0JoWhYZx4exvHdTtPtGHnEEbP/J4IqEfmp9iy67Pa7DANPKqvHPVjUtLK/WJyVWHUhx3LAlabSCt4RLhCbPw8gOz2IM2g==
set rsso-endpoint-attribute User-Name
unset rsso-endpoint-block-attribute
set sso-attribute Class
set sso-attribute-key ''
set sso-attribute-value-override enable
set rsso-context-timeout 0
set rsso-log-period 0
set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
set rsso-flush-ip-session enable
set rsso-ep-one-ip-only disable
next
edit "SX-PDC-NPS"
set server "172.28.0.2"
set secret ENC WU1zO9b7gBv1Eze7i4yArfwD4ftxVOHGmE2IDPnvu6IR9hDB7zkq65OggyATom2aiW4FxKDjyjtkF4UO9qGMX3Zs8cUe2xf4HFtv1IE+pUp5mxw+LKttk9yqJ9cykjS8WBHjr6wZJZzPf1/uS34UREpTaRJ1TCr7UZC0QF7pHuwnf5q1O1OGuLTY9L0QVx2DUpL4tA==
set timeout 5
set all-usergroup disable
set use-management-vdom disable
set nas-ip 0.0.0.0
set acct-interim-interval 0
set radius-coa disable
set radius-port 0
set h3c-compatibility disable
set auth-type ms_chap_v2
set source-ip "172.28.0.1"
set username-case-sensitive disable
set password-renewal disable
set password-encoding auto
set acct-all-servers disable
set rsso disable
set secondary-server ''
set secondary-secret ENC bR2WvK3csvWyFKJZAtFqrJPkY82dSZveu3aKwh7Nsh+Cx912beeYtQdAS99e//f2XQOK9NYXYUySeT4TON0OX4IftCFCx9i96nObJltoP4vwSXf8V4adfQeKXeB+/kdKIXR9BaT1zPuevl/oBjU2E/IOJCm7F7Q1azYOAxwaQI13RsuUOPANCT8caPBXFA5YsvPzHQ==
set tertiary-server ''
set tertiary-secret ENC 3LzjxhujJf8LYeuATnavoiN6A6TVRuKoWuiqrTnL1tJt8/puONxO3Kjk03nPQyhGXSDc7ZVelmjLNBn4p6iCG/TjB862VUPC+6Mml+Er3wFW3TnNNk2BIRrhs4JwgN+nZV9NbnjetSmh/hy8aEShEND+hGd17c2xNAPNoJoktyKsiYiFpa9+ixWHlt3tAfKY3pR9QQ==
config accounting-server
edit 1
set status enable
set server "172.28.0.2"
set secret ENC EWEwH7IRfwfwMCL9A8cliDGKMD2ehapSNGu54tSz1wybLY3m0UwgToPXQdcrkrdqMKpF2ZFx0zWlT41mIDK1MTQmKodB/wLKJVa2WseOndKF6sIs3+olxn/Pes1HukiyRE5K/D3QGEnokcOSqBRqqWXAljiR81BmRR8qgqQv/vHtA38gu08ZF+IopJq127pjVcUj3w==
set port 0
set source-ip "172.28.0.1"
next
end
next
end
edit "STUDENT-RSSO"
set group-type rsso
set authtimeout 0
set sso-attribute-value "WiFiStudents"
next
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok, after a long fight and study I have made progress. I can already see FGT users authenticated by radius from NPS, but without a user group. Even though I have a group created and set correctly Class on Network Policy on NPS- see screenshot
Received radius accounting eventvd 0:root Add/Update auth logon for IP 192.168.222.53 for user xxx.xxx
DB 0 insert [ep='xxx.xxx' pg='˘l ' ip='192.168.222.53/32'] success
Received radius accounting eventvd 0:root Add/Update auth logon for IP 192.168.222.53 for user xxx.xxx
DB 0 insert [ep='xxx.xxx' pg='˘u ' ip='192.168.222.56/32'] success
Does anyone know what can be wrong?
Thank you!
Jirka
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sigmasoftcz wrote:ok, after a long fight and study I have made progress. I can already see FGT users authenticated by radius from NPS, but without a user group. Even though I have a group created and set correctly Class on Network Policy on NPS- see screenshot
Received radius accounting eventvd 0:root Add/Update auth logon for IP 192.168.222.53 for user xxx.xxx
DB 0 insert [ep='xxx.xxx' pg='˘l ' ip='192.168.222.53/32'] success
Received radius accounting eventvd 0:root Add/Update auth logon for IP 192.168.222.53 for user xxx.xxx
DB 0 insert [ep='xxx.xxx' pg='˘u ' ip='192.168.222.56/32'] successDoes anyone know what can be wrong?
Thank you!
Jirka
Hello Jirka
Did you solve this?
I am having the same problem, I can see Aruba's Radius users but not the groups they belong.
Is it a sort of bug?
Thank you
Rafa
config user radius edit "Clearpass" set rsso enable set rsso-endpoint-attribute User-Name set sso-attribute Filter-Id set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block next end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,731 -
FortiClient
1,772 -
5.2
801 -
FortiManager
734 -
5.4
639 -
FortiAnalyzer
562 -
FortiSwitch
476 -
FortiAP
473 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
320 -
6.2
251 -
SSL-VPN
248 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1731 | |
| 1099 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.