Support Forum
Bennoide
New Contributor

RSSO from clearpass to Fortigate firewall

Hi Everyone,

 

I have a client who has an Aruba wireless solution. We have configured ClearPass to send RADIUS accounting to the FortiGate firewall for BYOD wireless users, and I do see the RADIUS info on the firewall (the user's wireless username and IP address). However, the users do not match any of the RSSO firewall groups I have created.

 

Herewith the config:

 

    edit "RSSO_Agent_CPPM"
        set timeout 5
        set radius-coa disable
        set h3c-compatibility disable
        set username-case-sensitive disable
        set password-renewal disable
        set password-encoding auto
        set rsso enable
        set rsso-radius-server-port 1813
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret ENC 3NiaXtXYFFMccGnSky0v0BS9dbwputkWWIz4yNvMQ/MdOtpZ0hSv8Dpwx5pMs/pBtltGOA5VJL79wtaHU0TvzYHT1PDk9fDqMlHIcgstlVnoJGvkle+HKA6Pnuv5upMT6i3U/KEDMGPlBiYqp0BypUOIiB6tZsfQ/33ZDCTtw5YnkbKB8kQnKvcETyEwoXkM1CmRWQ==
        set rsso-endpoint-attribute User-Name
        unset rsso-endpoint-block-attribute
        set sso-attribute Filter-Id
        set sso-attribute-key ''
        set sso-attribute-value-override enable
        set rsso-context-timeout 28800
        set rsso-log-period 0
        set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
        set rsso-flush-ip-session disable
        set rsso-ep-one-ip-only disable
    next
end
config user group
    edit "RSSO-SG-FG-AdvancedAuthenticated" <---
        set group-type rsso
        set authtimeout 0
        set sso-attribute-value "SG-FG-ADVANCEDAUTHENTICATED"
    next
    edit "RSSO-SG-FG-ExcoAuthenticated" <---
        set group-type rsso
        set authtimeout 0
        set sso-attribute-value "SG-FG-EXCOAUTHENTICATED"
    next
end
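The config above ties three things together: the accounting packet must pass the shared-secret check (rsso-validate-request-secret), the endpoint is taken from User-Name (rsso-endpoint-attribute), and group membership comes from Filter-Id (sso-attribute) compared against each group's sso-attribute-value. The script below is an added illustration of that matching logic, not FortiGate code or anything from the original post: it builds a constructed Accounting-Request with a valid Request Authenticator (RFC 2866), validates it the way the RSSO agent would, and resolves the Filter-Id values against the two groups from the post. The shared secret, usernames and IPs are constructed placeholders, and the comparison is an exact string match, which is the assumption this example makes about how the FortiGate compares sso-attribute-value (confirm against the docs for your firmware version).

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS attribute types used here (RFC 2865 / RFC 2866)
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
FILTER_ID = 11
ACCT_STATUS_TYPE = 40
ACCOUNTING_REQUEST = 4  # packet code

# Constructed placeholder; the poster's real secret is only shown encrypted (ENC ...)
SHARED_SECRET = b"constructed-shared-secret"

# RSSO groups exactly as configured in the post: group name -> sso-attribute-value
RSSO_GROUPS = {
    "RSSO-SG-FG-AdvancedAuthenticated": "SG-FG-ADVANCEDAUTHENTICATED",
    "RSSO-SG-FG-ExcoAuthenticated": "SG-FG-EXCOAUTHENTICATED",
}


def _attr(atype, value):
    """Encode one RADIUS attribute as Type / Length / Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_accounting_request(identifier, username, ip, filter_ids, secret=SHARED_SECRET):
    """Build an Accounting-Request (Start) with a valid Request Authenticator.

    RFC 2866 s.3: Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret).
    """
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)
    attrs += _attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))  # 1 = Start
    for fid in filter_ids:
        attrs += _attr(FILTER_ID, fid.encode())
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(payload):
    """Return a list of (type, value) pairs; reject malformed lengths instead of looping."""
    out = []
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((atype, payload[i + 2:i + alen]))
        i += alen
    return out


def process_accounting_request(packet, groups=RSSO_GROUPS, secret=SHARED_SECRET):
    """Mimic the RSSO agent: check the secret, pick endpoint and IP, map Filter-Id to groups."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    # Equivalent of 'set rsso-validate-request-secret enable': recompute the authenticator
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch: wrong shared secret")

    result = {"user": None, "ip": None, "filter_ids": [], "groups": []}
    for atype, value in parse_attributes(packet[20:]):
        if atype == USER_NAME:            # rsso-endpoint-attribute User-Name
            result["user"] = value.decode()
        elif atype == FRAMED_IP_ADDRESS:
            result["ip"] = str(ipaddress.IPv4Address(value))
        elif atype == FILTER_ID:          # sso-attribute Filter-Id (may appear more than once)
            result["filter_ids"].append(value.decode())

    # A group matches only when some Filter-Id equals its sso-attribute-value exactly
    # (assumed exact, case-sensitive comparison for this example).
    for name, wanted in groups.items():
        if wanted in result["filter_ids"]:
            result["groups"].append(name)
    return result


if __name__ == "__main__":
    ok = build_accounting_request(7, "alice", "10.0.0.5", ["SG-FG-ADVANCEDAUTHENTICATED"])
    print(process_accounting_request(ok))
    # Same group name in a different case: seen on the firewall, but matches no group
    off = build_accounting_request(8, "bob", "10.0.0.6", ["sg-fg-advancedauthenticated"])
    print(process_accounting_request(off))
```

The second case is the symptom in the post: the user and IP are extracted from User-Name and Framed-IP-Address (so they show up on the firewall), yet the groups list is empty because the Filter-Id that ClearPass sends does not equal any configured sso-attribute-value. Comparing the raw Filter-Id values in the accounting packets against the sso-attribute-value strings, character for character, is the first thing to check.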

1 REPLY
owla
New Contributor

Did you check "Firewall User Monitor"? You should see for users, under "Method", "Radius Single-Sign-On", and, importantly, under "User Group" the names of your Radius groups. We had an issue: we just didn't see the "User Group" names. We downgraded firmware (to 6.2.2) and RSSO was fine; after upgrading back (to 6.2.3) we still had successfully detected RSSO user groups. Now we are using 6.2.4 and RSSO works fine.
