Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
daniel_goymer
New Contributor

RSSO using NPS

Hello

I'm trying to set up RSSO using an NPS server. Our wireless APs are already working and authenticating successfully. We want to ensure users on the wireless network do not need to authenticate to browse the Internet. (We already use FSSO for domain-joined machines.)

I've set up the accounting settings and verified the FortiGate and NPS server are communicating. The issue I have is with NPS accounting and Classes.

Our Network Policy dictates which users are able to connect to the wireless network, though from what I can tell the Class needs to be sent for the Connection Request Policies. In NPS the Connection Request Policies do not allow you to pick user groups.

Has anyone successfully used NPS to authenticate different user groups and therefore ensure different user policies are enabled for Internet browsing based on the user group?

Is this a limitation of NPS that cannot be overcome, and should we therefore use FortiAuthenticator or some other RADIUS server?

Thank you in advance for any help.

Regards

Daniel

Jeff_FTNT
Staff

An NPS server cannot send RADIUS Accounting packets to a device that did not send out an "Access-Request". For RSSO, you may need to find a RADIUS server that can send Accounting to any device. Thanks.

Jim_FH
New Contributor III

Hi Daniel:

I'm looking into doing this same thing, I think. Our NPS servers authenticate (or not) users via a "Network Policy" based on membership of an AD group when asked by our wireless controller, which then sends the accounting info to the RSSO agent on the FortiGate with the RADIUS class "unrestricted" (which is how we were directed to configure it by FortiTAC).

It seems to work fine, but like you, we are restricted to one RSSO FortiGate policy, and are not able to put different users in different groups for different Web Filtering profiles, etc.

I haven't tested yet, but I'm going to try creating another "Network Policy" with a different RADIUS class value (other than 'unrestricted'), and then create another RSSO single sign-on user group that references that other RADIUS class, and see where that gets me.

Not really an answer to your question, but maybe you've tried this and have some tips.

-James
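Added example, not from this thread or from Fortinet: a small Python sketch of the accounting-side logic James describes, building constructed RADIUS Accounting-Request packets and mapping the Class attribute to an RSSO group the way separate Network Policies stamping different Class values would. The class-to-group table, user names and addresses are assumptions made up for the demonstration.

```python
import struct
from typing import Dict, Tuple

# RADIUS attribute types and codes from RFC 2865 / RFC 2866.
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS = 1, 8, 25, 40
ACCT_START, ACCT_STOP = 1, 2
ACCOUNTING_REQUEST = 4

# Hypothetical mapping of RADIUS Class value -> RSSO group. Each NPS Network
# Policy would set one of these values; an unknown Class matches no group.
CLASS_TO_GROUP = {b"unrestricted": "RSSO_Unrestricted", b"students": "RSSO_Students"}

def build_acct_request(user: str, ip: str, cls: bytes, status: int, ident: int = 1) -> bytes:
    """Construct a minimal Accounting-Request (sample data, not captured traffic)."""
    attrs = b""
    for t, v in ((USER_NAME, user.encode()),
                 (FRAMED_IP, bytes(int(o) for o in ip.split("."))),
                 (CLASS, cls),
                 (ACCT_STATUS, struct.pack("!I", status))):
        attrs += struct.pack("!BB", t, len(v) + 2) + v
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # Authenticator left zeroed: the shared-secret MD5 check is out of scope here.
    return header + bytes(16) + attrs

def parse_attrs(pkt: bytes) -> Dict[int, bytes]:
    """Parse the attribute TLVs of an Accounting-Request into a type -> value dict."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return attrs

def apply_accounting(sessions: Dict[str, Tuple[str, str]], pkt: bytes) -> Dict[str, Tuple[str, str]]:
    """Update an IP -> (user, group) table on Start/Stop, as an RSSO agent would."""
    a = parse_attrs(pkt)
    ip = ".".join(str(b) for b in a[FRAMED_IP])
    status = struct.unpack("!I", a[ACCT_STATUS])[0]
    if status == ACCT_STOP:
        sessions.pop(ip, None)           # Stop: the address no longer carries a user
    elif status == ACCT_START:
        group = CLASS_TO_GROUP.get(a.get(CLASS, b""))
        if group is not None:            # no known Class: no group, so no policy match
            sessions[ip] = (a[USER_NAME].decode(), group)
    return sessions
```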
