Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II



Hello All, all I've an issue related to configuring third-party access point with radius server MS NPS, to authenticate through the FortiGate firewall by RSSO, I've followed all instructions and guides however, when I try to log in using the NT credentials the logs shows that the traffic is matching in the implicit deny policy and didn't match on RSSO user group policy however the same name is created on FortiGate user groups and on the NPS policy,

Does anyone know how to deal with this issue?



Who's the source of the RADIUS accounting packets, and who's the intended recipient?

It seems like it's one and the same FortiGate, which seem superfluous. (might as well just deal with authorization via simple RADIUS groups based on group memberships received in Access-Accept)


Apart from the above, check the auth table shortly after the user logs in (diag fire auth list), pay attention to whether the RSSO-type session is there at all, and which group it matched to, if any.

There's also live debug for RSSO, "diag debug app radiusd -1".

[ corrections always welcome ]

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors