Using RSSO usernames in policies
Hi everyone,
At the moment I'm trying to get RSSO working. We have MS NPS, so no passing groups to the firewall :\ but based on running auth list the Fortinet does "know" which user is connected to an IP address.
firewall-01 # diagnose firewall auth list
x.x.x.x, user@domain.com type: rsso, id: 0, duration: 801, idled: 801 flag(10): radius server: root packets: in 0 out 0, bytes: in 0 out 0
My problem is translating this into something I can use in policies. I tried creating RADIUS users and adding them to policies, however this does not work. I tried using an LDAP group containing the same usernames that the Fortinet "sees" through RSSO, but this also did not work: every time I try to generate traffic that would trigger this policy I end up on a Fortinet captive portal page where I need to log in again.
What am I missing?
Thanks!
Technical detail I left out:
- We're trying this with FortiOS 7 (it's a new location so while the place is in "beta" we can also try stuff)
Created on 05-11-2021 09:44 AM
Bump? No-one here uses RSSO?
Created on 05-11-2021 10:15 AM
Based on the updated docs for 7.0.0, it seems to me that RSSO only allows the creation of "groups" based on the presence of an attribute in the RADIUS accounting packet, which can then be used in policies, while it is not actually possible to directly do anything with the usernames learnt through RSSO.
Given that not all RADIUS servers seem to allow adding properties like group membership to the accounting packets being forwarded, this would seem to be a missing feature.
Created on 07-26-2021 02:23 PM
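An added example, not code from this thread or from Fortinet: a small Python parser for RADIUS Accounting-Request packets (RFC 2866) that first checks the Request Authenticator against the shared secret and then reports what an RSSO agent could learn from the packet, i.e. the user-to-IP mapping and, only if present, a group attribute that a policy could reference. It assumes the group attribute is Class (25), which I believe is the FortiOS default for `set sso-attribute`; pass another `group_attr` if your configuration differs. The shared secret, the user, the 10.0.0.5 address and the MAC in `sample_start` are constructed values. Run over a capture of what NPS actually forwards, it shows whether the accounting feed carries any group attribute at all before time is spent on policies.

```python
import hashlib
import ipaddress
import struct

# RFC 2866 Accounting-Request: code 4, identifier, length, 16-byte authenticator, then AVPs.
CODE_ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CLASS = 25              # assumed RSSO group attribute (FortiOS default sso-attribute)
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

# Constructed shared secret for the sample packets below; not a real deployment value.
SECRET = b"constructed-shared-secret"


def _avp(attr_type, value):
    """Encode one attribute-value pair: type, total length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret, identifier, attrs):
    """Build an Accounting-Request whose Request Authenticator follows RFC 2866 section 3:
    MD5(Code + ID + Length + 16 zero octets + attributes + shared secret)."""
    body = b"".join(_avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Validate framing and the Request Authenticator, then return attributes keyed by type.
    Raises ValueError for anything an accounting listener should silently drop."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCOUNTING_REQUEST:
        raise ValueError(f"code {code} is not Accounting-Request")
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("bad Request Authenticator: wrong shared secret or modified packet")
    attrs = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(attr_type, []).append(body[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def rsso_view(packet, secret, group_attr=ATTR_CLASS):
    """Summarise what an RSSO agent could learn: the user-to-IP mapping always, and
    policy-usable groups only if the configured group attribute is actually present."""
    attrs = parse_accounting_request(packet, secret)
    user = attrs.get(ATTR_USER_NAME, [b""])[0].decode("utf-8", "replace")
    ip_raw = attrs.get(ATTR_FRAMED_IP_ADDRESS, [None])[0]
    ip = str(ipaddress.IPv4Address(ip_raw)) if ip_raw and len(ip_raw) == 4 else None
    status_raw = attrs.get(ATTR_ACCT_STATUS_TYPE, [None])[0]
    status = None
    if status_raw and len(status_raw) == 4:
        status = ACCT_STATUS.get(struct.unpack("!I", status_raw)[0])
    groups = [v.decode("utf-8", "replace") for v in attrs.get(group_attr, [])]
    return {
        "user": user,
        "ip": ip,
        "status": status,
        "groups": groups,
        # Without a group attribute the mapping exists but nothing can be referenced in a policy.
        "policy_usable": bool(groups),
    }


def sample_start(with_class):
    """Constructed Accounting-Start for user@domain.com from 10.0.0.5 (sample values, not real)."""
    attrs = [
        (ATTR_USER_NAME, b"user@domain.com"),
        (ATTR_FRAMED_IP_ADDRESS, bytes([10, 0, 0, 5])),
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    ]
    if with_class:
        attrs.append((ATTR_CLASS, b"VPN-Users"))
    return build_accounting_request(SECRET, 7, attrs)


if __name__ == "__main__":
    for flag in (True, False):
        print(rsso_view(sample_start(flag), SECRET))
```

The authenticator check is there on purpose: RSSO trusts whatever the accounting feed says about which user sits behind which IP, so a listener that accepts packets without verifying the shared secret would let any host on that path assert a mapping. The two sample packets show the difference the thread is about: both yield the same user and IP, but only the one carrying Class produces something a policy can refer to.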
Just a minor update - based on our contact with Fortinet support it seems that indeed it is not possible to use the username that was learned through RSSO at this time.
I hope that maybe they'll add this feature at some point in the future.
