Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Fabio
Contributor

WiFi with WSSO using Windows NPS and user groups

Hello Guys,

I deployed two SSID in  WPA2 Enterprise architecture with authentication on Windows Radius ( NPS ) as the link below and everything works ( https://docs.fortinet.com/document/fortiap/6.4.0/fortiwifi-and-fortiap-cookbook/414919/wifi-with-wss...

To differentiate groups on Windows AD I followed this guide ( https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/710485/restricting-radius-us... )

Radius wifi user 2.jpg


The FW sees the connected users as Wifi Single-Sign On  Radius wifi user 1.jpg


is it possible to group some account in different firewall policies ?

I have tried creating Radius type users on the FGT but it does not work.

Do you know if there is a way?

 

 

Thank you very much

 

Fabio
Fabio
1 Solution
pminarik

(sorry about the late reply)

Not exactly.

With WSSO, the matched string sent from NPS is compared to the name of the group in your FortiGate (what you have in "RADIUS_WiFi_???"), and the group must be completely empty in the config. (no reference to any RADIUS server)

 

WSSO does not use the "Remote server" + "group name" options.

 

WSSO group matching logicWSSO group matching logic

 

[ corrections always welcome ]

View solution in original post

7 REPLIES 7
pminarik
Staff
Staff

Hi Fabio,

 

Can you please clarify what you mean by "grouping accounts"? I'm not too sure what you mean by that. An example of what you're trying to achieve would help.

 

As for targetting individual users (re: "I have tried creating Radius type users"), please note that WSSO-style authentication only works with groups. It is not possible for it to target individual users. (unless you specifically create "personal groups" for users and advertise those in the Fortinet-Group-Name VSA sent by the NPS)

[ corrections always welcome ]
Fabio
Contributor

Hi pminarik,

In the group that I entered for authentication under the SSID and which calls up through the Fortinet-Group-Name VSA parameter the specific group in Windows Ad, there are all the accounts in the company, both managers and workers.
I would like to treat the two groups under different firewall policy in order to assign them specific permissions.

I didn't know it only works with groups, okay, but what kind of type group should it be ? Radius, ldap, local.. Should I indicate the path where the Group is located in the Active Directory ? 

Radius wifi user 3.jpg

Fabio
Fabio
pminarik

Hi Fabio,

WSSO groups are handled in an unusual way - you simply need an empty firewall-type group which does not link to or reference anything. The matching will be done purely based on the exact name of the group (must match the Fortinet-Group-Name string received).

 

Here's an old but good article which describes it - https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/640488/wifi-with-wsso-using-windows-nps-...

The group creation in FortiOS is described in step 5.

[ corrections always welcome ]
Fabio
Contributor

Maybe I understand.

I have to create two group that mapping two group in Windows AD tagged with VSA parameter ad hoc and this two fortinet group empty in two different firewall policy . Is it correct ?

Like this but X 2

Radius wifi user 2.jpg

Radius wifi user 4.jpg

where the tag NTL match the same in the FW group; one for Manager and another for WORK .

Both inside the SSID and then in the policy

Fabio
Fabio
pminarik

(sorry about the late reply)

Not exactly.

With WSSO, the matched string sent from NPS is compared to the name of the group in your FortiGate (what you have in "RADIUS_WiFi_???"), and the group must be completely empty in the config. (no reference to any RADIUS server)

 

WSSO does not use the "Remote server" + "group name" options.

 

WSSO group matching logicWSSO group matching logic

 

[ corrections always welcome ]
Fabio
Contributor

YES WORKS :)

in the SSID only the RADIUS and in the User Groups only the name that match the VSA parameter in Windows NPS, as the guide ..

( Here's an old but good article which describes it - https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/640488/wifi-with-wsso-using-windows-nps-...

The group creation in FortiOS is described in step 5. )

Of course in the NPS you have to create two or more Network Policy to match the Groups you want set in differents Firewall policy in FGT.

 

Thank you so Much

 

Fabio

Fabio
Fabio
Fabio
Contributor

Radius wifi user 5.jpgthis is the two user in different groups in windows AD

Fabio
Fabio
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors