RodrigoAndrade

FortiAuthenticator RSSO with 802.1x and FortiGate

Regards,

I'm trying to create user authentication using the wired network. At the moment, I can get a person to connect to my switch and receive a box to authenticate themselves, and depending on their user group, they will enter VLAN X or VLAN Y. This is working.

My major issue is passing this information from FortiAuthenticator to FortiGate. Does anyone have any suggestions? I tried to do it through the RADIUS Accounting Proxy, but since I can't use the FAC as the source, I'm not succeeding (I'm trying to use the switch IP as the source, enabling the accounting proxy at the switch, and the FGT as the destination in my accounting proxy destination).

When I sniff on the FortiGate at port 1813, I don't see anything besides the switch sending the accounting to the FAC, so my problem is between the FAC and the FGT.

Markus_M

Hi Rodrigo,

If you have a FortiGate then I would suggest using RSSO on FortiAuthenticator and FSSO on the FortiGate. The FortiAuthenticator can "translate" RSSO to FSSO. It reads RSSO with the respective values to create user and IP info and forwards this to FortiGate via regular FSSO.

https://community.fortinet.com/t5/FortiAuthenticator/Solution-Guide-Fortinet-Solutions-RSSO-RADIUS-S...

Best regards,

Markus

RodrigoAndrade

Hello Markus,

Thanks for taking your time to reply!

I've seen this before, but in this case it's using another RADIUS server to authenticate the user, and then the FAC can accounting-proxy this information by setting the RADIUS server IP as the proxy source. In my case, I can't have this RADIUS server, because the user authentication is already done by the FortiAuthenticator.

Markus_M

Hi Rodrigo,

Sorry I don't follow. Are you using FortiAuthenticator or another server for authentication?

In case of another server, you can send accounting to the FAC and FortiAuthenticator can do this as FSSO.

In case of FAC, you have to see whether the RADIUS client can do likewise and send accounting to FortiAuthenticator for FSSO. FAC itself does not do accounting to itself. It can do a dirty trick and send syslog messages to 127.0.0.1 and evaluate these as FSSO, though.

Best regards,

Markus

ebilcari

RADIUS authentication and accounting will not interfere with each other; they can be on the same server or on different servers. You just have to configure the switch (NAS) to send accounting directly to the FAC. On the FAC you have to create a client entry for this switch with a source IP and the shared secret, and select the attributes you want to extract:

[screenshot: sso acc.PNG]

and check whether the SSO session is created with Source "Radius Accounting":

[screenshot: accounting.PNG]

- Emirjon
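The exchange that Markus's RSSO-to-FSSO suggestion and Emirjon's answer both rely on is a RADIUS Accounting-Request sent by the switch (NAS) to the FAC on UDP 1813, which the FAC validates with the client's shared secret and then mines for the user, IP and group attributes it turns into an SSO session. The following is an added example, not code from the thread or from Fortinet, that builds an Accounting-Start packet the way a NAS would and then does the receiving side's work: it checks the RFC 2866 Request Authenticator against the shared secret and extracts the SSO-relevant attributes. The shared secret, user name, addresses, session ID and the choice of the Class attribute as the group carrier are all constructed assumptions for the demonstration; a real FAC client entry lets you pick which attributes to use.

```python
import hashlib
import hmac
import ipaddress
import socket
import struct

# Constructed values for this example (assumptions, not taken from the thread).
SHARED_SECRET = b"example-shared-secret"
NAS_IP = "192.0.2.10"          # the switch's source IP, as entered in the FAC client entry
FAC_IP = "192.0.2.20"          # FortiAuthenticator, accounting listener on UDP 1813

# RADIUS codes and attribute types from RFC 2865 / RFC 2866.
CODE_ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CLASS = 25               # assumed here to carry the group name
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1
ACCT_STATUS_STOP = 2


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Attribute-Value Pair: type, total length (value + 2), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(ident: int, attrs, secret: bytes) -> bytes:
    """Build an Accounting-Request as a NAS would (RFC 2866 section 3).

    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret).
    """
    body = b"".join(_avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """The receiver's check: recompute the Request Authenticator with the client's secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes):
    """Walk the AVP list after the 20-byte header, rejecting malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def extract_sso_session(packet: bytes, secret: bytes):
    """Return the user/IP/group/status a RADIUS-SSO consumer needs, or None if untrusted/incomplete."""
    if not verify_accounting_request(packet, secret):
        return None
    fields = {}
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_USER_NAME:
            fields["user"] = value.decode("utf-8", "replace")
        elif attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            fields["ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == ATTR_CLASS:
            fields["group"] = value.decode("utf-8", "replace")
        elif attr_type == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            fields["status"] = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_ACCT_SESSION_ID:
            fields["session"] = value.decode("utf-8", "replace")
    # Without a user, an IP and a status there is nothing to map to an FSSO logon/logoff.
    if {"user", "ip", "status"} - fields.keys():
        return None
    return fields


def build_sample_start(ident: int = 7) -> bytes:
    """Constructed Accounting-Start for a user the switch placed in VLAN X (assumed values)."""
    attrs = [
        (ATTR_USER_NAME, b"rodrigo"),
        (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(NAS_IP).packed),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.10.1.25").packed),
        (ATTR_CLASS, b"VLAN-X-users"),
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
        (ATTR_ACCT_SESSION_ID, b"8A00000F"),
    ]
    return build_accounting_request(ident, attrs, SHARED_SECRET)


def send_accounting(packet: bytes, host: str = FAC_IP, port: int = 1813) -> None:
    """Fire the packet at the accounting listener (not executed in the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (host, port))


if __name__ == "__main__":
    pkt = build_sample_start()
    print("valid with correct secret:", verify_accounting_request(pkt, SHARED_SECRET))
    print("valid with wrong secret:  ", verify_accounting_request(pkt, b"wrong"))
    print("SSO session fields:", extract_sso_session(pkt, SHARED_SECRET))
```

Two practical checks fall out of this: if the FAC client entry's source IP does not match the NAS-IP the switch actually sends from, or the shared secret differs, the authenticator check fails and no SSO session appears, which is what a capture showing traffic only between the switch and the FAC looks like from the outside; and the Acct-Status-Type of 2 (Stop) is what lets the FAC age the session out and push the FSSO logoff.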