RADIUS Single Sign-On (RSSO)
When a user is connected to the LAN and is successfully authenticated by Active Directory, the DC's security event log can be polled for logon events, and this information is sent to the FortiGate to record the IP address, username and group information associated with that event. Users may have a static IP, or a DHCP server may assign the IP address. If the device is a laptop, for example, the authentication request is most of the time made over the Ethernet interface (the default setting). What happens when the user disconnects from the wired connection? The FortiGate does not know the IP address of the laptop's wireless interface, so the user is no longer authenticated to the firewall. The user may have to sign out and sign back in to make the authentication request from the wireless IP.
This is where RSSO comes into the picture. RSSO relies on the RADIUS server that authenticates the wireless (802.1X) request, which reports that authentication to the FortiGate via RADIUS Accounting. We will discuss this in more detail in a bit. Typically, RSSO is the solution when a third-party AP is used, but nothing prevents the administrator from using it with FortiAP as well.
AUTHENTICATION FLOW:
1. RSSO Accounting Listener which listens on port 1813 for accounting packets
2. Radius Accounting and Fortigate Radius Server
3. Configuring RSSO user group
4. Configuring WiFi SSID
5. Configuring NPS (Windows server 2019) for authentication and authorization
RSSO Accounting Listener which listens on port 1813 for accounting packets
1. Log in to the FortiGate, click Security Fabric > Fabric Connectors > Create New, and select "Radius Single Sign-On Agent"
2. Enable "Use RADIUS Shared Secret" and provide the shared secret configured in the NPS
3. Enable "Send RADIUS Responses" and click OK
4. Connect to the CLI and add the configuration shown above to the "RSSO Agent"
Please note that FortiAP uses the attribute "User-Name" to identify the user. Please refer to the other vendor's documentation for the corresponding attribute in their accounting packets.
"rsso-context-timeout" can be used to clear the authentication after 'x' seconds (when set to 0, it never times out)
Radius Accounting and Fortigate Radius Server
1. Create a RADIUS server on the FortiGate and enable "Radius Accounting" on the interface connecting to the NPS.
2. From the CLI, add the configuration shown above to send accounting packets for any connection that uses this server.
3. Accounting packets will now be sent to port 1813 of the RADIUS server
Configuring RSSO user group
1. From User & Device > User Group, click Create New
2. Provide a name for the group and select "Radius Single Sign-On(RSSO)"
3. Enter the "Radius Attribute Value" for this group. This is the value that the NPS should send to the FortiGate (sent in HEX); the FortiGate uses this value to map the user to the correct group and identity policy.
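To make the accounting listener and the group mapping concrete, here is an added example (it is not code from the page, from Fortinet or from Microsoft): a minimal decoder for the RADIUS Accounting-Request packets (RFC 2866) that an RSSO listener receives on UDP/1813. It checks the Request Authenticator against the shared secret (the check that "Use RADIUS Shared Secret" enables), extracts User-Name, Framed-IP-Address and Acct-Status-Type, and maps the group from the hex form of an attribute value the way the user-group section above describes. The use of the Class attribute as the group-carrying attribute, the shared secret, the group names and the packet contents are all constructed for the example.

```python
# Added example, not code from the page, Fortinet or Microsoft: a minimal RADIUS
# Accounting-Request (RFC 2866) decoder of the kind an RSSO listener runs on
# UDP/1813, plus the hex "Radius Attribute Value" group mapping described above.
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4        # RADIUS Code of an Accounting-Request
ATTR_USER_NAME = 1            # the endpoint attribute the page says FortiAP sends
ATTR_FRAMED_IP_ADDRESS = 8    # client IP that RSSO records against the user
ATTR_CLASS = 25               # assumed group-carrying attribute returned by NPS
ATTR_ACCT_STATUS_TYPE = 40    # 1 = Start, 2 = Stop, 3 = Interim-Update
ACCT_START, ACCT_STOP = 1, 2

# Placeholder; in practice it must match the NPS and the RSSO agent setting.
SHARED_SECRET = b"constructed-shared-secret"

# Group table keyed by the hex form of the Class value, the way the page says the
# "Radius Attribute Value" is entered on the FortiGate (values constructed here).
RSSO_GROUPS = {
    "5749464955534552": "wifi-users",     # "WIFIUSER".encode().hex()
    "5749464941444d494e": "wifi-admins",  # "WIFIADMIN".encode().hex()
}


def encode_attrs(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS AVPs: type, length, value."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def build_accounting_request(ident, attrs, secret=SHARED_SECRET):
    """Constructed sample packet. Request Authenticator per RFC 2866 section 3:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def parse_attrs(body):
    """Walk the AVP list, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def parse_accounting_request(packet, secret=SHARED_SECRET):
    """Check the authenticator (what 'Use RADIUS Shared Secret' enforces) and
    extract the fields RSSO needs. Raises ValueError for packets to be dropped."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not an Accounting-Request or length mismatch")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("request authenticator mismatch (shared secret?)")
    fields = {"id": ident}
    for atype, value in parse_attrs(packet[20:]):
        if atype == ATTR_USER_NAME:
            fields["user"] = value.decode("utf-8", "replace")
        elif atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            fields["ip"] = str(ipaddress.IPv4Address(value))
        elif atype == ATTR_CLASS:
            fields["class_hex"] = value.hex()
        elif atype == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            fields["status"] = struct.unpack("!I", value)[0]
    return fields


class RssoSessionTable:
    """IP -> (user, group). Start/Interim create or refresh an entry, Stop clears it.
    An unknown Class value maps to group None, so no RSSO group policy would match."""

    def __init__(self, groups=RSSO_GROUPS):
        self.groups, self.sessions = groups, {}

    def handle(self, packet, secret=SHARED_SECRET):
        fields = parse_accounting_request(packet, secret)
        ip, user = fields.get("ip"), fields.get("user")
        if ip is None or user is None:
            return None  # nothing to record without both endpoint name and address
        if fields.get("status") == ACCT_STOP:
            self.sessions.pop(ip, None)
            return None
        entry = (user, self.groups.get(fields.get("class_hex")))
        self.sessions[ip] = entry
        return entry
```

Two things to notice: a packet built with a different shared secret fails the authenticator check and is dropped before any attribute is read, which is why the secret on the NPS and on the RSSO agent must match; and an Accounting-Stop removes the IP-to-user entry, which is the accounting-driven counterpart of the "rsso-context-timeout" expiry mentioned earlier.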
Configuring WiFi SSID
1. Click WiFi & Switch Controller > SSID > Create New SSID
2. Provide a name for the interface, set the IP/Netmask and enable the DHCP server
3. Enter the name for the SSID and select "WPA2 Enterprise"
4. For authentication, select "Radius Server", choose the RADIUS server created earlier in this article and click OK
Before proceeding with the NPS configuration, I would like to explain a bit about Protected EAP. Protected EAP with MS-CHAPv2 is an EAP type that is more easily deployed than EAP-TLS or PEAP-TLS, because user authentication is accomplished with password-based credentials (an AD username and password) instead of digital certificates or smart cards. Only the servers running NPS are required to have a certificate (we will see this in the NPS configuration). The administrator can choose not to use "Server Validation" in the wireless properties on the end user's PC; however, that is not recommended. When "Server Validation" is enabled, NPS presents its certificate to the client, and the client, after examining the certificate, has to trust it. The certificate used by NPS can be issued by a public CA or by the private root CA deployed in the network.
Configuring NPS (Windows server 2019) for authentication and authorization
The goal here is to authenticate the user, return the correct attribute based on the user's group membership, and forward the RADIUS Accounting packets to the FortiGate for RSSO.
1. Make sure the NPS service is started and registered in Active Directory
2. Right-click "Radius Clients", select New and populate the fields: Friendly Name, Address (FortiGate IP) and Shared Secret, which must match the FortiGate RADIUS server/RSSO agent configuration
3. Right-click "Remote RADIUS Server", select "New", enter the group name and click "Add"
4. Use the IP address of the FortiGate interface that was configured to listen for "Radius Accounting" in the previous step
5. Navigate to the "Authentication/Accounting" tab:
a. Uncheck "Use the same shared secret for the authentication and accounting"
b. Enter the shared secret configured on the FortiGate for the RADIUS server/RSSO Agent and click OK
Configuring Connection Request Policy
3. Click "Add" and select a condition. Adding "Client IPv4 Address" binds this connection request policy to the network policy in the next step. Provide the IP address of the FortiGate, click "OK" and then "Add"
4. The next step is to Specify Connection Request Forwarding. For Authentication, leave the default (Authenticate requests on this server). Click Accounting, check "Forward accounting requests to this remote RADIUS server group" and then select the remote RADIUS server group created earlier. Click Next.
5. Leave Specify Access Permission at the default (Access Granted) and click Next
6. The next few steps are important because this is where the NPS certificate is linked. On the Configure Authentication Methods page:
a. Select Add and click "Protected EAP (PEAP)"
b. Click PEAP, click Edit, and select the certificate that the server should use to prove its identity to the client.