Comments on Technical: 2.2 Networking series - Fortigate RSSO
Blogger comment feed, last updated 2022-07-16T02:55:03-04:00
Blog author: sashkashurik (http://www.blogger.com/profile/04594731381634427632)
10 comments, shown oldest first.

Anonymous, 2013-03-27T13:19:43-04:00

Were you able to make use of the RSSO feature at all? My organization just paid for an 8 hour block of Fortinet Professional Services to set up RSSO. They haven't been able to get it to function.

sashkashurik (https://www.blogger.com/profile/04594731381634427632), 2013-03-27T17:30:02-04:00

Short answer: NO
Long answer: We were able to configure our Fortigate unit so that it can receive and properly interpret the records sent by our Radius server. However, authentication and everything related to it never worked and never will (at least for us with the current design). As I have mentioned in my previous posts, RSSO is not compatible with FSSO.

However, it depends on what you are trying to do. Can you give me more info?

Anonymous (https://www.blogger.com/profile/07183394301110066888), 2013-07-25T11:42:07-04:00

Hi,

I have been playing with getting RSSO to work for wireless clients, and I believe I understand why it doesn't work at the moment. From the documentation itself:

For RADIUS SSO to work, FortiOS needs to know the user's endpoint identifier (usually IP address) and RADIUS user group. There are default RADIUS attributes where FortiOS expects this information, but you can change these attributes in the config user radius CLI command.

The problem here is that RADIUS is not used to assign an IP address, only to authenticate the user to access the network. While you can change the RADIUS attribute used to resolve the IP, it's no help because the IP is assigned by DHCP, which RADIUS has no visibility of. This results in the error:

RADIUS protocol error: parse error: Carrier Endpoint

Looking at the RADIUS messages, the client IP is never included in them at all.

It would only work in scenarios where RADIUS was being used to assign an IP address, such as PPP requests.

I can make a guess as to what the single use scenario this was designed for. A large ISP in the UK will be using Fortigate for filtering their DSL users. This would be useful for them, as the PPP connection request could then be resolved to an IP and they can apply filtering based on DSL username. This becomes even more likely based on the recent UK legislation on "opt-in" to adult content.

The only way this could work for wireless as far as I can see would be to use RADIUS to obtain the client MAC address and then use the DHCP database to resolve this to an IP; this would require the Fortigate to be the DHCP server, or use the local ARP table to resolve MACs to IPs.

Hope this makes sense.

sashkashurik (https://www.blogger.com/profile/04594731381634427632), 2013-08-03T22:16:03-04:00

Hi,

My Radius implementation (Aerohive), the same as the one from MS, does send IPs and is IP aware. I have sniffed the ports on the Fortigate and have confirmed that the acc. packet contains the IPs. Similarly, the log on the Fortigate was showing the IPs and the MACs properly.

Finally, note that Fortigate has confirmed a successful implementation of pure Radius authentication with MS Radius.

Leonardo (https://www.blogger.com/profile/15371639287396573851), 2013-08-19T13:47:11-04:00

Hi,
just a simple question:

the rsso-endpoint-attribute, according to the guide, should be an IP Address; by default it points to calling-station-id, which in my case (MS-RADIUS) is the MAC address of the calling station.

Is my setup still working, or do I need to put in place something to retrieve the IP Address from the client, for instance Framed-IP-Address, by setting this on my fortigate:

set rsso-endpoint-attribute Framed-IP-Address

Best, L.

sashkashurik (https://www.blogger.com/profile/04594731381634427632), 2013-08-19T20:42:34-04:00

At the time I tested the system (a few revisions ago), Fortigate did not care about the content of the rsso-endpoint-attribute. As far as I can tell, it simply does a string match. Therefore, IP or MAC does not matter. I have tested both MAC and IP and as far as the RSSO user table goes both have worked.
That being said, I have never tested this setup in a full blown working environment.

Leonardo (https://www.blogger.com/profile/15371639287396573851), 2013-08-21T12:28:40-04:00

If you are right, how is the Fortigate able, once a packet flows, to correlate that particular packet with the class attribute in the accounting message it received previously from my Radius?

Does it have some sort of algorithmic intelligence to discern between various fields in the IP packet?

L.

sashkashurik (https://www.blogger.com/profile/04594731381634427632), 2013-08-21T21:55:02-04:00

You are partially correct. If you plan to use RSSO as the only authentication method you do need to set the rsso-endpoint-attribute to IP address.
Note: As far as I was told 6 months ago by Fortinet support, there are no plans to implement MAC address based flow control for the firewall or any other related component.
In our case, we were interested in a combination of FSSO and RSSO for quota management only. At that stage Fortinet support said that we have to change the rsso-endpoint-attribute to User-Name. This gave us a proper and clean RSSO table with all logged in users. However, I do not remember the exact format of that table (if IPs were there or not). I will need to run a test and see.
In general, I find that RSSO is not well understood by the support team at Fortinet, so I can share only the info I have and hope that it will help someone.

Leonardo (https://www.blogger.com/profile/15371639287396573851), 2013-08-22T07:00:43-04:00

Thank you for your reply.
In fact, what I am planning is to use RSSO together with 802.1x port authentication, so when people authenticate with my radius I am able, via the accounting message, to tell the fortigate who my groups are (via the class attribute) and then subsequently write policy based on the RSSO authenticated group.

Anonymous (https://www.blogger.com/profile/05166171750235230263), 2014-10-01T05:20:18-04:00

How did you get on with this?