How to set this up correctly. Fortigate, NPS and Cisco Wireless

Author: jamacouve
2017/08/29 05:48:31

Hi Guys,
 
So the above are the devices I need to set up. This was working before but some changes were made and I can't seem to get it right.
 
So the wireless device speaks to the Cisco AP, which then speaks to the Cisco WLC. That has 802.1X configured and speaks to NPS to authenticate the user. This is working perfectly and the user can connect.
 
Now the part that I am struggling with... How do I set up RSSO on the Fortigate so I can see the users in the logs? I have tried doing some googling, but a lot of what I find relates to FortiAPs and RSSO, and that is a bit different.
 
Any help will be greatly appreciated.
#1

9 Replies

    bandersen_FTNT
    Re: How to set this up correctly. Fortigate, NPS and Cisco Wireless 2017/08/29 06:50:23
    Hi
     
    in short:
    On NPS you need to enable RADIUS accounting to be sent to the FGT.
    Also on NPS you need to add the Class attribute, as this value is used by the FGT to map users into RSSO groups.
    Then enable the radius-accounting listener on the FGT interface.
    On the FGT, under User & Device:
    Create the RSSO single sign-on, create the RSSO agent.
    Create the user group definition to be an RSSO group.
    Edit your RADIUS settings in the FGT CLI:
    1.
    fw (RSSO Agent) # set rsso-endpoint-attribute User-Name
     
    Sorry, that was a very brief version; let me know if this points you in the right direction?
     
    /Brian
    #2
    xsilver_FTNT
    Re: How to set this up correctly. Fortigate, NPS and Cisco Wireless 2017/08/29 07:56:21
    in short, follow the cookbook http://cookbook.fortinet.com/rsso-wifi-access-control/
    and from step "5. Configure the RADIUS server" on, set NPS to allow your AP (instead of a FortiAP) to authenticate towards AD (probably done) and also to send RADIUS accounting to the FortiGate unit whenever a user authenticates via the policy.
    In step 8, section "Select RADIUS Attributes", pay attention to the AVP sent from NPS to the FortiGate with the user group membership. This AVP (by default 'Class', but configurable in the CLI as 'rsso-attribute') has to match the FortiGate's rsso-attribute, and its value has to match the FortiGate's group config 'RADIUS Attribute Value' (CLI: user group <X> / sso-attribute-value).
    post edited by xsilver_FTNT - 2017/08/29 07:58:29

    Kind Regards,
    Tomas
    #3
    jamacouve
    Re: How to set this up correctly. Fortigate, NPS and Cisco Wireless 2017/08/30 22:39:09
    Thanks, man. So it seems I just had to change one small thing.
     
    I was sending accounting from the WLC directly to the Forti. I changed it to send accounting to NPS, and NPS to the Forti, and this seemed to fix it.
    #4
    xsilver_FTNT
    Re: How to set this up correctly. Fortigate, NPS and Cisco Wireless 2017/08/30 23:56:21
    If there is anything else generating complete accounting requests (Start/Stop/Interim), like the Wireless LAN Controller (WLC), then you can send that data to the FortiGate (FGT) from such a source directly.
    I usually do not tend to trust NAS endpoints, so my approach is to generate accounting on the RADIUS server, i.e. the server which did the authentication and has an idea about the user.
    But the final design is up to you.
     
    The only things the FGT needs in RSSO (a complete accounting request) are
    - the username (endpoint)
    - Framed-IP-Address (to know the authenticated source IP, as in the end, for the firewall, it is source traffic authentication)
    - and some group match attribute (sso-attribute and its value, by default the Class AVP).
     
    If there is anything missing on the RADIUS server, like Framed-IP-Address, which is granted by DHCP, requested by the WLC, and assigned to the user post-authentication, then the RADIUS server (NPS) might not know the IP, and therefore it is better to send accounting from the (hopefully secured and trusted) WLC, which does have the IP address from DHCP (as it has to assign the IP during association between the end station and the SSID on some AP).
     
    There are multiple ways to design that whole SSO.

    Kind Regards,
    Tomas
    #5
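The three things this reply says the FortiGate needs from the accounting stream (an endpoint attribute, Framed-IP-Address, and a group attribute such as Class), and the shared-secret check a listener performs on the Request Authenticator, as an added Python example. This is not code from the thread or from Fortinet; the NAS address, shared secret, username, session ID and Class value are constructed for the demo, and `rsso_view` is a model of the decision the replies describe, not FortiOS's own implementation. It builds an RFC 2866 Accounting-Start the way NPS or a WLC would, then shows what happens when the secret is wrong and when Framed-IP-Address is missing (the case discussed above where NPS does not know the DHCP-assigned IP).

```python
"""Added example: build and check a RADIUS Accounting-Request (RFC 2866)
carrying the attributes the thread says FortiGate RSSO needs.
All names, addresses and the secret below are constructed for the demo."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code for Accounting-Request

# Attribute type numbers from RFC 2865/2866 used in this example
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
CLASS, CALLED_STATION_ID, CALLING_STATION_ID = 25, 30, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value. Ints become
    32-bit big-endian, IPv4 addresses 4 octets, strings UTF-8."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, ipaddress.IPv4Address):
        value = value.packed
    elif isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(secret, identifier, attributes):
    """Serialise an Accounting-Request. Per RFC 2866 the Request
    Authenticator is MD5(Code + ID + Length + 16 zero octets +
    attributes + shared secret); that is what a listener recomputes
    when it validates the shared secret on incoming accounting."""
    body = b"".join(_avp(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(packet):
    """Return {type: [raw value, ...]} after basic length sanity checks."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs


def rsso_view(packet, secret, endpoint_attr=USER_NAME, group_attr=CLASS):
    """Model (not FortiOS code) of the RSSO decision described in the
    thread: the secret must verify, and the packet must carry the
    endpoint attribute, Framed-IP-Address and the group attribute.
    Returns ok=True with the extracted fields, or ok=False and a reason."""
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        return {"ok": False, "reason": "Request Authenticator does not verify"}
    attrs = parse_attributes(packet)
    for needed, name in ((endpoint_attr, "endpoint attribute"),
                         (FRAMED_IP_ADDRESS, "Framed-IP-Address"),
                         (group_attr, "group attribute")):
        if needed not in attrs:
            return {"ok": False, "reason": "missing " + name}
    status = struct.unpack("!I", attrs.get(ACCT_STATUS_TYPE, [bytes(4)])[0])[0]
    return {
        "ok": True,
        "user": attrs[endpoint_attr][0].decode(errors="replace"),
        "ip": str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS][0])),
        "groups": [g.decode(errors="replace") for g in attrs[group_attr]],
        "status": ACCT_STATUS.get(status, "unknown"),
    }


SECRET = b"demo-shared-secret"  # constructed for the demo, not a real secret


def demo_start(include_ip=True):
    """Constructed Accounting-Start as an NPS or WLC might send it.
    The Class value must equal the group's sso-attribute-value."""
    avps = [
        (ACCT_STATUS_TYPE, 1),
        (ACCT_SESSION_ID, "0000a1b2"),
        (USER_NAME, "jdoe"),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address("172.16.44.10")),
        (CALLING_STATION_ID, "00-11-22-33-44-55"),
        (CALLED_STATION_ID, "AA-BB-CC-DD-EE-FF:CorpWifi"),
        (CLASS, "Wireless_Users"),
    ]
    if include_ip:
        avps.append((FRAMED_IP_ADDRESS, ipaddress.IPv4Address("172.16.44.50")))
    return build_accounting_request(SECRET, 7, avps)


if __name__ == "__main__":
    print(rsso_view(demo_start(), SECRET))                   # full mapping
    print(rsso_view(demo_start(include_ip=False), SECRET))   # NPS without IP
    print(rsso_view(demo_start(), b"wrong-secret"))          # secret mismatch
```

Two points worth noting from running it: the authenticator is only an MD5 over the packet and the shared secret, so validating the secret proves the sender knew it but does not encrypt anything, which is why the reply above prefers sourcing accounting from a trusted host on a trusted segment; and a packet that verifies but lacks Framed-IP-Address gives the firewall nothing to key a session on, which is the failure mode the reply describes for NPS.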
    jamacouve
    Re: How to set this up correctly. Fortigate, NPS and Cisco Wireless 2018/03/09 06:00:34
    Hi Guys,
     
    I'm back with this same issue.
     
    Previously I had all the gateways terminating on the core switch, which had a default route up to the Fortigate.
     
    I have moved the L3 up to the Fortigate for more granular control, but now the wireless accounting is not working. (If I specify the user group they do not get internet.)
     
    What I am getting a bit confused with is which interface to send the accounting packets to:
     
    1) the interface for wifi users
    2) the interface used for AP management and how the wireless controller speaks to the AP
    3) the server interface which NPS is on
     
    I hope this makes sense
    #6
    xsilver_FTNT
    Re: How to set this up correctly. Fortigate, NPS and Cisco Wireless 2018/03/09 06:57:02
    Not sure I got your current setup, but if you are sending RADIUS accounting from NPS to the FGT to get RSSO done on the FGT, then you should have one interface through which you can get from the FGT to NPS and back. On this interface, 'set allowaccess' has to contain 'radius-acct' to let incoming accounting packets in.
    + RSSO agent .. basically:
    config user radius
    edit RSSO
    set rsso enable
    end
    config user group
    edit "RSSO"
    set group-type rsso
    set sso-attribute-value "rsso-auth-group"
    next
    end
     
    That is very default and minimalist.
    If RADIUS accounting arrives with Calling-Station-Id (as the user identification) and Class (as the group attribute, which has to match the "rsso-auth-group" set above), then the user will be seen as a member of the RSSO group.
     

    Kind Regards,
    Tomas
    #7
    jamacouve
    Re: How to set this up correctly. Fortigate, NPS and Cisco Wireless 2018/03/11 23:14:37
    Thanks for the reply.
     
    Put this diagram together quickly to show you the physical layout.
     
    https://imgur.com/5rDSgQ9
    #8
    jamacouve
    Re: How to set this up correctly. Fortigate, NPS and Cisco Wireless 2018/03/12 23:07:09
    Here is my config on the Forti:
    config user radius
    edit "RSSO_Agent"
    set rsso enable
    set rsso-radius-response enable
    set rsso-validate-request-secret enable
    set rsso-secret ENC BXiNG0vcXg2UeyOJNYXd1wOtB4nTooBXm8V5ZZEWPSEFWtSWGDCyEuFaKu02cW0IPL8sEqpE0ozoYC0VnDTwlrwhjNuCmdoP3cTrpsl+s4RE1erF7kfHjYeVARsynVT47bVwW3d6nkeLamk4lAmX+PjlocuSXxIPOsq9VsE3cVfTsigRBaJ/gXLwiLwbevv/elUPeA==
    set rsso-endpoint-attribute User-Name
    set rsso-endpoint-block-attribute Called-Station-Id
    set rsso-context-timeout 43200
    next
    end
     
    config user group
    edit "RSSO_Wireless_Users"
    set group-type rsso
    set sso-attribute-value "Wireless_Users"
    next
    end
     
    config firewall policy
    edit 17
    set name "WIFI TO INTERNET"
    set uuid 445819c4-055d-51e5-bcc8-ffabc3471504
    set srcintf "Wireless-Segeme"
    set dstintf "wan1"
    set srcaddr "Wireless Segment"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set utm-status enable
    set logtraffic all
    set rsso enable
    set groups "RSSO_Wireless_Users"
    set comments "28th May 2015"
    set av-profile "default"
    set webfilter-profile "Corp"
    set dlp-sensor "Credit-Card"
    set ips-sensor "default"
    set application-list "Corp"
    set profile-protocol-options "default_Corp_sc"
    set ssl-ssh-profile "certificate-inspection"
    set traffic-shaper "Corp - Guaranteed"
    set traffic-shaper-reverse "Corp - Guaranteed"
    set nat enable
    next
    end
    #9
    jamacouve
    Re: How to set this up correctly. Fortigate, NPS and Cisco Wireless 2018/03/12 23:12:36
    The users are authenticating, so that section is fine.
     
    I have set up a remote RADIUS server group with the FortiGate's Wireless LAN IP (172.16.44.1) and am forwarding accounting there.
     
    #10