RSSO authentication

Author
Jirka
2018/09/16 13:42:59

RSSO authentication

Hello everyone,

We have set up a basic Wi-Fi network (UniFi) which authenticates against a Windows 2016R2 RADIUS server.
All is working fine.
The problem we are having is that the FortiGate firewall is not seeing the usernames and therefore is not pulling them into the correct rule set. Since users authenticate to Wi-Fi using NPS on Win2016, FSSO does not detect them on the FGT.
Is it possible to get the FGT to detect which user is authenticated by the RADIUS server?
I tried this: https://cookbook.fortinet.com/ssl-vpn-radius-authentication/, unsuccessfully. But I do not know if it is right for this workaround.
 
Thank you.
 
Jirka
 
 
#1


    neonbit
    Re: RSSO authentication 2018/09/16 20:29:18
    The RSSO RADIUS implementation would be different from the SSL VPN one.
     
    There's a document that goes through integrating with NPS and RSSO here: https://docs.fortinet.com/uploaded/files/2345/fortios-radius-single-sign-nps-523.pdf
     
    It's for an older version of FortiOS but should still be good.
    #2
    xsilver_FTNT
    Re: RSSO authentication 2018/09/17 00:24:28
    Hi,
    If a user logon does not create an event on Windows AD, or auditing of such events is disabled, then FSSO will see nothing.
    So to make FSSO work, make sure your DCs audit logon events (at least successful logons).
     
    Alternative approaches are:
    - WSSO: if the FortiGate is the controller, then it is able to remember logons
    - RSSO: make NPS send RADIUS Accounting to the FortiGate and set up the RSSO agent and groups
     
    Choose one of those 3 methods. I would not suggest combining them.

    Kind Regards,
    Tomas
    #3
    Jirka
    Re: RSSO authentication 2018/09/17 06:47:40
    Hi Tomas,

    I tried to follow the recommendations of user "neonbit"; unfortunately it does not work.
    NPS on Win2016R2 is set up according to the screenshot. The RADIUS connection test is successful; user authentication is not.
     
    FGT81-xxxxxx (radius) # show full-configuration 
    config user radius
        edit "RSSO Agent"
            set timeout 5
            set radius-coa disable
            set h3c-compatibility disable
            set username-case-sensitive disable
            set password-renewal disable
            set password-encoding auto
            set acct-all-servers disable
            set rsso enable
            set rsso-radius-server-port 1813
            set rsso-radius-response enable
            set rsso-validate-request-secret enable
            set rsso-secret ENC S6LV+Oa2bXI7dBOywvWPudKiGwjLeldiyg2F+RDcecYyBjwY37PRGr3Vd54TierR6QRiiv1SI//ZsiguS7fy8MVftt6wa/FC6ubmM6lfkg5mehZAhhVgXwoF6qO1e80srOIRTZ4SYwkzBJcEDr/bRT7MoSZ2roT9sBzbl/pH5SpsDHQhMqZhRLAaIGrPTvlnQ6q5Qw==
            set rsso-endpoint-attribute User-Name
            unset rsso-endpoint-block-attribute
            set sso-attribute Class
            set sso-attribute-key ''
            set sso-attribute-value-override enable
            set rsso-context-timeout 28800
            set rsso-log-period 0
            set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
            set rsso-flush-ip-session disable
            set rsso-ep-one-ip-only disable
        next
        edit "RSSO-PDC"
            set server "172.28.0.2"
            set secret ENC zuxEeGMjKCmXCawpxSsYr0Bj2VZqt6V2z4p0enb2ZWkywD1HGw9mYTo5LbaoBU69R2LRreaFsfD+AmgRatUV3GLJqy3B8dG98gSqqMQr2dVoLDMhSQ1MOY03BaG1HKncvULLPHxHrxuvvEJUJgIziRzSFHf3jIBDqD7LH93NWDbBc+CGmC189MTqaK3WmGR8QcMlNw==
            set timeout 5
            set all-usergroup disable
            set use-management-vdom disable
            set nas-ip 0.0.0.0
            set acct-interim-interval 0
            set radius-coa disable
            set radius-port 0
            set h3c-compatibility disable
            set auth-type ms_chap_v2
            set source-ip ''
            set username-case-sensitive disable
            set password-renewal disable
            set password-encoding auto
            set acct-all-servers disable
            set rsso disable
            set secondary-server ''
            set secondary-secret ENC UNS8CrDt5nu6R/sl3hlzD8AtmR3cXmK4+J227CTfE+n391rr+7kIfU0C0Ilruu0hQMWtcFlqb+rHDgZq9nc+L6H6gh6MPZOqY0QrA4uz4Hfeu/ns3ql6BS/TNJ90qgZOwOr1/Czv+ZBdPj7cwVITf+qceCWKOfvNdT9ML4XC5mbMsVZ6mo0t2p3i42epi9QCOe7o/w==
            set tertiary-server ''
            set tertiary-secret ENC StUafpxxLJRs/bGUvcqvJKFZpvBHZhLHeDt1JPZLHEK5Ge84QBJ01ucugwHyOj432O6j295xw65OXf58y+7bNOi3zQCdW23AtFDVo4WAo5Wi3Rtc240R7+Wr0AB2qDOWZuStnpPpWZ1jn9oSurzY66DBkx3qiXK7Z017k3gj/WIMkaEKTgFfT7eQL4IAW6DXvHPnKA==
            config accounting-server
                edit 1
                    set status enable
                    set server "172.28.0.2"
                    set secret ENC WZ/ACTtaQEnzmTMj1CJWVMa6OKIM4MxCivB1BApM1r+9zZxuPxdz8HVKHn+tZpkIyVaGUoEnLaRhNxJ+PDq6rTxT3s1sRLy7XW2Ky3ZE61L6Ri/6RiGylrVzREn2+5LjAyk5urCuxurykVHqvQkuFI1WJ+RTecjWc7V2RL0F3qERTalnATCu+WAVPJ1JAmOc/HCt9Q==
                    set port 0
                    set source-ip ''
                next
            end
        next
    end
     
    FGT81-xxxxxx # diag test application radiusd 3
    No RADIUS server database [vd root]
     
     

     
     
    #4
    neonbit
    Re: RSSO authentication 2018/09/17 08:02:08
    Can you take a packet capture of the RADIUS traffic between the FortiGate and the RADIUS server to see which RADIUS attributes are being sent to the FortiGate when a user logs in?
    #5
    Jirka
    Re: RSSO authentication 2018/09/17 09:58:40
    Hi,

    Right now I do not have the opportunity to be on site and capture the traffic in Wireshark. This is traffic generated by "Test User Credentials" on the FortiGate, but it ends up failing :( To be clear, I do not need to verify anything on the FGT, I just need the FGT to see the users logged in through NPS. Auditing on Win2016 is enabled and I see logs of all logins through NPS.
     
    FGT81-xxxx# diag sniffer packet any 'port 1812 or 1813' 4 500 
    interfaces=[any]
    filters=[port 1812 or 1813]
    4.887916 VLAN28 out 172.28.0.1.10438 -> 172.28.0.2.1812: udp 67
    4.887933 port2 out 172.28.0.1.10438 -> 172.28.0.2.1812: udp 67
    4.890612 VLAN28 in 172.28.0.2.1812 -> 172.28.0.1.10438: udp 20
    5.604139 VLAN28 out 172.28.0.1.7897 -> 172.28.0.2.1812: udp 67
    5.604161 port2 out 172.28.0.1.7897 -> 172.28.0.2.1812: udp 67
    5.607070 VLAN28 in 172.28.0.2.1812 -> 172.28.0.1.7897: udp 20

     
     
     
    #6
    Jirka
    Re: RSSO authentication 2018/09/17 12:07:04
    Okay.
    I have now tried to set everything up again, exactly according to these instructions: https://docs.fortinet.com/uploaded/files/2716/fortios-rsso-with-win-server-2012-and-nps.pdf.
    I'm intrigued by the "sso-attribute-key" parameter: should it not be the "Attribute Information" value (I have "WiFiStudents" set on the NPS)? This parameter
    I do not understand how to properly validate and debug it. When I enter the "diag firewall auth list" command, I see only the FSSO logins in the list, but I see users logged in to the NPS in the log.
     
    Thanks, Jirka
     

    FGT81-xxxx (radius) # show full-configuration
    config user radius
        edit "RSSO/Agent"
            set timeout 5
            set radius-coa disable
            set h3c-compatibility disable
            set username-case-sensitive disable
            set password-renewal disable
            set password-encoding auto
            set acct-all-servers disable
            set rsso enable
            set rsso-radius-server-port 1813
            set rsso-radius-response enable
            set rsso-validate-request-secret enable
            set rsso-secret ENC 7F2xgXUZhFZy8ftOdrMKUOcKM+PkpVtQKLOSq/Y+ZXhF/nxHxQ5vpPkWjSWCNjU1mYlmCE3wvq669m0CDRGXcjmI+LQJfFzgOSrLKp0Nj0JoWhYZx4exvHdTtPtGHnEEbP/J4IqEfmp9iy67Pa7DANPKqvHPVjUtLK/WJyVWHUhx3LAlabSCt4RLhCbPw8gOz2IM2g==
            set rsso-endpoint-attribute User-Name
            unset rsso-endpoint-block-attribute
            set sso-attribute Class
            set sso-attribute-key ''
            set sso-attribute-value-override enable
            set rsso-context-timeout 0
            set rsso-log-period 0
            set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
            set rsso-flush-ip-session enable
            set rsso-ep-one-ip-only disable
        next
        edit "SX-PDC-NPS"
            set server "172.28.0.2"
            set secret ENC WU1zO9b7gBv1Eze7i4yArfwD4ftxVOHGmE2IDPnvu6IR9hDB7zkq65OggyATom2aiW4FxKDjyjtkF4UO9qGMX3Zs8cUe2xf4HFtv1IE+pUp5mxw+LKttk9yqJ9cykjS8WBHjr6wZJZzPf1/uS34UREpTaRJ1TCr7UZC0QF7pHuwnf5q1O1OGuLTY9L0QVx2DUpL4tA==
            set timeout 5
            set all-usergroup disable
            set use-management-vdom disable
            set nas-ip 0.0.0.0
            set acct-interim-interval 0
            set radius-coa disable
            set radius-port 0
            set h3c-compatibility disable
            set auth-type ms_chap_v2
            set source-ip "172.28.0.1"
            set username-case-sensitive disable
            set password-renewal disable
            set password-encoding auto
            set acct-all-servers disable
            set rsso disable
            set secondary-server ''
            set secondary-secret ENC bR2WvK3csvWyFKJZAtFqrJPkY82dSZveu3aKwh7Nsh+Cx912beeYtQdAS99e//f2XQOK9NYXYUySeT4TON0OX4IftCFCx9i96nObJltoP4vwSXf8V4adfQeKXeB+/kdKIXR9BaT1zPuevl/oBjU2E/IOJCm7F7Q1azYOAxwaQI13RsuUOPANCT8caPBXFA5YsvPzHQ==
            set tertiary-server ''
            set tertiary-secret ENC 3LzjxhujJf8LYeuATnavoiN6A6TVRuKoWuiqrTnL1tJt8/puONxO3Kjk03nPQyhGXSDc7ZVelmjLNBn4p6iCG/TjB862VUPC+6Mml+Er3wFW3TnNNk2BIRrhs4JwgN+nZV9NbnjetSmh/hy8aEShEND+hGd17c2xNAPNoJoktyKsiYiFpa9+ixWHlt3tAfKY3pR9QQ==
            config accounting-server
                edit 1
                    set status enable
                    set server "172.28.0.2"
                    set secret ENC EWEwH7IRfwfwMCL9A8cliDGKMD2ehapSNGu54tSz1wybLY3m0UwgToPXQdcrkrdqMKpF2ZFx0zWlT41mIDK1MTQmKodB/wLKJVa2WseOndKF6sIs3+olxn/Pes1HukiyRE5K/D3QGEnokcOSqBRqqWXAljiR81BmRR8qgqQv/vHtA38gu08ZF+IopJq127pjVcUj3w==
                    set port 0
                    set source-ip "172.28.0.1"
                next
            end
        next
    end
     
     
     
    config user group
        edit "STUDENT-RSSO"
            set group-type rsso
            set authtimeout 0
            set sso-attribute-value "WiFiStudents"
        next
    end
     


    #7
    Jirka
    Re: RSSO authentication 2018/09/20 16:13:55
    OK, after a long fight and study I have made progress. I can already see on the FGT the users authenticated by RADIUS from NPS, but without a user group, even though I have a group created and the Class set correctly on the Network Policy on NPS - see screenshot.
     
    Received radius accounting eventvd 0:root Add/Update auth logon for IP 192.168.222.53 for user xxx.xxx
    DB 0 insert [ep='xxx.xxx' pg='˘l ' ip='192.168.222.53/32'] success
    Received radius accounting eventvd 0:root Add/Update auth logon for IP 192.168.222.53 for user xxx.xxx
    DB 0 insert [ep='xxx.xxx' pg='˘u ' ip='192.168.222.56/32'] success


    Does anyone know what can be wrong?
     
    Thank you!
    Jirka

    #8
    rafiki
    Re: RSSO authentication 2019/02/22 05:36:47
    sigmasoftcz wrote:
    OK, after a long fight and study I have made progress. I can already see on the FGT the users authenticated by RADIUS from NPS, but without a user group, even though I have a group created and the Class set correctly on the Network Policy on NPS - see screenshot.
     
    Received radius accounting eventvd 0:root Add/Update auth logon for IP 192.168.222.53 for user xxx.xxx
    DB 0 insert [ep='xxx.xxx' pg='˘l ' ip='192.168.222.53/32'] success
    Received radius accounting eventvd 0:root Add/Update auth logon for IP 192.168.222.53 for user xxx.xxx
    DB 0 insert [ep='xxx.xxx' pg='˘u ' ip='192.168.222.56/32'] success


    Does anyone know what can be wrong?
     
    Thank you!
    Jirka




    Hello Jirka,
     
    Did you solve this?
     
    I am having the same problem: I can see Aruba's RADIUS users but not the groups they belong to.
     
    Is it some sort of bug?
     
    Thank you
    Rafa
     
    config user radius
        edit "Clearpass"
            set rsso enable
            set rsso-endpoint-attribute User-Name
            set sso-attribute Filter-Id
            set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block
        next
    end
     
     
    #9
    Jirka
    Re: RSSO authentication 2019/02/22 05:50:52
    Hi rafiki,


    Yes, the problem was that I had to add an attribute named "Class" on the NPS and specify the exact name of the group that was created on the FGT - see the screenshot.
    Jirka
     


    #10
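An added example, not code from this thread, Fortinet or Microsoft, covering the RSSO path Tomas outlines in #3 (the RADIUS server sends Accounting to the FortiGate, which maps an SSO attribute to a user group) and the Class-to-group matching Jirka describes in #10. It builds an RFC 2866 Accounting-Start the way a NAS or NPS would, performs the Request Authenticator check that `rsso-validate-request-secret enable` stands for, answers with an Accounting-Response as the FortiGate does with `rsso-radius-response enable`, and then extracts user, IP and group the way an RSSO agent would. The shared secret, user name, IP, session id, the opaque Class bytes and the group mapping are constructed values, and `send_accounting` only talks to a collector you point it at.

```python
# Added example (not code from this thread, Fortinet or Microsoft): RFC 2866 RADIUS
# Accounting packets built, validated and decoded, plus RSSO-style group matching.
# Secret, user, IP, session id and group names below are constructed, not real values.
import hashlib, hmac, ipaddress, socket, struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5                        # RADIUS codes (RFC 2866)
ACCT_START, ACCT_STOP = 1, 2                              # Acct-Status-Type values
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Filter-Id": 11, "Class": 25,
        "Acct-Status-Type": 40, "Acct-Session-Id": 44}
ATTR_NAME = {v: k for k, v in ATTR.items()}

def encode_attr(name, value):
    """One TLV: type (1 byte), length (1 byte, header included), value (<= 253 bytes)."""
    if name == "Framed-IP-Address":
        data = ipaddress.IPv4Address(value).packed
    elif name == "Acct-Status-Type":
        data = struct.pack("!I", value)
    else:
        data = value if isinstance(value, bytes) else value.encode()
    if len(data) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", ATTR[name], len(data) + 2) + data

def build_acct_request(secret, identifier, attrs):
    """NAS side. Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)."""
    body = b"".join(encode_attr(n, v) for n, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_radius(packet):
    """Return (code, identifier, authenticator, [(name, raw_value), ...]); rejects bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        alen = packet[pos + 1]
        attrs.append((ATTR_NAME.get(packet[pos], packet[pos]), packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def validate_acct_request(packet, secret):
    """The check behind `rsso-validate-request-secret enable`: recompute the Request
    Authenticator with our copy of the secret; a mismatch means wrong secret or tampering."""
    code, _, auth, _ = parse_radius(packet)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return code == ACCT_REQUEST and hmac.compare_digest(auth, expected)

def build_acct_response(request, secret):
    """Server side (what `rsso-radius-response enable` turns on): same ID, no attributes,
    Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Secret)."""
    _, ident, req_auth, _ = parse_radius(request)
    header = struct.pack("!BBH", ACCT_RESPONSE, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def validate_acct_response(response, request, secret):
    """NAS side: accept only a response to our request that was signed with the shared secret."""
    code, ident, auth, _ = parse_radius(response)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code == ACCT_RESPONSE and ident == request[1] and hmac.compare_digest(auth, expected)

def rsso_logon(packet, groups, sso_attribute="Class"):
    """What an RSSO agent takes from an Accounting-Start: endpoint (User-Name), IP, and the
    user group whose sso-attribute-value equals the SSO attribute (byte for byte here).
    RFC 2865 lets an attribute repeat, so every instance is inspected; values that are not
    printable ASCII are shown as hex so an opaque, server-generated Class stands out."""
    _, _, _, attrs = parse_radius(packet)
    values = dict(attrs)
    if struct.unpack("!I", values["Acct-Status-Type"])[0] != ACCT_START:
        return None                                       # only Start creates a logon
    seen, group = [], None
    for name, raw in attrs:
        if name == sso_attribute:
            text = raw.decode("ascii") if all(32 <= b < 127 for b in raw) else "0x" + raw.hex()
            seen.append(text)
            group = group or groups.get(text)
    ip = str(ipaddress.IPv4Address(values["Framed-IP-Address"]))
    return {"user": values["User-Name"].decode(), "ip": ip, "group": group, "sso_values": seen}

def send_accounting(packet, server, secret, port=1813, timeout=3.0):
    """Send one Accounting-Request over UDP; True for a valid Accounting-Response, None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return validate_acct_response(response, packet, secret)

# Constructed sample (assumed values): an Accounting-Start with an opaque Class the server
# added for session tracking plus the human-readable Class configured for group mapping.
SECRET = b"example-shared-secret"
GROUPS = {"WiFiStudents": "STUDENT-RSSO"}                 # sso-attribute-value -> user group
SAMPLE_START = build_acct_request(SECRET, 7, [
    ("Acct-Status-Type", ACCT_START), ("User-Name", "jirka"),
    ("Framed-IP-Address", "192.168.222.53"), ("Acct-Session-Id", "0001"),
    ("Class", bytes.fromhex("0218a1ff")), ("Class", "WiFiStudents")])
```

Calling `send_accounting(SAMPLE_START, "<fortigate-ip>", SECRET)` against a FortiGate with the RSSO agent configured gives a quick yes/no on whether the secret and port are right before NPS is involved, and the thread's `diag test application radiusd 3` is where to look for the resulting entry. `rsso_logon` lists every Class value it saw, as hex when the bytes are not printable, which is the first thing to compare against the user group's `sso-attribute-value` when a logon shows up with no group.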
    rafiki
    Re: RSSO authentication 2019/02/25 01:15:42
    Thanks Jirka,
     
    I have the same config as you, but the groups are still missing.
    I can see the usernames but not the groups.
     
    Best regards
    Rafa
     
     
     