RSSO & NPS & Mikrotik

Author: Jirka
2021/05/10 11:21:06 (permalink)

Hello,
I have been struggling with the following RSSO agent problem for a long time...
Mikrotik CAPsMAN access points are connected to a Win2016 NPS via RADIUS, and on the NPS accounting is set to a FGT81F (6.4.5). But I am not able to see an authenticated user on the FGT. I use the same configuration for Ruckus and UniFi access points and everything works great.

Radius server + agent cfg:
config user radius
    edit "RSSO Agent"
        set timeout 5
        set radius-coa disable
        set h3c-compatibility disable
        set username-case-sensitive disable
        unset group-override-attr-type
        set password-renewal enable
        set password-encoding auto
        set acct-all-servers disable
        set switch-controller-acct-fast-framedip-detect 2
        set interface-select-method auto
        unset switch-controller-service-type
        set rsso enable
        set rsso-radius-server-port 1813
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret ENC BWVi8jiNSbWrnfQrsZJV/iwmTJSIoqVCWDBtG4brlDAlxt2+25NbNiYev+G8j7mIpOs8soiVxdry0rK3Dyy+EW04IEDjbg8cv7MO5hH+TiTTJ9T2dTg90Vm8b4OAN1vHGnrUOasd07PGT/yEOjilRttWmGWQRPc3CGT55EHhzmeKQGmSXdprOsy/2MTXH9e9EgYdkg==
        set rsso-endpoint-attribute User-Name
        unset rsso-endpoint-block-attribute
        set sso-attribute Class
        set sso-attribute-key ''
        set sso-attribute-value-override enable
        set rsso-context-timeout 28800
        set rsso-log-period 0
        set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
        set rsso-flush-ip-session disable
        set rsso-ep-one-ip-only disable
    next
    edit "LACO-NPS"
        set server "192.168.77.58"
        set secret ENC y4JiUEHpvYZXATetvTqcEPOAmr+VO0WW9Klu0D/olfxwccW920psD1bj6JDpYyAWxR1MSl4yiYCvCggqTB1//vPLjQ5BlQ9DtCtvNm9TtPcI0ar7gzL1b8qECDQDbolHwOketay9/Ict3I8J3522o776NXo7Wu1V+JV/1gpDbsYNvcSrerBpdcmPKW8AjVm5t4BY+w==
        set timeout 5
        set all-usergroup disable
        set use-management-vdom disable
        set nas-ip 0.0.0.0
        set acct-interim-interval 0
        set radius-coa disable
        set radius-port 0
        set h3c-compatibility disable
        set auth-type ms_chap_v2
        set source-ip ''
        set username-case-sensitive disable
        unset group-override-attr-type
        set password-renewal enable
        set password-encoding auto
        set acct-all-servers disable
        set switch-controller-acct-fast-framedip-detect 2
        set interface-select-method auto
        unset switch-controller-service-type
        set rsso disable
        set secondary-server ''
        set secondary-secret ENC tul7D8V9m8GLwQ6qqwIn4I0fau8BeAu36JiSBk0k2SJc/myfkgVVofPSDaIKpnSMrPz2Iq7kkjG5GMo8HbpMWy38hm5LIK6yX+vfjBEPlxEr+0rPE2KbfVunAhqQ0sTdKZjT5Zh/men96y/UDgErYnUJWMXs+zPgtWCSyO8GUnBTT8+PZYZ56uNaPk4S3tNN69Ut9A==
        set tertiary-server ''
        set tertiary-secret ENC X789ohCg+TCVjCEWBQUk6ykImXYi9aQ2U+wGll27M8NiKu1sRfxiJx7JR5A7w02RcYNIaJpMU9OcJ1gYJJGw/gelqWlcQ7cYNKsi0SiCWXaP16J9c/w5ldlkqGeB2KdafBgivodw9juyQ2xzGO0+/9aXNTLBl8R6ZORHf3PnQZQKU03eeuIGJL7/0LbDxPEvnoqcBw==
    next
end


accounting enabled on the interface

config system interface
    edit "77-xxxxx"
        set vdom "root"
        set ip 192.168.77.1 255.255.255.0
        set allowaccess ping https ssh radius-acct
        set alias "xxxxxxx"
        set device-identification enable
        set role lan
        set snmp-index 29
        set color 15
        set interface "fortilink"
        set vlanid 77
    next
end


group created

config user group
    edit "xxxxxWiFi"
        set group-type rsso
        set authtimeout 0
        set sso-attribute-value "WiFi"
    next
end


If I look at the packets arriving on the FGT, I see that the data in the User-Name attribute is missing in the Class AVP.

Frame 56: 239 bytes on wire (1912 bits), 239 bytes captured (1912 bits)
Ethernet II, Src: VMware_74:40:f5 (00:0c:29:74:40:f5), Dst: Fortinet_2e:25:66 (d4:76:a0:2e:25:66)
Internet Protocol Version 4, Src: 192.168.77.58, Dst: 192.168.77.1
User Datagram Protocol, Src Port: 60238, Dst Port: 1813
RADIUS Protocol
Code: Accounting-Request (4)
Packet identifier: 0x2 (2)
Length: 197
Authenticator: 17c7ebc18c10b58f8f233a07ed4d7a7c
[The response to this request is in frame 57]
Attribute Value Pairs
AVP: t=Service-Type(6) l=6 val=Framed(2)
AVP: t=NAS-Port-Id(87) l=8 val=cap413
AVP: t=NAS-Port-Type(61) l=6 val=Wireless-802.11(19)
AVP: t=User-Name(1) l=2 val=
AVP: t=Class(25) l=7 val=5a65627261
AVP: t=Class(25) l=46 val=667c04ff0000013700010200c0a84d3a00000000000000000000000001d74008712ffe00…
AVP: t=Acct-Session-Id(44) l=10 val=820003c7
AVP: t=Calling-Station-Id(31) l=19 val=6A-3D-89-BF-1B-C3
AVP: t=Called-Station-Id(30) l=28 val=48-8F-5A-29-41-90:CORP_5G
AVP: t=Acct-Authentic(45) l=6 val=RADIUS(1)
AVP: t=Acct-Status-Type(40) l=6 val=Start(1)
AVP: t=NAS-Identifier(32) l=11 val=
AVP: t=Acct-Delay-Time(41) l=6 val=0
AVP: t=NAS-IP-Address(4) l=6 val=192.168.100.2
AVP: t=Proxy-State(33) l=10 val=c0a84d3a00000008


However, with the same NPS settings and using Ruckus or UniFi, this attribute is filled in correctly.
Of course, I tried to play with Vendor Attributes on NPS, but I think that if Mikrotik -> NPS authentication works correctly, all AVPs must be passed to the FGT, right?

Thank you for your help.
Jirka
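An added diagnostic example, not code from the original post nor from Fortinet or MikroTik: it builds an RFC 2866 Accounting-Request that mirrors frame 56 above (empty User-Name, Class "Zebra" from the hex 5a65627261), parses it, verifies the Request Authenticator against the shared secret the way `rsso-validate-request-secret enable` does, and then applies the same mapping the RSSO agent config uses (`rsso-endpoint-attribute User-Name`, `sso-attribute Class`) to report why the packet yields no usable logon. The shared secret is a constructed placeholder, and the rule that an empty endpoint attribute gives the collector nothing to key a user on is my reading of the config, not something confirmed in the thread.

```python
"""Build, parse and sanity-check a RADIUS Accounting-Request as an RSSO collector would.
Constructed example; the packet contents mirror the capture in the post."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, CLASS, ACCT_STATUS_TYPE = 1, 25, 40
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type", 25: "Class",
              31: "Calling-Station-Id", 40: "Acct-Status-Type", 44: "Acct-Session-Id",
              61: "NAS-Port-Type", 87: "NAS-Port-Id"}


def encode_avps(avps):
    """avps: list of (type, bytes). Wire format per RFC 2865: Type(1) Length(1) Value."""
    out = b""
    for t, v in avps:
        if len(v) > 253:
            raise ValueError("AVP value too long")
        out += bytes([t, 2 + len(v)]) + v
    return out


def build_accounting_request(identifier, avps, secret):
    """RFC 2866 section 3: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = encode_avps(avps)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def parse_radius(packet):
    """Parse header and walk the AVP list, rejecting truncated or malformed lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    avps, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed AVP")
        avps.append((t, packet[pos + 2:pos + l]))
        pos += l
    return {"code": code, "id": ident, "authenticator": packet[4:20], "avps": avps}


def verify_request_authenticator(packet, secret):
    """What 'rsso-validate-request-secret enable' checks: recompute the MD5 and compare."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def rsso_endpoint_check(parsed, endpoint_attr=USER_NAME, sso_attr=CLASS):
    """Apply the agent's mapping: endpoint attribute -> user, sso attribute -> group.
    Assumption: an absent or empty endpoint attribute leaves nothing to key a logon on."""
    endpoint = [v for t, v in parsed["avps"] if t == endpoint_attr]
    groups = [v for t, v in parsed["avps"] if t == sso_attr]
    problems = []
    if not endpoint or not endpoint[0]:
        problems.append("endpoint attribute User-Name is absent or empty")
    if not groups:
        problems.append("no Class attribute to match an RSSO group against")
    return {"endpoint": endpoint[0].decode(errors="replace") if endpoint else None,
            "groups": groups, "problems": problems}


# Constructed sample mirroring frame 56: empty User-Name (l=2), Class "Zebra".
SECRET = b"constructed-shared-secret"  # placeholder, not the real rsso-secret
SAMPLE_AVPS = [
    (6, struct.pack("!I", 2)),                   # Service-Type = Framed
    (87, b"cap413"),                              # NAS-Port-Id
    (61, struct.pack("!I", 19)),                 # NAS-Port-Type = Wireless-802.11
    (USER_NAME, b""),                             # User-Name empty, as in the capture
    (CLASS, bytes.fromhex("5a65627261")),         # Class = "Zebra"
    (44, b"820003c7"),                            # Acct-Session-Id
    (31, b"6A-3D-89-BF-1B-C3"),                   # Calling-Station-Id
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),    # Acct-Status-Type = Start
    (4, bytes([192, 168, 100, 2])),              # NAS-IP-Address
]
SAMPLE_PACKET = build_accounting_request(2, SAMPLE_AVPS, SECRET)


def analyse(packet=SAMPLE_PACKET, secret=SECRET):
    """Parse, validate the secret, and run the endpoint/group check in one call."""
    parsed = parse_radius(packet)
    parsed["secret_ok"] = verify_request_authenticator(packet, secret)
    parsed["check"] = rsso_endpoint_check(parsed)
    return parsed


if __name__ == "__main__":
    r = analyse()
    print("code", r["code"], "id", r["id"], "secret ok:", r["secret_ok"])
    for t, v in r["avps"]:
        print(f"  {ATTR_NAMES.get(t, t)} = {v!r}")
    for p in r["check"]["problems"]:
        print("PROBLEM:", p)
```

Run against a real capture by replacing SAMPLE_PACKET with the UDP payload of the Accounting-Request; a False from the authenticator check points at a secret mismatch between NPS and the RSSO agent, while a problem list naming User-Name reproduces the symptom in the post (secret fine, packet accepted, but no endpoint to create a user from).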