RADIUS Accounting for Fortigate RSSO
Hello Community Members,
Does anybody know how I should configure RSA Authentication Manager for RADIUS accounting?
I use RSA tokens for dial-up VPN authentication. I managed to set up the Fortigate VSA on RSA AM so it can give back the "Fortinet-Group-Name" attribute defined in the RADIUS profile to Fortigate. For this reason, authentication works as expected.
To be able to create user-based policies in the firewall, I have to set up RADIUS Single Sign-On (RSSO). It means I have to use RADIUS accounting. I should get back the "Class" or "Fortinet-Group-Name" attribute in accounting messages.
I am attaching a diagram of how RSSO should work regarding Fortinet (Fortinet_RSSO.jpg). I am also attaching some pcap files containing RADIUS accounting messages (RADIUS_acct_request.jpg; RADIUS_acct_response.jpg). As you can see, the RADIUS accounting response message is an acknowledgement only.
Thanks and Best Regards,
RSA implements a limited version of the old Funk/Juniper Steel Belted RADIUS, so we do not do full RADIUS accounting, but you can return group or attribute information to a RADIUS client in two ways:
- Map to AD group. Years ago Frank “the RADIUS guy” Miller mapped User attributes to AD groups. The problem was when RSA does the group lookup, it returned the first AD group found as the RADIUS attribute, which may be functionally useless, because you cannot require that an AD User only belong to a single group. Later versions of AM 7.1 may have simply returned all AD groups. Apparently some Cisco devices may have a way to parse through this group information, so this may work. KB 63481
- Frank then wrote a practical solution that will map a Radius Attribute to a value that equals the user’s Group (though not a dynamic link to an AD group through the Identity Source), and return it in a RADIUS Profile assigned to the RADIUS Client. In effect we are not mapping to Active Directory, we’re simply re-creating the groups we know exist there, and assigning bunches of users to those Profiles. This is done in order to return that group attribute to the Radius Client for every user that logs in on the RADIUS Client. This example uses the existing Standard Radius attribute #25 called Class. See RADIUSProfileReturnsToUserGroup.docx. KB a63480 is the second method.
Have a look at these and see what makes sense, but if you know what information you want RSA to return to Fortigate, this is probably the best approach.
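The exchange both posts are describing, as an added example that is not part of either post and not RSA, Fortinet or Juniper code: a VPN concentrator (the NAS) sends an Accounting-Request Start carrying the user, the assigned IP and the group attribute; the RSSO listener on the Fortigate verifies the RFC 2866 Request Authenticator, maps IP to user and group, and replies with an Accounting-Response that carries no attributes at all, which is why the captured response is only an acknowledgement. It prefers the Fortinet-Group-Name VSA and falls back to the standard Class attribute (#25), which a RADIUS server returns in the Access-Accept and the NAS must then include unchanged in its Accounting-Requests (RFC 2865 section 5.25), so the Class-based profile from the answer can feed RSSO. Assumptions: the shared secret and the Start packet are constructed for the example; vendor ID 12356 and sub-type 1 for Fortinet-Group-Name are taken from Fortinet's RADIUS dictionary; everything runs in memory with no network I/O.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the example; replace with the real RADIUS secret.
SECRET = b"example-shared-secret"

# RADIUS codes and attribute types (RFC 2865 / RFC 2866).
CODE_ACCT_REQUEST, CODE_ACCT_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_CLASS, ATTR_VSA, ATTR_ACCT_STATUS = 1, 8, 25, 26, 40
ACCT_START, ACCT_STOP = 1, 2
FORTINET_VENDOR_ID, FORTINET_GROUP_NAME = 12356, 1   # from Fortinet's RADIUS dictionary


def avp(attr_type, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def fortinet_group_name(name):
    """Encode the Fortinet-Group-Name VSA in the RFC 2865 section 5.26 layout."""
    inner = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(name)) + name.encode()
    return avp(ATTR_VSA, struct.pack("!I", FORTINET_VENDOR_ID) + inner)


def build_acct_request(ident, attrs, secret=SECRET):
    """NAS side: Accounting-Request with the RFC 2866 Request Authenticator."""
    header = struct.pack("!BBH", CODE_ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_acct_request(packet, secret=SECRET):
    """Listener side: recompute the Request Authenticator over the received bytes."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def parse_attrs(attrs):
    """Decode the attributes RSSO cares about into a dict keyed by attribute name."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + length]
        if t == ATTR_USER_NAME:
            out["User-Name"] = value.decode()
        elif t == ATTR_FRAMED_IP:
            out["Framed-IP-Address"] = ".".join(str(b) for b in value)
        elif t == ATTR_CLASS:
            out["Class"] = value.decode()
        elif t == ATTR_ACCT_STATUS:
            out["Acct-Status-Type"] = struct.unpack("!I", value)[0]
        elif t == ATTR_VSA and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID:
            sub_type, sub_len = value[4], value[5]
            if sub_type == FORTINET_GROUP_NAME:
                out["Fortinet-Group-Name"] = value[6:4 + sub_len].decode()
        i += length
    return out


def build_acct_response(request, secret=SECRET):
    """Accounting-Response: no attributes, just the acknowledgement (RFC 2866 section 4.2)."""
    ident, req_auth = request[1], request[4:20]
    header = struct.pack("!BBH", CODE_ACCT_RESPONSE, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def rsso_handle(packet, sessions, secret=SECRET):
    """RSSO agent logic: learn IP -> (user, group) on Start, forget it on Stop.

    Returns the Accounting-Response to send, or None when the packet does not
    authenticate (an unauthenticated Start must never create a session).
    """
    if packet[0] != CODE_ACCT_REQUEST or not verify_acct_request(packet, secret):
        return None
    a = parse_attrs(packet[20:])
    ip = a.get("Framed-IP-Address")
    if a.get("Acct-Status-Type") == ACCT_START and ip:
        # Prefer the Fortinet VSA; fall back to the standard Class attribute (#25).
        sessions[ip] = (a.get("User-Name"), a.get("Fortinet-Group-Name") or a.get("Class"))
    elif a.get("Acct-Status-Type") == ACCT_STOP:
        sessions.pop(ip, None)
    return build_acct_response(packet, secret)


# Constructed Accounting-Start as a VPN concentrator would send it for user "alice".
START_ATTRS = (
    avp(ATTR_USER_NAME, b"alice")
    + avp(ATTR_FRAMED_IP, bytes([10, 20, 30, 40]))
    + avp(ATTR_ACCT_STATUS, struct.pack("!I", ACCT_START))
    + avp(ATTR_CLASS, b"VPN-Users")            # echoed from the Access-Accept
    + fortinet_group_name("VPN-Users")
)
START_REQUEST = build_acct_request(7, START_ATTRS)


def demo():
    sessions = {}
    response = rsso_handle(START_REQUEST, sessions)
    # One bit flipped in transit (or a wrong secret) must be rejected, not mapped.
    tampered = START_REQUEST[:-1] + bytes([START_REQUEST[-1] ^ 0x01])
    rejected = rsso_handle(tampered, sessions)
    return sessions, response, rejected


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields one session, `10.20.30.40 -> ("alice", "VPN-Users")`, a 20-byte Accounting-Response with code 5 and the request's identifier, and `None` for the tampered copy. When checking your own captures, compare the Framed-IP-Address and group attribute in the Start against what the firewall learned; if the Class value is missing there, the NAS is not echoing it, which is a NAS-side setting rather than an RSA AM one.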