
RADIUS Accounting for Fortigate RSSO

Question asked by Krisztian Horvath on Jul 27, 2016
Latest reply on Jul 27, 2016 by Jay Guillette

Hello Community Members,

Does anybody know how I should configure RSA Authentication Manager for RADIUS accounting?

I use RSA tokens for dial-up VPN authentication. I managed to set up the Fortigate VSA on RSA AM so that it can give back the "Fortinet-Group-Name" attribute defined in the RADIUS profile to the Fortigate. For this reason, authentication works as expected.

To be able to create user-based policies in the firewall, I have to set up RADIUS Single Sign-On (RSSO). This means I have to use RADIUS accounting. I should get back the "Class" or "Fortinet-Group-Name" attribute in accounting messages.

I am attaching a diagram of how RSSO should work regarding Fortinet (Fortinet_RSSO.jpg). I am also attaching some pcap files that contain RADIUS accounting messages (RADIUS_acct_request.jpg; RADIUS_acct_response.jpg). As you can see, the RADIUS accounting response message is an acknowledgement only.

Thanks and Best Regards,

Chris
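
To see which accounting packets in a capture carry group information, the following added example (not part of the original post) parses a raw RADIUS payload and reports any "Class" or "Fortinet-Group-Name" attribute it contains. It assumes Fortinet's vendor ID 12356 with Fortinet-Group-Name as sub-attribute 1, as in the publicly distributed Fortinet RADIUS dictionary; the helper names, sample packets, user name and group name are constructed.

```python
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5          # RFC 2866 packet codes
ATTR_CLASS, ATTR_VSA = 25, 26               # RFC 2865 attribute types
FORTINET_VENDOR = struct.pack("!I", 12356)  # assumption: Fortinet vendor ID
FORTINET_GROUP_NAME = 1                     # assumption: Fortinet-Group-Name sub-type


def tlvs(data):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]


def group_attributes(packet):
    """Return (packet code, {name: value}) for group-bearing attributes."""
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        raise ValueError("not a complete RADIUS packet")
    found = {}
    for atype, value in tlvs(packet[20:length]):  # skip header + authenticator
        if atype == ATTR_CLASS:
            found["Class"] = value.decode(errors="replace")
        elif atype == ATTR_VSA and value[:4] == FORTINET_VENDOR:
            for vtype, vvalue in tlvs(value[4:]):
                if vtype == FORTINET_GROUP_NAME:
                    found["Fortinet-Group-Name"] = vvalue.decode(errors="replace")
    return packet[0], found


def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def build_packet(code, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples: Accounting-Request (Start) with a Fortinet VSA, and a bare response.
SAMPLE_REQUEST = build_packet(ACCT_REQUEST, [
    attr(1, b"alice"), attr(40, struct.pack("!I", 1)),  # User-Name, Acct-Status-Type
    attr(ATTR_VSA, FORTINET_VENDOR + attr(FORTINET_GROUP_NAME, b"vpn-users")),
])
SAMPLE_RESPONSE = build_packet(ACCT_RESPONSE, [])
```

Feeding the UDP payload of each captured accounting packet to `group_attributes` shows the packet code alongside any group attribute present, so requests and responses can be compared directly.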
