Hello Community Members,
Does anybody know how I should configure RSA Authentication Manager for RADIUS accounting?
I use RSA tokens for dial-up VPN authentication. I managed to set up Fortigate VSA on RSA AM so it can give back "Fortinet-Group-Name" attribute defined in RADIUS profile to Fortigate. For this reason, authentication works as expected.
To be able to create user-based policies in firewall, I have to set up RADIUS Single Sign-On (RSSO). It means I have to use RADIUS accounting. I should get back "Class" or "Fortinet-Group-Name" attribute in accounting messages.
I am attaching a diagram of how RSSO should work with Fortinet (Fortinet_RSSO.jpg). I am also attaching some pcap files containing RADIUS accounting messages (RADIUS_acct_request.jpg; RADIUS_acct_response.jpg). As you can see, the RADIUS accounting response message is an acknowledgement only.
Thanks and Best Regards,
Chris
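As an added illustration of the accounting exchange described in the question above (this is example code written for this page, not code from the original post, from RSA or from Fortinet): a small RADIUS Accounting-Request builder and parser that carries the group in both a Class attribute and a Fortinet-Group-Name VSA, verifies the request authenticator, and produces the attribute-less Accounting-Response that the pcap shows. The shared secret, username, IP address and group names are constructed values; the Fortinet vendor ID (12356), the Fortinet-Group-Name sub-attribute number (1) and the standard attribute numbers are taken from the Fortinet RADIUS dictionary and RFCs 2865/2866.

```python
import hashlib
import struct

# Constructed sample values for this example (not from the original post).
SHARED_SECRET = b"example-secret"
FORTINET_VENDOR_ID = 12356        # IANA enterprise number for Fortinet
FORTINET_GROUP_NAME = 1           # Fortinet-Group-Name VSA sub-attribute
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_CLASS, ATTR_VSA, ATTR_ACCT_STATUS = 1, 8, 25, 26, 40
CODE_ACCT_REQUEST, CODE_ACCT_RESPONSE = 4, 5
ACCT_START = 1


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def fortinet_vsa(sub_type, value):
    """Encode a Vendor-Specific attribute carrying one Fortinet sub-attribute."""
    inner = struct.pack("!BB", sub_type, len(value) + 2) + value
    return attr(ATTR_VSA, struct.pack("!I", FORTINET_VENDOR_ID) + inner)


def build_acct_request(ident, attrs, secret=SHARED_SECRET):
    """Accounting-Request: authenticator = MD5(Code+ID+Length+16 zero bytes+attrs+secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def build_acct_response(request, attrs=(), secret=SHARED_SECRET):
    """Accounting-Response: authenticator = MD5(Code+ID+Length+RequestAuth+attrs+secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCT_RESPONSE, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_acct_request(packet, secret=SHARED_SECRET):
    """Recompute the Accounting-Request authenticator; rejects forged or tampered packets."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attributes(packet):
    """Walk the attribute list; return standard attributes and Fortinet VSAs in a dict."""
    attrs = {}
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VSA and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == FORTINET_VENDOR_ID:
                sub_type, sub_len = value[4], value[5]
                attrs[("fortinet", sub_type)] = value[6:4 + sub_len]
        else:
            attrs[atype] = value
        pos += alen
    return attrs


def rsso_groups(packet, secret=SHARED_SECRET):
    """What an RSSO-style consumer needs from an Accounting-Start: user, IP and group."""
    if not verify_acct_request(packet, secret):
        return None
    a = parse_attributes(packet)
    if a.get(ATTR_ACCT_STATUS) != struct.pack("!I", ACCT_START):
        return None
    # Prefer the Fortinet VSA; fall back to the standard Class attribute.
    group = a.get(("fortinet", FORTINET_GROUP_NAME)) or a.get(ATTR_CLASS)
    return {
        "user": a[ATTR_USER_NAME].decode(),
        "ip": ".".join(str(b) for b in a[ATTR_FRAMED_IP]),
        "group": group.decode() if group else None,
    }


# Constructed Accounting-Request (Start) for a VPN user, as a NAS would send it.
SAMPLE_REQUEST = build_acct_request(7, [
    attr(ATTR_USER_NAME, b"chris"),
    attr(ATTR_FRAMED_IP, bytes([10, 20, 30, 40])),
    attr(ATTR_ACCT_STATUS, struct.pack("!I", ACCT_START)),
    attr(ATTR_CLASS, b"vpn-users"),
    fortinet_vsa(FORTINET_GROUP_NAME, b"fw-admins"),
])
# The matching response carries no attributes: a bare 20-byte acknowledgement.
SAMPLE_RESPONSE = build_acct_response(SAMPLE_REQUEST)

if __name__ == "__main__":
    print(rsso_groups(SAMPLE_REQUEST))
    print("response code", SAMPLE_RESPONSE[0], "length", len(SAMPLE_RESPONSE))
```

The point the example makes is that the group has to travel in the Accounting-Request itself: a consumer that only ever sees the 20-byte Accounting-Response learns nothing about the user or group, so whatever sends the accounting packets (the NAS or a relay) is what has to include Class or Fortinet-Group-Name.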
Krisztian,
RSA implements a limited version of the old Funk/Juniper Steel Belted RADIUS, so we do not do full RADIUS accounting, but you can return group or attribute information to a RADIUS client in two ways:
Have a look at these and see what makes sense, but if you know what information you want RSA to return to Fortigate, this is probably the best approach.
Regards,