RADIUS accounting proxy
The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server, transforms them, and then forwards them to multiple FortiGate or FortiMail devices for use in RADIUS Single Sign-On. This differs from the direct use of RADIUS accounting packets (see RADIUS accounting).
The accounting proxy needs to know:
- Rule sets to define or derive the RADIUS attributes that the FortiGate unit requires,
- The source of the RADIUS accounting records: the RADIUS server,
- The destination(s) of the accounting records: the FortiGate units using this information for RADIUS SSO authentication.
General settings
General RADIUS accounting proxy settings can be configured by going to Fortinet SSO Methods > Accounting Proxy > General.
The following settings are available:
Select OK to apply your changes.
Rule sets
A rule set can contain multiple rules. Each rule can do one of:
- add an attribute with a fixed value
- add an attribute retrieved from a user’s record on an LDAP server
- rename an attribute to make it acceptable to the accounting proxy destination.
The FortiAuthenticator unit can store up to 10 rule sets. You can provide both a name and a description to each rule set to help you remember each rule set’s purpose.
Rules operate on RADIUS attributes, which are either standard attributes or vendor-specific attributes (VSAs). To select a standard attribute, select the Default vendor. See RADIUS Attributes.
To view the accounting proxy rule set list, go to Fortinet SSO Methods > Accounting Proxy > Rule Sets.
To add RADIUS accounting proxy rule sets:
- From the rule set list, select Create New. The Create New Rule Set window opens.
- Enter the following information:
Name | Enter a name to use when selecting this rule set for an accounting proxy destination.
Description | Optionally, enter a brief description of the rule set’s purpose.
Rules | Enter one or more rules.
Action | The action for each rule can be either Add or Modify:
- Add: add either a static value or a value derived from an LDAP server.
- Modify: rename an attribute.
Attribute | Select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Attribute 2 | If the action is set to Modify, a second attribute may be selected. The first attribute will be renamed to the second attribute.
Value Type | If the action is set to Add, select a value type from the dropdown menu:
- Static value: adds the attribute in the Attribute field containing the static value in the Value field.
- Group names: adds the attribute in the Attribute field containing "Group names" from the group membership of the Username Attribute on the remote LDAP server.
- Services: adds the attribute in the Attribute field containing "Services" from the group membership of the Username Attribute on the remote LDAP server.
- UTM profile groups: adds the attribute in the Attribute field containing "UTM profile groups" from the group membership of the Username Attribute on the remote LDAP server.
Value | If the action is set to Add and Value Type is set to Static value, enter the static value.
Username Attribute | If the action is set to Add and Value Type is not set to Static value, specify an attribute that provides the user’s name, or select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Remote LDAP | If the attribute addition requires an LDAP server, select one from the dropdown menu. See LDAP for information on remote LDAP servers.
Description | Enter a brief description of the rule.
Add another rule | Select to add another rule to the rule set.
- Select OK to create the new rule set.
Example rule set
The incoming accounting packets contain the following fields:
- User-Name
- NAS-IP-Address
- Fortinet-Client-IP-Address
The outgoing accounting packets need to have these fields:
- User-Name
- NAS-IP-Address
- Fortinet-Client-IP-Address
- Session-Timeout: Value is always 3600
- Fortinet-Group-Name: Value is obtained from user's group membership on remote LDAP
- Service-Type: Value is obtained from user's group membership and SSO Group Mapping
The rule set needs three rules to add Session-Timeout, Fortinet-Group-Name, and Service-Type. The following image provides an example:
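The transformation this rule set performs, written out as a small rule engine in Python. This is an added illustration, not FortiAuthenticator code: the LDAP directory and the SSO Group Mapping are constructed stand-ins, and the Fortinet VSA numbers (vendor 12356, Fortinet-Group-Name 1, Fortinet-Client-IP-Address 2) are assumed from the public FreeRADIUS Fortinet dictionary. It also shows the two edge cases a proxy has to get right: a user missing from LDAP gets no derived attributes, and a Modify rule for an attribute that is not in the packet is a no-op.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Attr = Tuple[int, int, str]  # (vendor id, attribute id, value); vendor 0 = standard ("Default")
FORTINET = 12356             # Fortinet's IANA enterprise number, used for its VSAs
USER_NAME, NAS_IP, SERVICE_TYPE, SESSION_TIMEOUT = (0, 1), (0, 4), (0, 6), (0, 27)
FORTINET_GROUP_NAME, FORTINET_CLIENT_IP = (FORTINET, 1), (FORTINET, 2)  # assumed VSA ids

@dataclass
class Rule:
    action: str                       # "Add" or "Modify"
    attribute: Tuple[int, int]        # attribute to add, or to rename when Modify
    value_type: str = "Static value"  # "Static value", "Group names" or "Services"
    value: str = ""                   # used only for Static value
    username_attribute: Tuple[int, int] = USER_NAME   # where the user's name is read from
    attribute2: Optional[Tuple[int, int]] = None      # rename target for Modify

def apply_rule_set(packet: List[Attr], rules: List[Rule],
                   ldap_lookup: Callable[[str, str], List[str]]) -> List[Attr]:
    """Apply each rule in order and return the transformed attribute list."""
    out = list(packet)
    for r in rules:
        if r.action == "Modify":  # rename; a no-op if the attribute is absent
            out = [(r.attribute2 + (val,) if (v, a) == r.attribute else (v, a, val))
                   for v, a, val in out]
        elif r.value_type == "Static value":
            out.append(r.attribute + (r.value,))
        else:  # LDAP-derived: read the user's name from the packet, then look it up
            names = [val for v, a, val in out if (v, a) == r.username_attribute]
            for val in (ldap_lookup(names[0], r.value_type) if names else []):
                out.append(r.attribute + (val,))
    return out

# Constructed stand-ins for the remote LDAP group membership and the SSO Group Mapping.
LDAP_GROUPS = {"alice": ["Engineering", "VPN-Users"]}
SSO_GROUP_MAPPING = {"VPN-Users": "Login-User"}
def fake_ldap_lookup(user: str, value_type: str) -> List[str]:
    groups = LDAP_GROUPS.get(user, [])  # unknown user: nothing gets added
    if value_type == "Group names":
        return groups
    if value_type == "Services":
        return [SSO_GROUP_MAPPING[g] for g in groups if g in SSO_GROUP_MAPPING]
    return []

# The three rules of the example rule set: Session-Timeout, Fortinet-Group-Name, Service-Type.
EXAMPLE_RULES = [Rule("Add", SESSION_TIMEOUT, "Static value", "3600"),
                 Rule("Add", FORTINET_GROUP_NAME, "Group names"),
                 Rule("Add", SERVICE_TYPE, "Services")]
def proxy(user: str, nas_ip: str, client_ip: str) -> List[Attr]:
    # One constructed incoming packet with the three fields listed above.
    incoming = [USER_NAME + (user,), NAS_IP + (nas_ip,), FORTINET_CLIENT_IP + (client_ip,)]
    return apply_rule_set(incoming, EXAMPLE_RULES, fake_ldap_lookup)
```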
Sources
The RADIUS accounting proxy sources list can be viewed in Fortinet SSO Methods > Accounting Proxy > Sources. Sources can be added, edited, and deleted as needed.
To add a RADIUS accounting proxy source:
- From the source list, select Create New. The Create New RADIUS Accounting Proxy Source window opens.
- Enter the following information:
- Select OK to add the RADIUS accounting proxy source.
Destinations
The destination of the RADIUS accounting records is the FortiGate unit that will use the records to identify users. When defining the destination, you also specify the source of the records (a RADIUS client already defined as a source) and the rule set to apply to the records.
To view the RADIUS accounting proxy destinations list, go to Fortinet SSO Methods > Accounting Proxy > Destinations.
To add a RADIUS accounting proxy destination:
- From the destinations list, select Create New. The Create New RADIUS Accounting Proxy Destination window opens.
- Enter the following information:
Name | Enter a name to identify the destination device in your configuration.
Destination name/IP | Enter the FQDN or IP address of the FortiGate that will receive the RADIUS accounting records.
Secret | Enter the preshared key of the destination.
Source | Select a RADIUS client defined as a source from the dropdown menu. See Sources.
Rule set | Select an appropriate rule set from the dropdown menu, or select Create New to create a new rule set. See Rule sets.
- Select OK to add the RADIUS accounting proxy destination.