Example: web filtering for student and teacher accounts
The following example uses RADIUS SSO to apply web filtering to students, but not to teachers. Assume that the RADIUS server is already configured to send RADIUS Start and Stop records to the FortiGate unit. There are two RADIUS user groups, students and teachers, recorded in the default attribute Class. The workstations are connected to port1, port2 connects to the RADIUS server, and port3 connects to the Internet.
Configure the student web filter profile
1. Go to Security Profiles > Web Filter > Profiles and select Create New.
2. Enter the following and select Apply.
Name | student |
Inspection Mode | Proxy |
FortiGuard Categories | Enable. Right-click the Potentially Liable category and select Block. Repeat for Adult/Mature Content and Security Risk. |
Enable RADIUS access on the port2 interface
1. Go to System > Network > Interfaces and edit the port2 interface.
2. Select Listen for RADIUS Accounting Messages.
3. Select OK.
Create the RADIUS SSO agent
1. Go to User & Device > Authentication > Single Sign-On and select Create New.
2. In Type, select RADIUS Single-Sign-On.
3. Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.
4. Select Send RADIUS Responses.
5. Select OK.
The Single Sign-On agent is named RSSO_Agent.
Define local user groups associated with the RADIUS SSO user groups
1. Go to User & Device > User > User Groups and select Create New.
2. Enter the following and select OK.
Name | RSSO-students |
Type | RADIUS Single Sign-On (RSSO) |
RADIUS Attribute Value | students |
3. Select Create New, enter the following and select OK.
Name | RSSO-teachers |
Type | RADIUS Single Sign-On (RSSO) |
RADIUS Attribute Value | teachers |
Create a security policy for RSSO
1. Go to Policy > Policy > Policy and select Create New.
2. Enter the following:
Policy Type | Firewall |
Policy Subtype | User Identity |
Incoming Interface | port1 |
Source Address | all |
Outgoing Interface | port3 |
Enable NAT | Selected |
3. In Configure Authentication Rules, select Create New and enter:
Destination Address | all |
Group(s) | RSSO-students |
Schedule | always |
Service | HTTP, HTTPS |
Action | ACCEPT |
UTM Security Profiles | Enable AntiVirus, Web Filter, IPS. In Web Filter, select the student profile. |
4. Select OK.
5. In Configure Authentication Rules, select Create New and enter:
Destination Address | all |
Group(s) | RSSO-teachers |
Schedule | always |
Service | ALL |
Action | ACCEPT |
UTM Security Profiles | Enable AntiVirus and IPS. |
6. Select OK.
7. Select OK to save the policy.
8. Repeat steps 4 and 5 for each user group that is allowed to use this security policy. Schedule, Service, and UTM profiles can be different for each group.
9. Select OK.
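To make the RADIUS SSO mechanism from the overview concrete, here is an added Python model (not FortiGate code and not part of the original guide) of what the RSSO agent does with the accounting records arriving on port2: verify the Request Authenticator with the shared secret, map the Class attribute to RSSO-students or RSSO-teachers, keep a logon table keyed by Framed-IP-Address, and select the web filter profile the policy above applies. The shared secret, user names and addresses are constructed sample values.

```python
import hashlib, hmac, ipaddress, struct

# Constructed model of an RSSO agent; attribute numbers are the standard RADIUS ones.
ACCT_REQUEST = 4
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40
START, STOP = 1, 2
SHARED_SECRET = b"example-secret"   # assumption: same secret configured on the RADIUS server
GROUP_MAP = {b"students": "RSSO-students", b"teachers": "RSSO-teachers"}
PROFILE_MAP = {"RSSO-students": "student", "RSSO-teachers": None}  # None = no web filter
logons = {}                         # Framed-IP-Address -> (user, RSSO group)

def build_acct_request(ident, attrs):
    # Accounting-Request: Code, ID, Length, 16-byte authenticator, then TLV attributes.
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + SHARED_SECRET).digest()
    return header + auth + body

def parse_attrs(body):
    attrs, pos = {}, 0
    while pos + 2 <= len(body):
        t, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = body[pos + 2:pos + length]
        pos += length
    return attrs

def handle_accounting(pkt):
    # Returns ("logon"|"logoff", ip, group), or None when the record is rejected.
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        return None
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + SHARED_SECRET).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):   # wrong shared secret: drop
        return None
    a = parse_attrs(body)
    ip = str(ipaddress.IPv4Address(a[FRAMED_IP]))
    status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
    group = GROUP_MAP.get(a.get(CLASS, b""))   # Class attribute -> local RSSO group
    if status == START and group:
        logons[ip] = (a[USER_NAME].decode(), group)
        return ("logon", ip, group)
    if status == STOP:
        logons.pop(ip, None)
        return ("logoff", ip, group)

def web_filter_profile(ip):
    # Profile the policy applies to traffic from ip: student, none (teachers), or no match.
    entry = logons.get(ip)
    return PROFILE_MAP[entry[1]] if entry else "unauthenticated"
```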