Chapter 3 Authentication for FortiOS 5.0 : SSO using RADIUS accounting records : Example: webfiltering for student and teacher accounts
Example: webfiltering for student and teacher accounts
The following example uses RADIUS SSO to apply web filtering to students, but not to teachers. Assume that the RADIUS server is already configured to send RADIUS Start and Stop records to the FortiGate unit. There are two RADIUS user groups, students and teachers, recorded in the default attribute Class. The workstations are connected to port1, port2 connects to the RADIUS server, and port3 connects to the Internet.
Configure the student web filter profile
1. Go to Security Profiles > Web Filter > Profiles and select Create New.
2. Enter the following and select Apply.
Name: student
Inspection Mode: Proxy
FortiGuard Categories: Enable. Right-click the Potentially Liable category and select Block. Repeat for Adult/Mature Content and Security Risk.
Enable RADIUS access on the port2 interface
1. Go to System > Network > Interfaces and edit the port2 interface.
2. Select Listen for RADIUS Accounting Messages.
3. Select OK.
Create the RADIUS SSO agent
1. Go to User & Device > Authentication > Single Sign-On and select Create New.
2. In Type, select RADIUS Single-Sign-On.
3. Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.
4. Select Send RADIUS Responses.
5. Select OK.
The Single Sign-On agent is named RSSO_Agent.
Define local user groups associated with the RADIUS SSO user groups
1. Go to User & Device > User > User Groups and select Create New.
2. Enter the following and select OK.
Name: RSSO-students
Type: RADIUS Single Sign-On (RSSO)
RADIUS Attribute Value: students
3. Select Create New, enter the following and select OK.
Name: RSSO-teachers
Type: RADIUS Single Sign-On (RSSO)
RADIUS Attribute Value: teachers
Create a security policy for RSSO
1. Go to Policy > Policy > Policy and select Create New.
2. Enter the following:
Policy Type: Firewall
Policy Subtype: User Identity
Incoming Interface: port1
Source Address: all
Outgoing Interface: port3
Enable NAT: Selected
3. In Configure Authentication Rules, select Create New and enter:
Destination Address: all
Group(s): RSSO-students
Schedule: always
Service: HTTP, HTTPS
Action: ACCEPT
UTM Security Profiles: Enable AntiVirus, Web Filter, IPS. In Web Filter, select the student profile.
4. Select OK.
5. In Configure Authentication Rules, select Create New and enter:
Destination Address: all
Group(s): RSSO-teachers
Schedule: always
Service: ALL
Action: ACCEPT
UTM Security Profiles: Enable AntiVirus and IPS.
6. Select OK.
7. Select OK to save the policy.
8. Repeat steps 4 and 5 for each user group that is allowed to use this security policy. Schedule, Service, and UTM profiles can be different for each group.
9. Select OK.
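The RSSO agent built above learns who is on which workstation from the accounting records the RADIUS server sends to port2: a Start record carries the user name, the client IP and the Class attribute naming the group (students or teachers), and a Stop record ends the session. The following Python is an added illustration, not FortiGate code, of what that processing involves: checking the Request Authenticator against the shared secret (the reason the agent asks for it), reading Class, and keeping the IP-to-group table that the policy's group match depends on. The packets, addresses and secret are constructed for the example.

```python
import hashlib
import struct

ACCT_REQUEST = 4                                   # RADIUS code for Accounting-Request
USER_NAME, FRAMED_IP, CLASS, STATUS = 1, 8, 25, 40  # attribute types (RFC 2865/2866)
START, STOP = 1, 2                                 # Acct-Status-Type values

def build_acct_request(secret, ident, attrs):
    """Constructed Accounting-Request; authenticator = MD5(header + 16 zero bytes + attrs + secret) per RFC 2866."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body

def parse_acct_request(pkt, secret):
    """Return {attr_type: value} if the record is well formed and signed with our shared secret, else None."""
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None  # not a well-formed Accounting-Request
    body = pkt[20:]
    if hashlib.md5(pkt[:4] + b"\x00" * 16 + body + secret).digest() != pkt[4:20]:
        return None  # wrong shared secret or altered record: the agent ignores it
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            return None  # malformed attribute length
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs

def apply_record(sessions, attrs):
    """Start maps the client IP to (user, group from Class); Stop removes the mapping."""
    ip = ".".join(str(b) for b in attrs[FRAMED_IP])
    status = struct.unpack("!I", attrs[STATUS])[0]
    if status == START:
        sessions[ip] = (attrs[USER_NAME].decode(), attrs[CLASS].decode())
    elif status == STOP:
        sessions.pop(ip, None)
    return sessions

def demo(secret=b"constructed-secret"):
    """Walk one student logon and logoff through the table; returns the three observed states."""
    sessions = {}
    ip = bytes([10, 0, 1, 25])  # constructed workstation address behind port1
    start = [(USER_NAME, b"alice"), (FRAMED_IP, ip), (CLASS, b"students"), (STATUS, struct.pack("!I", START))]
    stop = [(USER_NAME, b"alice"), (FRAMED_IP, ip), (STATUS, struct.pack("!I", STOP))]
    after_start = dict(apply_record(sessions, parse_acct_request(build_acct_request(secret, 1, start), secret)))
    forged = parse_acct_request(build_acct_request(b"wrong-secret", 2, start), secret)  # rejected: None
    after_stop = dict(apply_record(sessions, parse_acct_request(build_acct_request(secret, 3, stop), secret)))
    return after_start, forged, after_stop
```

A record whose authenticator does not verify never reaches the session table, which is why a mismatched shared secret on the agent shows up as users who simply never appear in the RSSO group.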