Selecting which RADIUS attributes are used for RSSO
For RADIUS SSO to work, FortiOS needs to know the user’s endpoint identifier (usually the IP address) and RADIUS user group. FortiOS expects to find this information in default RADIUS attributes, but you can change which attributes are used with the config user radius CLI command.
Table 24: RSSO information and RADIUS attribute defaults
RSSO Information | RADIUS Attribute | CLI field |
Endpoint identifier | Calling-Station-ID | rsso-endpoint-attribute |
Endpoint block attribute | Called-Station-ID | rsso-endpoint-block-attribute |
User group | Class | sso-attribute |
The Endpoint block attribute can be used to block a user. If the attribute value is “Block”, FortiOS blocks all traffic from that user’s IP address. The RSSO fields are visible only when rsso is set to enable.
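The following added example (not Fortinet code, and not how FortiOS is implemented) parses a RADIUS accounting packet and applies the default mapping from Table 24, so you can check what a RADIUS server's records would yield as endpoint, user group and block state. The attribute type numbers come from RFC 2865; the function names, the sample IP address and group name, and the exact-match comparison against "Block" are assumptions made for illustration.

```python
import struct

# RADIUS attribute type numbers (RFC 2865), keyed by the names used in Table 24
ATTR_TYPES = {"Class": 25, "Called-Station-ID": 30, "Calling-Station-ID": 31}
# Default attribute for each CLI field, as listed in Table 24
DEFAULT_MAPPING = {
    "rsso-endpoint-attribute": "Calling-Station-ID",
    "rsso-endpoint-block-attribute": "Called-Station-ID",
    "sso-attribute": "Class",
}

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} from a RADIUS packet; the first occurrence wins."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def rsso_view(packet: bytes, mapping: dict = DEFAULT_MAPPING) -> dict:
    """Map a packet's attributes to the RSSO information in Table 24."""
    attrs = parse_attributes(packet)
    def get(field):
        raw = attrs.get(ATTR_TYPES[mapping[field]])
        return raw.decode("utf-8", "replace") if raw is not None else None
    return {
        "endpoint": get("rsso-endpoint-attribute"),
        "group": get("sso-attribute"),
        # Assumption: exact match on the value "Block" named in the text
        "blocked": get("rsso-endpoint-block-attribute") == "Block",
    }

def build_sample(attrs) -> bytes:
    """Constructed Accounting-Request (code 4) with a zeroed authenticator."""
    body = b"".join(bytes([ATTR_TYPES[n], len(v) + 2]) + v for n, v in attrs)
    return struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = build_sample([("Calling-Station-ID", b"10.1.100.185"), ("Class", b"group1")])
SAMPLE_BLOCK = build_sample([("Calling-Station-ID", b"10.1.100.185"),
                             ("Called-Station-ID", b"Block"), ("Class", b"group1")])
```

Pass a different mapping dictionary to rsso_view to model a configuration where the CLI fields point at other attributes.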