Creating security policies
RADIUS SSO uses regular identity-based security policies. The RSSO user group you specify in the policy determines which users are permitted to use it. Create multiple policies when different user groups need different UTM features, permitted services, schedules, and so on.
To create a security policy for RSSO - web-based manager
1. Go to Policy & Objects > Policy > IPv4.
2. Select Create New.
3. Enter the following information.
| Field | Value |
| --- | --- |
| Incoming Interface | as needed |
| Source Address | as needed |
| Source User(s) | Select the user groups you created for RSSO. See “Defining local user groups for RADIUS SSO”. |
| Outgoing Interface | as needed |
| Destination Address | all |
| Schedule | as needed |
| Service | as needed |
| Action | ACCEPT |
| Enable NAT | Selected |
| Security Profiles | Select security profiles appropriate for the user group. |
4. Select OK.
Policies are evaluated from the top of the list and the first match is used, so place an RSSO-related policy higher in the security policy list than more general policies for the same interfaces; otherwise the general policy is matched first and the RSSO policy is never applied.
5. Select OK.
To create a security policy for RSSO - CLI
In this example, an internal-to-Internet policy allows web access (HTTP and HTTPS) for members of the RSSO-student group and applies the student UTM profiles.
config firewall policy
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set rsso enable
        set groups "RSSO-student"
        set schedule always
        set service HTTP HTTPS
        set nat enable
        set utm-status enable
        set av-profile students
        set webfilter-profile students
        set spamfilter-profile students
        set dlp-sensor default
        set ips-sensor default
        set application-list students
        set profile-protocol-options "default"
    next
end
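The ordering rule stated in the web-based manager procedure (place the RSSO policy above more general policies) is what the CLI example above depends on as well: a group-restricted policy is only reached if no broader policy above it accepts the same traffic. The following Python model is an added example, not Fortinet code or a FortiOS API. It simulates top-down first-match evaluation over a simplified policy list built from the page's CLI keywords (srcintf, dstintf, srcaddr, dstaddr, service, groups, utm-status) and includes a check that flags an RSSO policy that can never be hit because a group-less policy above it already covers its interfaces, addresses and services. The policy names, the flow addresses and the "ALL" service marker are constructed for the example.

```python
"""First-match simulation of a FortiGate-style policy list.

Added example; not Fortinet code. Shows why an RSSO policy must sit above
more general policies for the same interfaces: if a broad policy matches
first, the group-restricted policy and its security profiles never apply.
Policy and flow fields are a simplified model of the page's CLI keywords.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    service: frozenset                # e.g. {"HTTP", "HTTPS"}; "ALL" is a constructed any-service marker
    action: str = "accept"
    groups: frozenset = frozenset()   # empty = no 'set rsso enable' / 'set groups' restriction
    utm_status: bool = False          # models 'set utm-status enable'


@dataclass
class Flow:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    service: str
    user_groups: frozenset = frozenset()  # groups learned for this user from RADIUS accounting


def _addr_matches(policy_addr: str, flow_addr: str) -> bool:
    # "all" is the any-address object; anything else must name the flow's address object
    return policy_addr == "all" or policy_addr == flow_addr


def _service_matches(policy_svcs: frozenset, flow_svc: str) -> bool:
    return "ALL" in policy_svcs or flow_svc in policy_svcs


def policy_matches(policy: Policy, flow: Flow) -> bool:
    """A policy with an RSSO group list only matches flows whose user is in one of those groups."""
    if policy.srcintf != flow.srcintf or policy.dstintf != flow.dstintf:
        return False
    if not _addr_matches(policy.srcaddr, flow.src) or not _addr_matches(policy.dstaddr, flow.dst):
        return False
    if not _service_matches(policy.service, flow.service):
        return False
    if policy.groups and not (policy.groups & flow.user_groups):
        return False
    return True


def first_match(policies: list, flow: Flow) -> Optional[Policy]:
    """Top-down evaluation: the first matching policy decides the flow."""
    for policy in policies:
        if policy_matches(policy, flow):
            return policy
    return None


def shadowed_rsso_policies(policies: list) -> list:
    """Return (rsso_policy_name, earlier_policy_name) pairs where a group-less policy
    above an RSSO policy already accepts everything the RSSO policy could match."""
    findings = []
    for i, rsso in enumerate(policies):
        if not rsso.groups:
            continue
        for earlier in policies[:i]:
            if earlier.groups:
                continue
            same_path = earlier.srcintf == rsso.srcintf and earlier.dstintf == rsso.dstintf
            covers_addr = (earlier.srcaddr in ("all", rsso.srcaddr)
                           and earlier.dstaddr in ("all", rsso.dstaddr))
            covers_svc = "ALL" in earlier.service or rsso.service <= earlier.service
            if same_path and covers_addr and covers_svc:
                findings.append((rsso.name, earlier.name))
    return findings


# Constructed sample data modelled on the page's CLI example.
RSSO_STUDENTS = Policy("RSSO-students", "internal", "wan1", "all", "all",
                       frozenset({"HTTP", "HTTPS"}),
                       groups=frozenset({"RSSO-student"}), utm_status=True)
GENERAL_WEB = Policy("general-web", "internal", "wan1", "all", "all", frozenset({"ALL"}))

STUDENT_FLOW = Flow("internal", "wan1", "10.0.0.25", "203.0.113.10", "HTTPS",
                    user_groups=frozenset({"RSSO-student"}))


def wrong_order() -> list:
    """General policy first: the student flow never reaches the RSSO policy."""
    return [GENERAL_WEB, RSSO_STUDENTS]


def right_order() -> list:
    """RSSO policy first, as the page recommends."""
    return [RSSO_STUDENTS, GENERAL_WEB]


if __name__ == "__main__":
    for label, order in (("wrong order", wrong_order()), ("right order", right_order())):
        hit = first_match(order, STUDENT_FLOW)
        print(f"{label}: student HTTPS flow hits {hit.name} (UTM={hit.utm_status}); "
              f"shadowed={shadowed_rsso_policies(order)}")
```

Run as a script, the wrong ordering shows the student flow landing on the general policy with no UTM, and the shadow check names the offending pair; the right ordering hits the RSSO policy and the check returns nothing. The same check can be run against an exported policy list before it is pushed.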