Example: webfiltering for student and teacher accounts
The following example uses RADIUS SSO to apply web filtering to students, but not to teachers. Assume that the RADIUS server is already configured to send RADIUS Start and Stop records to the FortiGate unit. There are two RADIUS user groups, students and teachers, recorded in the default attribute Class. The workstations are connected to port1, port2 connects to the RADIUS server, and port3 connects to the Internet.
Configure the student web filter profile
1. Go to Security Profiles > Web Filter and select Create New (the “+” button).
2. Enter the following and select OK.
Name | student |
Inspection Mode | Proxy |
FortiGuard Categories | Enable. Right-click the Potentially Liable category and select Block. Repeat for Adult/Mature Content and Security Risk. |
Create the RADIUS SSO agent
1. Go to User & Device > Authentication > Single Sign-On and select Create New.
2. In Type, select RADIUS Single-Sign-On.
3. Select Use RADIUS Shared Secret and enter the RADIUS server shared secret.
4. Select Send RADIUS Responses.
5. Select OK.
The Single Sign-On agent is named RSSO_Agent.
Define local user groups associated with the RADIUS SSO user groups
1. Go to User & Device > User > User Groups and select Create New.
2. Enter the following and select OK.
Name | RSSO-students |
Type | RADIUS Single Sign-On (RSSO) |
RADIUS Attribute Value | students |
3. Select Create New, enter the following and select OK.
Name | RSSO-teachers |
Type | RADIUS Single Sign-On (RSSO) |
RADIUS Attribute Value | teachers |
Create a security policy for students
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter
Incoming Interface | port1 |
Source Address | all |
Source User(s) | RSSO-students |
Source Device Type | All |
Outgoing Interface | port3 |
Destination Address | all |
Schedule | always |
Service | HTTP, HTTPS |
Action | ACCEPT |
NAT | ON |
Security Profiles | Enable AntiVirus, Web Filter, IPS. In Web Filter, select the student profile. |
3. Select OK.
Create a security policy for teachers
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter
Incoming Interface | port1 |
Source Address | all |
Source User(s) | RSSO-teachers |
Source Device Type | All |
Outgoing Interface | port3 |
Destination Address | all |
Schedule | always |
Service | ALL |
Action | ACCEPT |
NAT | ON |
Security Profiles | Enable AntiVirus and IPS. |
3. Select OK.