FortiConnect Guest on-boarding using RSSO



This recipe describes the usage of RADIUS-Single-Sign-On (RSSO), using Fortigate (used as firewall), FortiConnect (used for guest portal and RADIUS authentication) and FortiWLC (used for providing wireless access). The goal is to map Captive Portal users to user groups on the Fortigate, and apply security policies based on these user groups.

Authentication Flow:

  1. User authenticates to WLC via a security profile, where a RADIUS authentication is established (802.1x / Captive Portal)
  2. WLC validates user credentials at RADIUS server.
  3. RADIUS servers authenticates user for access and sends access-accept back to WLC to allow connection (including class attribute)
  4. WLC allows device/user to establish wireless connection.
  5. WLC sends accounting packets to RADIUS server.
  6. RADIUS server proxies those accounting packets and forwards it to the FortiGate.
  7. FortiGate registers user and maps the user to an RSSO-user group.

1. Registering the WLC as a RADIUS client on the  FortiConnect

Login to the admin page of your FortiConnect.

Go to Devices > RADIUS clients and add your WLC as a RADIUS client.

Name: Name of your WLC
Device IP: IP address of your WLC.
Secret: Choose a Shared Secret between FortiConnect and WLC)
Type: Meru SD 8.0 & Later

Go to the Automatic Setup tab and fill in the information needed for the FortiConnect to perform WLC configuration.

Device IP: IP address of your WLC
Admin user: admin username at WLC
Admin password: password of the WLC admin user
Captive Portal Name: Name that will be used to create/name the Captive Portal Profile at WLC.

This will create a RADIUS profile, a captive portal profile, and a Quality of Service (QoS) rule to allow access to the guest portal on the WLC.

The QoS rule is similar to a firewall rule, to allow the wireless device to be redirected to FortiConnect Captive Portal before the user or device is authenticated.

Click Setup Controller and FortiConnect will establish a SSH connection to the WLC.

It might take a minute or two for the actual configuration to finish.

When done you should see a message similar to this one.

2. Registering the FortiGate as a RADIUS Accounting Server on the FortiConnect

Go to Devices > RADIUS Accounting Servers
and add your FortiGate a RADIUS Accounting server.

Name: Name your FortiGate
Server IP: IP address of your FortiGate (matching the interface that will listen to the RADIUS Accounting messages)
Secret: Chosse a Shared Secret between FortiConnect and Fortigate)
Accounting port: 1813

3. Validating WLC configuration created from FortiConnect

Login to WLC with admin credentials.

Go to Configuration > Security > RADIUS and validate that FortiConnect has created the two RADIUS profiles.

Validate that the automatic setup process on FortiConnect has created the two RADIUS profiles.

IDAUxxx = Authentication profile
IDACxxx = Accounting profile

Go to Configuration > Security > Captive Portal and select the Captive Portal Profiles tab.

Validate that the Captive Portal profile is created.

If needed, hit the pencil icon the edit the profile.

4. Creating Security Profile on the WLC

Go to Configuration > Security > Profile and click the ADD bottom for creating a new Security Profile.

Fill in information:

Security Profile name: Name of your security profile
Security mode: Open
Captive Portal: WebAuth
Captive Portal profile: select the profile name that’s been created earlier
Captive Portal Authentication method: external (as we use FortiConnect Portal)
Pass-through Firewall Filter ID: Matching the name from the Automatic Setup used in FortiConnect earlier
Firewall Capabilities: radius-configured (allows the WLC to use RADIUS attributes)

5. Creating wireless ESS profile on the WLC

Go to Configuration > Wireless > ESS and click the ADD bottom for creating a new ESS profile.

Fill in information:

ESS Profile: Name the ESS profile
SSID: Name the SSID, (if left empty SSID will be same as ESS profile name)
Security Profile: Use the newly created security profile
RADIUS Accounting: Use the FortiConnect accounting profile (IDACxxxx)

Click SAVE, then accept the message that this is only for Virtual Cell AP’s (that’s what we use as the default option in WLC). Accept the message.

6. Enabling RADIUS Accounting listening on the FortiGate

Login to your Fortigate with admin credentials

Go to Network > Interfaces and edit the interface that is matching the IP address added as RADIUS Acounting Server at FortiConnect.

Enable RADIUS Accounting using the check-box.

7. Creating an RSSO Agent on the Fortigate

Go to User & Device > Authentication > Single Sign-On and create a new agent.

Type: RADIUS Single Sign-On Agent
Enable both Use RADIUS Shared Secret and Send RADIUS Responses.

8. Creating an RSSO User Group

Go to User & Device > User > User Groups and create a new user group.

Type: RADIUS Single Sign-On (RSSO)
RADIUS Attribute Value: Will match the RADIUS attribute from FortiConnect, In this example we use “staff” to identify a staff user. (remember the value is case-sensitive)

Setting RADIUS Attribute at FortiConnect for the corresponding Authorization Profile.

Attribute value used is “Class”

FortiConnect maps the user into the Account Group during the backend authentication to Microsft Active Directory.

9. Editing the RSSO Agent

Go to CLI of your FortiGate and edit the RSSO Agent

fw # config user radius

Then edit the RSSO entry

fw (radius) # edit RSSO\ Agent
fw (RSSO Agent) # set rsso-endpoint-attribute User-Name
fw (RSSO Agent) # end



After a user from staff member group has done a proper login using the Captive Portal, the username is now populated in FortiGate.
And you can start creating firewall policies using the RSSO group as a parameter.



Brian Andersen

Brian Andersen

Wireless CSE, EMEA region at Fortinet
Building strong customer/partner relations in WiFi industry.
Brian Andersen

Latest posts by Brian Andersen (see all)