RSSO WiFi access control


In this example, you will use RADIUS Single Sign-On (RSSO) to authenticate wireless users.

Users will be required to enter their credentials, which are stored on a RADIUS server, when connecting to the wireless network. Once they have been authenticated, the same credentials will also be used by the FortiGate to allow outbound traffic without requiring additional authentication.

1. Adding a RADIUS server and allowing accounting messages to be accepted

Go to User & Device > Authentication > RADIUS servers and create a new server connection.

Set the Primary Server IP/Name and Primary Server Secret. Test the connection.

Configure additional settings as required.


Go to System > Network > Interfaces and edit the interface that communicates with the RADIUS server.

Enable Listen for RADIUS Accounting Messages.

2. Creating an RSSO agent

Go to User & Device > Authentication > Single Sign-On and create a new agent.

Set Type to RADIUS Single Sign-On Agent and enable both Use RADIUS Shared Secret and Send RADIUS Responses.


3. Creating an RSSO user group

Go to User & Device > User > User Groups and create a new user group.

Set Type to RADIUS Single Sign-On (RSSO) and enter the RADIUS Attribute Value.


4. Creating a security policy for the RSSO user group

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the wireless interface, Source User(s) to the RSSO user group, and Outgoing Interface to your Internet-facing interface.


5. Configuring the RADIUS server

Create a remote RADIUS server group. Set the IP address as the FortiGate unit’s IP.

Go to Authentication/Accounting.

Deselect Use the same share secret for authentication and accounting and enter the same secret that is used by the RSSO agent.

6. Configuring the RADIUS client

Create a new RADIUS client and go to Properties.

Select Enable this RADIUS client. Set Name and Address to match the FortiAP and enter the Shared secret.

Go to the Advanced properties.

Set Vendor name to RADIUS Standard.

7. Creating a network policy

Create a new network policy.

Select Policy enabled and Grant access.

Go to Conditions.

Add Windows Group and select Corp/Internet_user from the AD.

Go to Constraints.

Select Authentication Methods and add Microsoft: Protected EAP (PEAP) under EAP Types.

Select PEAP from the EAP Types list and select Edit.

Ensure that a certificate is issued for PEAP.

Go to Settings.

Select Standard and remove all attributes that are listed.

8. Creating a connection request policy

Create a new connection request policy.

Select Policy enabled.

Go to Conditions.

Add Client IPv4 Address and enter the IP of the FortiAP.

Go to Settings.

Select RADIUS Attributes and add the same class attribute used by the RSSO user group (in the example, tac).

Select Accounting and select Forward accounting requests to the remote RADIUS server group. Select the RADIUS server group from the list.

9. Results

Users in the RSSO group will now be able to use their credentials to connect to the wireless network. They will then be able to access the Internet without having to authenticate again.  
Go to User & Device > Monitor > Firewall to verify that users are able to connect to the FortiGate using RSSO.

For further reading, check out SSO using RADIUS accounting records in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

In this example, a FortiAP has already been installed in Tunnel mode. For more information, see Adding a WiFi network with a FortiAP.
In this example, a Microsoft Network Policy Server (NPS) is used as the RADIUS server.