(RSSO) with Microsoft NPS - Fortinet Document Library

FortiGate RADIUS Single Sign-On (RSSO) with
Windows Server 2008 Network Policy Server (NPS)
VERSION 5.2.3
Contents
Introduction .................................................................................................................................................. 3
Audience ....................................................................................................................................................... 3
RADIUS Single Sign-On (RSSO) Overview ...................................................................................................... 3
What is Single Sign-On? ............................................................................................................................ 3
RSSO Use Case .......................................................................................................................................... 3
Authentication Flow.................................................................................................................................. 4
RADIUS Single Sign-On (RSSO) Configuration ............................................................................................... 4
FortiGate ................................................................................................................................................... 4
RADIUS Accounting Listener ................................................................................................................. 4
RADIUS Accounting from FortiAP ......................................................................................................... 6
RADIUS Group Matching ....................................................................................................................... 7
Microsoft Network Policy Server (NPS) .................................................................................................... 9
Remote RADIUS Server Groups............................................................................................................. 9
RADIUS Connection Request Policy .................................................................................................... 11
RADIUS Network Policy ....................................................................................................................... 15
RADIUS Single Sign-On (RSSO) Verification................................................................................................. 24
Firewall User Monitor ............................................................................................................................. 24
RADIUS Daemon ..................................................................................................................................... 25
Packet Captures ...................................................................................................................................... 25
Page 2
RSSO with Microsoft NPS
Introduction
The purpose of this guide is to provide a known working configuration of RADIUS single sign-on using the
following components:




FortiGate (FortiOS 5.2.3)
Windows Network Policy Server (Windows Server 2008 R2)
FortiAP (v5.0-build0086)
Windows laptop supporting 802.1X wireless authentication
This guide assumes that you have a working wireless authentication infrastructure as configuring that
using the referenced components above is out of the scope of this document. This guide also assumes
that Virtual Domains are not enabled on the FortiGate.
Audience
This guide is written for the network and security administrators that have intermediate expertise in the
following domains:




Microsoft Windows Server Administration
FortiOS
Access Points (AP)
Windows OS
RADIUS Single Sign-On (RSSO) Overview
What is Single Sign-On?
Single sign-on (SSO) is a property of access control of multiple related, but independent software
systems. With this property a user logs in once and gains access to all systems without being prompted
to log in again at each of them. (Reference: http://en.wikipedia.org/wiki/Single_sign-on)
In the case of FortiGate, it means harnessing a previous authentication attempt (i.e. an Active Directory
domain log on, 802.1X wireless authentication, etc.) to reconcile IP addresses to a username as well as
assign privilege to a user without prompting authentication from the client.
RSSO Use Case
In a traditional Microsoft Active Directory wired environment, users log into their machines and have
their logon attempt validated by the domain controller. The domain controller is polled for that logon
event and that information is sent to the FortiGate to record the IP address, username and group
information associated with that event. Typically, that IP address is assigned to that host (either via a
static IP address or an extended DHCP lease time) that does not change. However, as wireless is being
adopted more frequently in the enterprise environment for both company owned and Bring Your Own
Device (BYOD) assets, this traditional method of single sign-on is not as effective.
When a host has both a wired and wireless connection available to them, it typically makes the
authentication request via its more preferred interface (typically wired). The IP address associated with
that interface is what is sent to the FortiGate. However, when a user disconnects from the wired
connection (i.e. via undocking the laptop, link failure from the network card, etc.), the FortiGate has no
Page 3
RSSO with Microsoft NPS
knowledge of the wireless interface IP address and therefore, the user is no longer authenticated to the
firewall. The user could go through the cumbersome task of signing out of their desktop and re-signing
in (to make the authentication request from their wireless IP), however this is not preferred.
RSSO bridges this gap by harnessing the wireless authentication (802.1X) request from the RADIUS
server authenticating that request via RADIUS accounting. Essentially RADIUS accounting captures valid
logon information which identifies when a valid session starts and ends. In this deployment, the
FortiGate wireless controller forwards its accounting packets to the RADIUS server who then injects
those packets to the RSSO agent listening on the FortiGate.
Authentication Flow
1.
2.
3.
4.
5.
6.
7.
Host authenticates to wireless AP via 802.1X
AP validates user credentials from host at RADIUS server
RADIUS servers authorizes user for access and sends request back to AP to allow connection
AP allows host to establish wireless connection
WLC (FortiGate) sends accounting packets to RADIUS server
RADIUS server proxies those accounting packets and forwards it to the FortiGate
FortiGate registers authentication via received accounting packets
RADIUS Single Sign-On (RSSO) Configuration
There are three main components to be configured to support this functionality. The steps in this guide
will be specific to the FortiGate, FortiAP and Windows Server 2008 R2 NPS, however can be adapted to
other solutions as long as they support the required set of features.
FortiGate
The FortiGate serves as the wireless controller (WLC) for the FortiAP and the centralized authentication
point for hosts on the network. There are three components of configuration:
1. RSSO Accounting Listener
*Please Note: The FortiGate listens on port 1813 for accounting packets.*
2. RADIUS Accounting
3. RSSO Group creation based on attribute sent in RADIUS accounting packets
At the conclusion of this section, the FortiGate will be listening for accounting messages from an
external RADIUS server as well as send accounting packets when the FortiAP authenticates a user via
802.1X. Also, there will be a new user RSSO group that can be used with identity based policies on the
FortiGate firewall policies.
RADIUS Accounting Listener
1. Log into the FortiGate with Administrator credentials
2. Click on “User & Device | Authentication | Single Sign-On”
Page 4
RSSO with Microsoft NPS
Figure 1. – Screenshot of WebGUI displaying “Single Sign-On” configuration
3. Click “Create New”
Figure 2. – Screenshot of “Single Sign-On” configuration page
*Please Note: The existing Single Sign-On entries are not used for the purposes of this
document*
Page 5
RSSO with Microsoft NPS
4. Under the “New Single Sign-On Server” section:
a. Select “RADIUS Single-Sign-On Agent”
b. Check “Use RADIUS Shared Secret”
c. Populate the “Shared Secret” with that of the NPS
d. Check “Send RADIUS Responses”
e. Click “OK”
Figure 3. – Screenshot of “New Single Sign-On Server” configuration page
5. Connect to the CLI of the FortiGate with an administrative user
6. Modify the “RSSO Agent” configuration with the RADIUS attribute that will be used from the AP
to denote username:
config user radius
edit "RSSO Agent"
set rsso enable
set rsso-radius-response enable
set rsso-validate-request-secret enable
set rsso-secret ENC
uq7eceRhIZ1qkPIpmdZq1rfZabcJu/E6LH4aZqkgRZO8bxkEZoFh5LeRfVr4NrTk66SxS5gYHjc
n/owXrRXVCtlWET+i05cRi+q/APdtgfWUSYLNWwzyg1esGanr2tnPg/ew3zTwq95PCItH5G
dH6Zan9ARzv0mcbZ6zVOYlrwJ+EDPn+UN29x5+tb/9pLc7McNhjQ==
set rsso-endpoint-attribute User-Name
next
end
*Please note: The RADIUS attribute used by FortiAP to denote user is “User-Name”. Please
check your AP vendor’s specific documentation to find out their corresponding attribute for
this field in their RADIUS accounting packets.*
RADIUS Accounting from FortiAP
1. Log into the CLI of the FortiGate
2. Modify the existing RADIUS server used for 802.1X authentication to send accounting packets
for any connection that uses that server:
Page 6
RSSO with Microsoft NPS
config user radius
edit "localnet-RAD"
set server "10.0.23.5"
set secret ENC
L0weOHdu2c6EphF1QBlR65DcMeU1UTHprM6IMtt1J0tTJc48WNpB7xCGm/pTo1oSL8VM
PalPC6/Fs02Jb/rF+Pq9vhiLNxcOSGAfSNiNrZAmuBdmJbdixjgjFrHd5yRRCvCfay5ppJ0byxQ
UOEaWYYtxsHcRZEQvYAc3c6vKyW6sqhlHiyy5zurJ4K92DKgSX3iuMg==
set auth-type ms_chap_v2
config accounting-server
edit 1
set status enable
set server "10.0.23.5"
set secret ENC
7P0tU/qGCV+ZpQSTSBa4OMKjAXeAoyPC3SuOodtdE7EnFg+AqzP6xssMOUeR4LvGjGz0
AtZcgmKUvELSIalskQJi7csfoJiZr5iv+swapPrWlOmR0Y+bJ5OgBfg6M8bqJ5km4XamCvld
A7aau1t4e2mQ6KR6J3nwcJVtp5kbzh70fEcV4g/+NZ6aNgVbUriHNKHbtg==
next
end
next
end
*Please Note: The accounting packets are sent to port 1813 of the specified server*
RADIUS Group Matching
The identity based policies can be used to provide access through the FortiGate via the attribute
matched by this group.
1. Log into the WebGUI with administrative credentials
Page 7
RSSO with Microsoft NPS
2. Click on “User & Device | User | User Groups”
Figure 4. – Screenshot of “User Groups” in WebGUI
3. Click “Create New”
Figure 5. – Screenshot of “User Groups”
4. In the Edit User Group Page:
a. Type in a “Name” for the user group
b. Select “RADIUS Single Sign-On (RSSO)” as type
c. Type in “RADIUS Attribute Value” for the group
d. Click “OK”
Figure 6. – Screenshot of “Edit User Group” page
Page 8
RSSO with Microsoft NPS
Microsoft Network Policy Server (NPS)
The Microsoft NPS provides the authentication and proxy accounting functionality in this environment.
When users authenticate for access to the AP, the NPS will also respond with a RADIUS attribute that
contains the specific class (group) that the user belongs to. This attribute can be used to create identity
based policies which govern the access of that user based on that group rather than IP address alone.
At the end of this section, the NPS will be configured to:
1. Authenticate users and return the correct attribute based on Windows group
2. Forward RADIUS accounting packets to the FortiGate for RSSO
Remote RADIUS Server Groups
1. In the “Network Policy Server” click “NPS (Local) | RADIUS Clients and Servers”
2. Right-Click “Remote RADIUS Server Groups” | Select “New”
Figure 7. – Screenshot of NPS RADIUS Server Group
3. Type in a “Group Name” | Click “Add”
Figure 8. – Screenshot of “RADIUS Server Group” dialog box
Page 9
RSSO with Microsoft NPS
4. Under the “Address” tab, put in the IP address of the FortiGate
Figure 9 – Screenshot of “Add RADIUS Server” dialog box
Page 10
RSSO with Microsoft NPS
5. Click on the “Authentication/Accounting” tab
a. Un-check “Use the same shared secret for authentication and accounting” in the
Accounting section
b. Type in the “Shared Secret”
c. Check “Forward network access server start and stop notifications to this server”
d. Click “OK”
Figure 10. – Screenshot of “RADIUS Server” dialog box
RADIUS Connection Request Policy
1. In the Network Policy Server
a. Right-Click “Policies | Connection Request Policy”
b. Select “New”
Page 11
RSSO with Microsoft NPS
2. Provide “policy name” | Click “Next”
Figure 11. – Screenshot of “New Connection Request Policy” Wizard
Page 12
RSSO with Microsoft NPS
3. Under the Conditions Page | Click “Add”
Figure 12. – Screenshot of “Specify Conditions” dialog
4. In the “Select Conditions” dialog:
a. Select “Day and Time Restrictions”
b. Click “Add”
Figure 13. - Screenshot of “Select Condition” dialog
Page 13
RSSO with Microsoft NPS
5. Choose all time periods | Click “ Permitted” | Click “OK”
Figure 14. - Screenshot of “Day and time restrictions”
6. Click “Next”
7. In the “Specify Connection Request Forwarding” dialog
a. Click “Accounting”
b. Check the “Forward accounting requests to this remote RADIUS server group”
c. Select the FortiGate accounting group created from the drop down box
d. Click “Next”
Figure 15. – Screenshot of “Specify Connection Request Forwarding” dialog
8. On the “Specify Authentication Methods” page, Click “Next”
Page 14
RSSO with Microsoft NPS
9. On the “Configure Settings” page, Click “Next”
10. On the “Completing Connection Request Policy Wizard” page, click “Finish”
RADIUS Network Policy
1. In the Network Policy Server
a. Click on “Policies”
b. Right-Click “Network Policies”
c. Click “New”
Figure 16. – Screenshot of NPS “Network Policies”
Page 15
RSSO with Microsoft NPS
2. Type a “Policy name” | Click “Next”
Figure 17. – Screenshot of “Specify Network Policy Name” dialog box
Page 16
RSSO with Microsoft NPS
3. In the “Specify Conditions” dialog box | Click “Add”
Figure 18. – Screenshot of the “Specify Conditions” dialog box
4. In the “Select condition” dialog box, choose “User Groups” | Click “Add”
Figure 19. – Screenshot of the “Select condition” dialog box
5. Click “Add Groups”
Page 17
RSSO with Microsoft NPS
6. Type in the security group that the users are a member of (i.e. Domain Admins) | Click “OK” |
Click “OK”
Figure 20. - Screenshot of the “Select Group” dialog box
7. Click “Next”
Page 18
RSSO with Microsoft NPS
8. In the “Specify Access Permission” | Select “Access granted” | Click “Next”
Figure 21. – Screenshot of “Specify Access Permission” dialog
Page 19
RSSO with Microsoft NPS
9. In the “Configure Authentication Methods” dialog:
a. In the EAP Section, click “add”
b. Select “Microsoft: Protected EAP (PEAP)”
c. Click “OK”
d. Click “Next”
Figure 22. – Screenshot of “Configure Authentication Methods” dialog box
10. In the “Configure Constraints” dialog | Click “Next”
Page 20
RSSO with Microsoft NPS
11. In the “Configure Settings” dialog:
a. Under “RADIUS Attributes” | Select “Standard”
b. Click “Add”
Figure 23. – Screenshot of “Configure Settings” dialog
Page 21
RSSO with Microsoft NPS
12. In the “Add Standard RADIUS Attribute” dialog:
a. Select the “Class” attribute
b. Click “Add”
Figure 24. – Screenshot of “Add Standard RADIUS Attribute” dialog
13. In the “Attribute Information” dialog:
a. Choose “String” for the “attribute value in:”
b. Type the name of the attribute to be matched for the group (i.e. unrestricted)
c. Click “OK”
Figure 25. – Screenshot of “Attribute Information” dialog
14. Click “Close”
15. Verify the following attributes set
Page 22
RSSO with Microsoft NPS
Figure 26. – Screenshot of “Configure Settings” dialog
16. Click “Finish” on the “Completing New Network Policy” summary page
Page 23
RSSO with Microsoft NPS
Figure 27. – Screenshot of “Completing New Network Policy” summary
RADIUS Single Sign-On (RSSO) Verification
To verify correct configuration of these parameters, there are a few methods to validate successful
logons via RSSO. Those methods are:



Firewall User Monitor via FortiGate WebGUI
RADIUS Daemon Test via FortiGate CLI
Packet Captures
Verification methods for Windows Network Policy Server is out of the scope of this document.
Firewall User Monitor
The Firewall user monitor provides a snapshot of the active authentication sessions registered with the
FortiGate. To access this in the FortiGate GUI:
1. Log into the FortiGate WebGUI with administrative credentials
Page 24
RSSO with Microsoft NPS
2. Click on “User & Device | Monitor | Firewall”
Figure 28. – Screenshot of Firewall user monitor in FortiGate WebGUI
RADIUS Daemon
The RADIUS daemon provides access to debug level information about RSSO logons. To access this
information:
1. Log into the FortiGate CLI with administrative credentials
2. Execute the following command:
# diag test application radius 3
This returns the following output:
"index","time left","ip","endpoint","block status","log status","profile group","ref count","use default
profile"
1,07:54:35,"172.16.230.2","LOCALNET\rsso_user","allow","no log","restricted",1,No
A list of all options associated with this command can be obtained by running the following command:
diag test application radius <enter>
Packet Captures
Packet captures allow you to verify at the wire that all proper parameters are being passed containing
the information necessary for correction operation of this feature. Below is a snippet of packets
obtained from the interface attached to the RSSO Proxy:
Page 25
RSSO with Microsoft NPS
Figure 29. – Screenshot of RADIUS accounting START packet with all required information
For more information on how to use packet captures on the FortiGate, consult the following Fortinet
knowledgebase articles:
How to create a packet capture using the built-in GUI tool
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD35380
Troubleshooting Tool : Using the FortiOS built-in packet sniffer
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=11186
Page 26
RSSO with Microsoft NPS
Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.