Fortigate – RSSO

When using third party wireless access points the Fortinet WSSO (wireless single-sign-on) won’t be any use as authentication bypasses the Fortigate completely. In these cases RSSO (Radius Single-Sign-On) may be useful. The access point (NAS) sends access requests directly to the radius server but sends accounting requests to the Fortigate. One thing to keep in mind is that the NAS must be capable of sending both the Framed-IP-address and Class attributes for RSSO to work.

Lets get started…

First create the RSSO agent:

User&Device —> Authentication —> Single sign on


Next create the RSSO user groups, the Radius Attribute value is the value returned in the Class attribute by the NAS

User&Device —> User —> User groups


Now make sure the interface on which the NAS resides will be listening for accounting packets.

Create an identity based firewall policy using the RSSO groups.


Now make sure you see the RSSO entries populate under User&Device –> Monitor —> Firewall

Note that the default endpoint attribute is Calling-Station-Id so the MAC address shows up under User Name, this can be changed via CLI:

#config user radius
#edit RSSO_agent
#set rsso-endpoint-attribute User-Name


The default SSO attribute for Group is the Class attribute, if this causes issues when using NPS it can also be changed via CLI:

#config user radius
#edit RSSO_agent
#set sso-attribute Filter-Id


Troubleshoot at CLI to make sure the Fortigate is receiving the required attributes for RSSO to work:

#diag debug application radiusd -1
#diag debug enable

You should see a line like:

DB 0 insert [ep='aa-bb-cc-dd-ee-aa' pg='UnrestrictedAccess' ip=''] success


Leave a Reply