Tuesday, 18 June 2019

How-to: Inject RADIUS logons to a FortiGate to test RSSO

This post will go through the steps required to send Logon/Logoff RADIUS accounting packets to a FortiGate and a Collector Agent to update it's RSSO table. This can be useful when integrating with third party systems where a script can be used to convert logons from multiple third party systems to a RADIUS logon to the FortiGate/Collector Agent.

The blog will be broken into the following steps:

  1. Install FreeRADIUS
  2. Enable RADIUS accounting on FortiGate interface
  3. Create RSSO Agent on FortiGate
  4. Create RSSO Groups on FortiGate
  5. Run test against FortiGate
  6. Enable RADIUS accounting on Collector Agent
  7. Run test on Collector Agent

1. Install FreeRADIUS Client

We will need to use the RADIUS client (radclient) for injecting RADIUS packets. This client comes part of FreeRADIUS so we'll install that first.

To install on Debian/Ubuntu type:

sudo apt install freeradius

2. Enable RADIUS accounting on FortiGate interface

Log into your FortiGate and goto Network > Interfaces then edit the interface that you'll be sending the RADIUS packets to.

Enable RADIUS Accounting under Administrative Access and click OK to save.


3. Create RSSO Agent on FortiGate

On the FortiGate goto Security Fabric > Fabric Connectors and click Create New

Select RADIUS Single Sign-On Agent. Give it a name of RSSO_Agent, select Use RADIUS Shared Secret and enter a password (will be password in this example), lastly enable Send RADIUS Responses. Save the configuration.


4. Create RSSO Groups on FortiGate

On the FortiGate goto User & Device > User Groups and create a new user group using the following:

Name:   SalesTeam
Type:   RADIUS Single Sign-On (RSSO)
RADIUS Attribute Value:   Sales


Click OK to save and repeat for all the groups you want to manage. Of course substitute the name and RADIUS Attribute values for what's used in your organisation.

5. Run test against FortiGate

Login to your server running FreeRADIUS and enter the following command:

echo "Calling-Station-ID="ESTARK",Framed-IP-Address="10.12.12.1",Class="SALES",Acct-Status-Type=Start" | radclient -q 192.168.160.1 acct password

Modify the command with the the following

Calling-Station-ID: This will be your username
Framed-IP-Address: This will be the computer's IP address
Class: This will be the usergroup
Acct-Status-Type: This will be either a logon ('Start') or logoff ('Stop') event
-q: Enter the FortiGate's IP address after the -q (ie: 192.168.160.1 in this example)
acct: Enter the RADIUS password to the FortiGate (password in this example).

Once you've sent off the RADIUS request log back into the FortiGate and goto Monitor > Firewall User Monitor and select Show all FSSO Logons.

You should now see the FGT has registered the logon event and mapped the user ESTARK belonging to the Sales usergroup to the IP of 10.12.12.1. You can see that the sign on method detected was also RADIUS Single Sign On.



 To logoff the user send the same command as before but replace Acct-Status-Type with 'Stop'. IE:

echo "Calling-Station-ID="ESTARK",Framed-IP-Address="10.12.12.1",Class="SALES",Acct-Status-Type=Stop" | radclient -q 192.168.160.1 acct password

6. Enable RADIUS accounting on Collector Agent

Log into your Windows server with the FSSO Collect Agent installed and select Advanced


Select the RADIUS Accounting tab and enable the RADIUS accounting server. Enter the password we configured previously and your domain name. Click OK to save.


7. Run test on Collector Agent

 Run the radclient command once again, remember to change the IP address to now point to your FSSO server instead of your FortiGate.

echo "Calling-Station-ID="ESTARK",Framed-IP-Address="10.12.12.1",Class="SALES",Acct-Status-Type=Start" | radclient -q 10.1.1.10 acct password


As you can see the FSSO agent can now see the client user and user groups. These will in turn be pushed to all the FortiGate's talking to the FSSO Collector agent. One thing to note, when sending RADIUS attributes to the FSSO Collector agent you don't need to specify the group name, only username and IP. The Collector agent does a lookup using the username and automatically determines the groups that user belongs to. As you can see above it also mapped the user to the Domain Users group.

No comments: