Security

Hi,

 

We have installed Fortigate 600C firewall. It needs Radius Start and Stop notifications to allow users to pass-thru who are already authenticated using 802.1x authentication against our NPS server.

I read on a forum on microsoft which says that we have to configure NAS in a way that it generates notifications. In our case our controllers 3400 are NAS.

 

My question is how we can set controllers to send Start-Accounting and Stop-Accounting notifications to Fortigate firewall having IP address of 192.168.100.254?

 

Following is the link where I read that NAS needs to be configured to send notifications:

 

http://social.technet.microsoft.com/Forums/windowsserver/en-US/c1fbccce-539f-4556-be97-2c36b83c5d2f/nps-not-forwarding-radius-startstop-notifications?forum=winserverNIS&prof=required

#3400

Add the fortinet as a radius server in the controller. Then add it to a new server group.

In your AAA profile, under radius accounting, select the fortinet server group.

If there are two servers I need accounting messages/notifications to send
to, can I add multiple servers and will it be sent to multiple fortinet
firewalls?

Farzan Qureshi
------------------
Network Administrator & Helpdesk support
Rosmini College

--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager (
admin@rosmini.school.nz). Please note that any views or opinions presented
in this email are solely those of the author and do not necessarily
represent those of the company. Finally, the recipient should check this
email and any attachments for the presence of viruses. Rosmini College
accepts no liability for any damage caused by any virus transmitted by this
email.

You need AOS 6.4 or higher to send accounting data to multiple servers. If you are already on 6.4, check the Multiple RADIUS accounting servers check box in the AAA profile.

I am running 6.3.1.8. I will update the code version and will give it a go.

 

Thanks for your help.

One more quick question.

 

Just for testing I have done what you have suggested. I can see users are establishing on Fortinet firewall. However under username the mac address of the client appears. Is it something we need to change on our NPS or on Aruba controller? If should send the actual usernames of the clients, isn't it?

Any ideas please? I am getting devices mac addresses instead of usernames.

Are you doing user auth or computer auth with radius?

User auth. On controller usersIDs appear under username.

Farzan Qureshi
------------------
Network Administrator & Helpdesk support
Rosmini College

--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager (
admin@rosmini.school.nz). Please note that any views or opinions presented
in this email are solely those of the author and do not necessarily
represent those of the company. Finally, the recipient should check this
email and any attachments for the presence of viruses. Rosmini College
accepts no liability for any damage caused by any virus transmitted by this
email.

Hi,

 

I have solved it. I have changed RSSO attribute to read Usern-Name instead of Calling-Station-Id on our Fortinet 600C firewall.

 

First I have set accounting server on Aruba controller 3400 under AAA profile.

 

And this is how I have done on Fortinet:

 

config user radius

get RSSO_Agent

edit RSSO_Agent

set rsso-endpoint-attribute User-Name

 

This may help others too.