FortiGate
gfranceschi
Staff
Article Id 195229
Description
This article explains how to manage the duration of RSSO authentication and sessions.

The example is based on FortiOS v5.4.2 and shows, step by step, the configuration and troubleshooting of the parameters 'rsso-context-timeout' and 'rsso-flush-ip-session'.

Scope
RSSO, FortiOS v5.2, FortiOS v5.4

RSSO parameters:
rsso-context-timeout: Timeout value for RADIUS server database entries (0 = infinite).
rsso-flush-ip-session: Enable/disable flush user IP sessions on RADIUS accounting stop.

Solution

The RADIUS accounting server sends Accounting packets to the FortiGate to signal when a user authentication starts or stops (and optionally sends interim update information).

Accordingly, the FortiGate allows or denies user traffic.

Configuration

 config system interface
    edit "mgmt1"
        set vdom "root"
        set ip 10.134.3.56 255.255.240.0
        set allowaccess ping https ssh http telnet radius-acct
        set type physical
        set role lan
        set snmp-index 12
    next
end

 config system interface
    edit "port1/1"
        set vdom "root"
        set ip 10.5.19.56 255.255.240.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set snmp-index 1
    next
end

 config router static
    edit 1
        set gateway 10.5.31.254
        set device "port1/1"
    next
end

 config user radius
    edit "RadiusRsso"
        set rsso enable
        set rsso-secret ENC F7bLsgPVrWICS5RHAo+TGsVTiPMGvhPlZRGmfghV7mU+xHhM0hoTljQQWWwvD10NXrcv84owjyenbS4PxOZxqHnKLP+6xDRHmgKdiIJz3n5hgm2EUET2XokE3bftmqBc/mRYFJgEUrTm8JUxw/asoDT6O1bP9AiRYtIdAV+c1Lo7OfZ2jIE19WpA/UadeN2qYxazXw==
        set rsso-context-timeout 120 (2 min for test purposes; the default value is 28800 sec, i.e. 8 hours, in 5.4.2)
    next
end

 config user group
    edit "SSO_Guest_Users"
    next
    edit "Guest-group"
        set member "guest"
    next
    edit "Group0"
        set group-type rsso
        set sso-attribute-value "Group0"
    next
    edit "Group1"
        set group-type rsso
        set sso-attribute-value "Group1"
    next
    edit "Group2"
        set group-type rsso
        set sso-attribute-value "Group2"
    next
end

 config firewall policy
    edit 1
        set uuid cfdcb6b4-bb08-51e6-8df6-946f5b8bb2aa
        set srcintf "mgmt1"
        set dstintf "port1/1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    edit 2
        set uuid d04476c8-bb08-51e6-71e7-a00a58ac0b91
        set srcintf "mgmt1"
        set dstintf "port1/1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SSH"
        set utm-status enable
        set logtraffic all
        set groups "Group0"
        set nat enable
    next
    edit 3
        set uuid d0d0d9ec-bb08-51e6-4b8c-f71e885838ff
        set srcintf "mgmt1"
        set dstintf "port1/1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
        set utm-status enable
        set logtraffic all
        set groups "Group1"
        set nat enable
    next
end

Verification

Testing rsso-context-timeout parameter

1) rsso-context-timeout will expire in 2 min as per the current setup (the FortiGate default is 8 hours).

Activate debug.
FG-5KD3915xxxxxx # diagnose test application radiusd 33
2016-12-07 10:50:20 RADIUS server database [vd root]:
2016-12-07 10:50:20  ** no entries **
2016-12-07 10:50:20
FG-5KD3915xxxxxx # diagnose debug application radiusd -1
FG-5KD3915xxxxxx # dia debug enable
FG-5KD3915xxxxxx # diagnose sniffer packet mgmt1 "port 1813" 6
interfaces=[mgmt1]
filters=[port 1813]

Receive a Radius Start Accounting packet.
2016-12-07 10:51:57 Received radius accounting event11.814318 mgmt1 -- 10.134.9.230.53279 -> 10.134.3.56.1813: udp 59
vd 0:root Add/Update auth logon for IP 10.134.9.208 for user 33471995584

0x0000   085b 0ecc 31ec 0050 5601 671e 0800 4500        .[..1..PV.g...E.
0x0010   0057 69fc 0000 8011 ae70 0a86 09e6 0a86        .Wi......p......
0x0020   0338 d01f 0715 0043 1753 0415 003b b117        .8.....C.S...;..
0x0030   11be 9b6e a79c 388e 7c43 f5c6 871e 2806        ...n..8.|C....(.
0x0040   0000 0001 2c06 3330 3536 1908 4772 6f75        ....,.3056..Grou
0x0050   7030 1f0d 3333 3437 3139 3935 3538 3408        p0..33471995584.
0x0060   060a 8609 d0                                   .....

2016-12-07 10:51:57 DB 0 insert [ep='33471995584' pg='Group0' ip='10.134.9.208'] success
^C
1 packets received by filter
0 packets dropped by kernel

The packet is reflected in the FortiGate RSSO database.
FG-5KD3915xxxxxx # diagnose test application radiusd 33
2016-12-07 10:52:07 RADIUS server database [vd root]:
2016-12-07 10:52:07 "index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
2016-12-07 10:52:07 1,1481104317,00:01:50,"10.134.9.208","33471995584","allow","no log","Group0",1,No
2016-12-07 10:52:07

FG-5KD3915xxxxxx # diagnose test application radiusd 33
2016-12-07 10:53:54 RADIUS server database [vd root]:
2016-12-07 10:53:54 "index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
2016-12-07 10:53:54 1,1481104317,00:00:03,"10.134.9.208","33471995584","allow","no log","Group0",1,No
2016-12-07 10:53:54

FG-5KD3915xxxxxx # 2016-12-07 10:53:58 DB 0 remove IP entry [ep='33471995584' pg='Group0' ip='10.134.9.208'] timeout
2016-12-07 10:53:58 vd 0:root Remove auth logon for IP 10.134.9.208 for user 33471995584

rsso-context-timeout has expired, so the user is removed from the FortiGate RSSO database.
FG-5KD3915xxxxxx # diagnose test application radiusd 33
2016-12-07 10:54:39 RADIUS server database [vd root]:
2016-12-07 10:54:39  ** no entries **
2016-12-07 10:54:39

2) Reset the rsso-context-timeout timer by sending an Interim Accounting Radius Packet

FG-5KD3915xxxxxx # diagnose test application radiusd 33
2016-12-07 11:12:17 RADIUS server database [vd root]:
2016-12-07 11:12:17  ** no entries **
2016-12-07 11:12:17

Receive a Radius Start Accounting packet.
FG-5KD3915xxxxxx # diagnose sniffer packet mgmt1 "port 1813" 6
interfaces=[mgmt1]
filters=[port 1813]
2016-12-07 11:12:31 Received radius accounting event10.098152 mgmt1 -- 10.134.9.230.55827 -> 10.134.3.56.1813: udp 59
0x0000   085b 0ecc 31ec 0050 5601 671e 0800 4500        .[..1..PV.g...E.
0x0010   0057 6b0d 0000 8011 ad5f 0a86 09e6 0a86        .Wk......_......
0x0020   0338 da13 0715 0043 8645 0416 003b 2ff4        .8.....C.E...;/.
0x0030   2c14 d2f2 9d3d 7fd2 ba5c 3640 8208 2806        ,....=...\6@..(.
0x0040   0000 0001 2c06 3330 3536 1908 4772 6f75        ....,.3056..Grou
0x0050   7030 1f0d 3333 3437 3139 3935 3538 3408        p0..33471995584.
0x0060   060a 8609 d0                                   .....
 2016-12-07 11:12:31 DB 0 insert [ep='33471995584' pg='Group0' ip='10.134.9.208'] success
^C
1 packets received by filter
0 packets dropped by kernel

The FortiGate RSSO database is updated.
FG-5KD3915xxxxxx # diagnose test application radiusd 33
2016-12-07 11:12:38 RADIUS server database [vd root]:
2016-12-07 11:12:38 "index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
2016-12-07 11:12:38 1,1481105551,00:01:53,"10.134.9.208","33471995584","allow","no log","Group0",1,No
2016-12-07 11:12:38

FG-5KD3915xxxxxx # diagnose test application radiusd 33
2016-12-07 11:13:22 RADIUS server database [vd root]:
2016-12-07 11:13:22 "index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
2016-12-07 11:13:22 1,1481105551,00:01:09,"10.134.9.208","33471995584","allow","no log","Group0",1,No
2016-12-07 11:13:22

FG-5KD3915xxxxxx # diagnose test application radiusd 33
2016-12-07 11:13:43 RADIUS server database [vd root]:
2016-12-07 11:13:43 "index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
2016-12-07 11:13:43 1,1481105551,00:00:48,"10.134.9.208","33471995584","allow","no log","Group0",1,No
2016-12-07 11:13:43

Receive a Radius Interim Accounting packet.
FG-5KD3915xxxxxx # diagnose sniffer packet mgmt1 "port 1813" 6
interfaces=[mgmt1]
filters=[port 1813]
2016-12-07 11:13:58 Received radius accounting event2016-12-07 11:13:58 7.334169 mgmt1 -- 10.134.9.230.54721 -> 10.134.3.56.1813: udp 59
DB 0 update [ep='33471995584' pg='Group0' ip='10.134.9.208'] success
0x0000   085b 0ecc 31ec 0050 5601 671e 0800 4500        .[..1..PV.g...E.
0x0010   0057 6b18 0000 8011 ad54 0a86 09e6 0a86        .Wk......T......
0x0020   0338 d5c1 0715 0043 af3f 0417 003b 7169        .8.....C.?...;qi
0x0030   5175 f232 7373 943a 0519 f64e e1dd 2806        Qu.2ss.:...N..(.
0x0040   0000 0003 2c06 3330 3536 1908 4772 6f75        ....,.3056..Grou
0x0050   7030 1f0d 3333 3437 3139 3935 3538 3408        p0..33471995584.
0x0060   060a 8609 d0                                   .....
^C
1 packets received by filter
0 packets dropped by kernel

The timer is restarted in the FortiGate RSSO database, i.e. set back to its initial value of 2 minutes.
FG-5KD3915xxxxxx # diagnose test application radiusd 33
2016-12-07 11:14:05 RADIUS server database [vd root]:
2016-12-07 11:14:05 "index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
2016-12-07 11:14:05 1,1481105638,00:01:53,"10.134.9.208","33471995584","allow","no log","Group0",1,No
2016-12-07 11:14:05

3) Send a Stop Accounting Radius Packet to remove user from authentication

The user is authenticated in the FortiGate RSSO database.
FG-5KD3915xxxxxx # diagnose test application radiusd 33
2016-12-07 11:14:31 RADIUS server database [vd root]:
2016-12-07 11:14:31 "index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
2016-12-07 11:14:31 1,1481105638,00:01:27,"10.134.9.208","33471995584","allow","no log","Group0",1,No
2016-12-07 11:14:31

Receive a Radius Stop Accounting packet.
FG-5KD3915xxxxxx # diagnose sniffer packet mgmt1 "port 1813" 6
interfaces=[mgmt1]
filters=[port 1813]
2016-12-07 11:14:41 Received radius accounting event2016-12-07 11:14:41 7.057849 mgmt1 -- 10.134.9.230.63642 -> 10.134.3.56.1813: udp 59
0x0000   085b 0ecc 31ec 0050 5601 671e 0800 4500        .[..1..PV.g...E.
0x0010   0057 6b1e 0000 8011 ad4e 0a86 09e6 0a86        .Wk......N......
0x0020   0338 f89a 0715 0043 1e2d 0418 003b 5d9a        .8.....C.-...;].
0x0030   c898 8cf6 a69a a505 048f cd33 37b2 2806        ...........37.(.
0x0040   0000 0002 2c06 3330 3536 1908 4772 6f75        ....,.3056..Grou
0x0050   7030 1f0d 3333 3437 3139 3935 3538 3408        p0..33471995584.
0x0060   060a 8609 d0                                   .....
2016-12-07 11:14:41 DB 0 remove by IP [ep='33471995584' pg='Group0' ip='10.134.9.208'] success
^C
1 packets received by filter
0 packets dropped by kernel

The user is removed from the FortiGate RSSO database.
FG-5KD3915xxxxxx # diagnose test application radiusd 33
2016-12-07 11:14:47 RADIUS server database [vd root]:
2016-12-07 11:14:47  ** no entries **
2016-12-07 11:14:47

If the RADIUS server is configured to send Interim packets, each one received by the FortiGate resets the authentication timeout counter. If a RADIUS Accounting Stop packet is lost, the user could remain authenticated in the FortiGate RSSO database for a long time.

4) Setting rsso-context-timeout to infinite (user authentication is then managed by RADIUS Accounting Start and Stop packets only)
FG-5KD3915xxxxxx # con user radius
FG-5KD3915xxxxxx (radius) # ed RadiusRsso
FG-5KD3915xxxxxx (RadiusRsso) # show
config user radius
    edit "RadiusRsso"
        set rsso enable
        set rsso-secret ENC HqbKDcEZ/fS/1FaX8IcWN/mLUqbgTwFi2614cqkTrCusw7Qfz3Yyc1kGIJg1VHuSFXGSoMwSeYcr97DAl4M5CsQVOR6umKUSYMhkEzguQhQr+za8NfKRKjHuvWi1xXGzI0I+yacmW0zjeVshA696Jd1VLBRahXrD2TshPPEl+PVAFXGjX94RESG8xaJLv5qfpL05NQ==
        set rsso-context-timeout 120
        set rsso-flush-ip-session enable
    next
end

FG-5KD3915xxxxxx (RadiusRsso) # set rsso-context-timeout 0
FG-5KD3915xxxxxx (RadiusRsso) # end

FG-5KD3915xxxxxx #
FG-5KD3915xxxxxx # ui config version changed
config change start
0: update vd root
server config 0 del
filled server 'RadiusRsso' for vdom 'root'
server config 0 add OK
if=mgmt1 interface is up to date (listen enabled)
Update config; timeout time 120 -> 0
db 0x142c0f90 removed timeout alarm
config change done

FG-5KD3915xxxxxx # diagnose  debug  application radiusd -1
FG-5KD3915xxxxxx #  diag de en

FG-5KD3915xxxxxx # Received radius accounting eventvd 0:root Add/Update auth logon for IP 10.134.9.208 for user 33471995584
DB 0 insert [ep='33471995584' pg='Group0' ip='10.134.9.208'] success

FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481270573,00:00:00,"10.134.9.208","33471995584","allow","no log","Group0",1,No

FG-5KD3915xxxxxx # Received radius accounting eventDB 0 update [ep='33471995584' pg='Group0' ip='10.134.9.208'] success

FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481270611,00:00:00,"10.134.9.208","33471995584","allow","no log","Group0",1,No

FG-5KD3915xxxxxx # Received radius accounting eventvd 0:root Remove auth logon for IP 10.134.9.208 for user 33471995584
DB 0 remove by IP [ep='33471995584' pg='Group0' ip='10.134.9.208'] success

FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
 ** no entries **

Testing rsso-flush-ip-session parameter

1) rsso-flush-ip-session is set to disable by default
FG-5KD3915xxxxxx # diagnose debug application radiusd -1
FG-5KD3915xxxxxx # di de en
FG-5KD3915xxxxxx #
FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
** no entries **

FG-5KD3915xxxxxx # diagnose sys session filter src 10.134.9.208
FG-5KD3915xxxxxx # diagnose sys session filter dport 22

The FortiGate receives a RADIUS Accounting Start packet.
FG-5KD3915xxxxxx # di sniffer packet mgmt1 "port 1813" 6
interfaces=[mgmt1]
filters=[port 1813]
Received radius accounting eventvd 0:root Add/Update auth logon for IP 10.134.9.208 for user 33471995584
5.872179 mgmt1 -- 10.134.9.230.56928 -> 10.134.3.56.1813: udp 59
0x0000   085b 0ecc 31ec 0050 5601 671e 0800 4500        .[..1..PV.g...E.
0x0010   0057 7c6e 0000 8011 9bfe 0a86 09e6 0a86        .W|n............
0x0020   0338 de60 0715 0043 67f4 041f 003b 79e7        .8.`...Cg....;y.
0x0030   99b5 c775 4194 4f22 3891 d3a0 60b0 2806        ...uA.O"8...`.(.
0x0040   0000 0001 2c06 3330 3536 1908 4772 6f75        ....,.3056..Grou
0x0050   7030 1f0d 3333 3437 3139 3935 3538 3408        p0..33471995584.
0x0060   060a 8609 d0                                   .....

DB 0 insert [ep='33471995584' pg='Group0' ip='10.134.9.208'] success
^C
1 packets received by filter
0 packets dropped by kernel

FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481130309,00:01:53,"10.134.9.208","33471995584","allow","no log","Group0",1,No

Receive a RADIUS Accounting Interim/Update packet.
FG-5KD3915xxxxxx # Received radius accounting eventDB 0 update [ep='33471995584' pg='Group0' ip='10.134.9.208'] success

FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481130369,00:01:01,"10.134.9.208","33471995584","allow","no log","Group0",1,No

User 10.134.9.208 issues SSH traffic.
FG-5KD3915xxxxxx # diagnose sys session list
session info: proto=6 proto_state=01 duration=19 expire=3587 timeout=3600 flags=00000010 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=33471995584 state=log may_dirty authed none acct-ext
statistic(bytes/packets/allow_err): org=1880/13/1 reply=3243/12/1 tuples=2
tx speed(Bps/kbps): 97/0 rx speed(Bps/kbps): 168/1
orgin->sink: org pre->post, reply pre->post dev=3->9/9->3 gwy=10.5.31.1/10.134.9.208
hook=post dir=org act=snat 10.134.9.208:49182->10.5.31.1:22(10.5.19.56:49182)
hook=pre dir=reply act=dnat 10.5.31.1:22->10.5.19.56:49182(10.134.9.208:49182)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00000550 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason:  non-npu-intf
total session 1

FortiGate receives a Radius Stop Accounting packet.
FG-5KD3915xxxxxx # di sniffer packet mgmt1 "port 1813" 6
interfaces=[mgmt1]
filters=[port 1813]
Received radius accounting eventvd 0:root Remove auth logon for IP 10.134.9.208 for user 33471995584

5.311304 mgmt1 -- 10.134.9.230.56930 -> 10.134.3.56.1813: udp 59
0x0000   085b 0ecc 31ec 0050 5601 671e 0800 4500        .[..1..PV.g...E.
0x0010   0057 7c71 0000 8011 9bfb 0a86 09e6 0a86        .W|q............
0x0020   0338 de62 0715 0043 abf8 0421 003b ecf2        .8.b...C...!.;..
0x0030   2b93 0308 ad8e 01ee a7b5 24e8 fcf9 2806        +.........$...(.
0x0040   0000 0002 2c06 3330 3536 1908 4772 6f75        ....,.3056..Grou
0x0050   7030 1f0d 3333 3437 3139 3935 3538 3408        p0..33471995584.

DB 0 remove by IP [ep='33471995584' pg='Group0' ip='10.134.9.208'] success
0x0060   060a 8609 d0                                   .....
^C
1 packets received by filter
0 packets dropped by kernel

The session still exists in the session table even though the user is no longer authenticated.
FG-5KD3915xxxxxx # diagnose sys session list
session info: proto=6 proto_state=01 duration=38 expire=3595 timeout=3600 flags=00000010 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=33471995584 state=log may_dirty authed none acct-ext
statistic(bytes/packets/allow_err): org=2256/15/1 reply=3391/14/1 tuples=2
tx speed(Bps/kbps): 19/0 rx speed(Bps/kbps): 7/0
orgin->sink: org pre->post, reply pre->post dev=3->9/9->3 gwy=10.5.31.1/10.134.9.208
hook=post dir=org act=snat 10.134.9.208:49182->10.5.31.1:22(10.5.19.56:49182)
hook=pre dir=reply act=dnat 10.5.31.1:22->10.5.19.56:49182(10.134.9.208:49182)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00000550 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason:  non-npu-intf
total session 1

FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
** no entries **

FG-5KD3915xxxxxx # diagnose sys session list
session info: proto=6 proto_state=01 duration=44 expire=3589 timeout=3600 flags=00000010 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=33471995584 state=log may_dirty authed none acct-ext
statistic(bytes/packets/allow_err): org=2256/15/1 reply=3391/14/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->9/9->3 gwy=10.5.31.1/10.134.9.208
hook=post dir=org act=snat 10.134.9.208:49182->10.5.31.1:22(10.5.19.56:49182)
hook=pre dir=reply act=dnat 10.5.31.1:22->10.5.19.56:49182(10.134.9.208:49182)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00000550 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason:  non-npu-intf
total session 1

2) rsso-flush-ip-session is set to enable
FG-5KD3915xxxxxx # con user radius
FG-5KD3915xxxxxx (radius) # show
config user radius
    edit "RadiusRsso"
        set rsso enable
        set rsso-secret ENC 0t78S+eT+ApUuQtwLyurKTMXuD93mwUREcuPW4EcncFhhz80JyFO9q2fdbNd9PEAvuXL1jp4bqYMmcm9+BJfBjUypKXzNk8RFuuzeZ4GsJWPmIjtEXN+gzCWcZG/1d/0cXAHFlOQNWQDzqijoAlY4BPDOH+EeRvGQHH/ggiLEZE8t3jnzi9uvZOGBipB00KkQzImKA==
        set rsso-context-timeout 120
    next
end

FG-5KD3915xxxxxx (radius) # edi RadiusRsso
FG-5KD3915xxxxxx (RadiusRsso) # get
name                : RadiusRsso
timeout             : 5
radius-coa          : disable
h3c-compatibility   : disable
username-case-sensitive: disable
class               :
password-renewal    : disable
rsso                : enable
rsso-radius-server-port: 1813
rsso-radius-response: disable
rsso-validate-request-secret: disable
rsso-secret         : *
rsso-endpoint-attribute: Calling-Station-Id
rsso-endpoint-block-attribute:
sso-attribute       : Class
sso-attribute-key   :
sso-attribute-value-override: enable
rsso-context-timeout: 120
rsso-log-period     : 0
rsso-log-flags      : protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
rsso-flush-ip-session: disable

FG-5KD3915xxxxxx (RadiusRsso) # set rsso-flush-ip-session enable
FG-5KD3915xxxxxx (RadiusRsso) # end

FG-5KD3915xxxxxx # ui config version changed
FG-5KD3915xxxxxx # config change start
0: update vd root
server config 0 del
filled server 'RadiusRsso' for vdom 'root'
server config 0 add OK
if=mgmt1 interface is up to date (listen enabled)
config change done

FG-5KD3915xxxxxx #
FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
** no entries **

The FortiGate receives a RADIUS Accounting Start packet and adds the user to the RSSO database.
FG-5KD3915xxxxxx # Received radius accounting eventvd 0:root Add/Update auth logon for IP 10.134.9.208 for user 33471995584
DB 0 insert [ep='33471995584' pg='Group0' ip='10.134.9.208'] success
FG-5KD3915xxxxxx #
FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481130565,00:01:56,"10.134.9.208","33471995584","allow","no log","Group0",1,No

User generates traffic.
FG-5KD3915xxxxxx # diagnose  sys session list
session info: proto=6 proto_state=01 duration=10 expire=3590 timeout=3600 flags=00000010 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=33471995584 state=log may_dirty authed none acct-ext
statistic(bytes/packets/allow_err): org=1824/13/1 reply=3711/12/1 tuples=2
tx speed(Bps/kbps): 178/1 rx speed(Bps/kbps): 364/2
orgin->sink: org pre->post, reply pre->post dev=3->9/9->3 gwy=10.5.31.1/10.134.9.208
hook=post dir=org act=snat 10.134.9.208:49183->10.5.31.1:22(10.5.19.56:49183)
hook=pre dir=reply act=dnat 10.5.31.1:22->10.5.19.56:49183(10.134.9.208:49183)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=000006a9 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason:  non-npu-intf
total session 1

FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481130565,00:01:33,"10.134.9.208","33471995584","allow","no log","Group0",1,No

The FortiGate receives a RADIUS Accounting Stop packet.
FG-5KD3915xxxxxx # Received radius accounting eventvd 0:root Remove auth logon for IP 10.134.9.208 for user 33471995584
DB 0 remove by IP [ep='33471995584' pg='Group0' ip='10.134.9.208'] success

Since rsso-flush-ip-session is enabled, the session is removed from the session table without waiting for the session to time out.
FG-5KD3915xxxxxx # diagnose  sys session list
total session 0
FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
** no entries **
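As an added example (not Fortinet code and not part of the original article), the Python below decodes the RADIUS-layer bytes of the three Accounting-Request packets captured in the sniffer dumps above (Start, Interim-Update, Stop) and replays them against a small model of the RSSO database and session table, reproducing the timer reset, the timeout removal, the infinite-timeout case and the session flush shown in the rsso-context-timeout and rsso-flush-ip-session tests. The RssoDb class, its timings and the session tuple are assumptions modelled on the article's output, not FortiOS internals.

```python
import struct
ATTR_NAMES = {8: "Framed-IP-Address", 25: "Class", 31: "Calling-Station-Id",
              40: "Acct-Status-Type", 44: "Acct-Session-Id"}   # RFC 2865/2866 types seen above
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
# RADIUS layer of the article's three sniffer dumps (bytes from offset 0x2a, after the
# Ethernet/IP/UDP headers); only the id, Request Authenticator and Acct-Status-Type differ.
ATTR_TAIL = "2c0633303536190847726f7570301f0d333334373139393535383408060a8609d0"
START_HEX = "0415003bb11711be9b6ea79c388e7c43f5c6871e280600000001" + ATTR_TAIL
INTERIM_HEX = "0417003b71695175f2327373943a0519f64ee1dd280600000003" + ATTR_TAIL
STOP_HEX = "0418003b5d9ac8988cf6a69aa505048fcd3337b2280600000002" + ATTR_TAIL


def parse_accounting_request(raw):
    """Return the RSSO-relevant fields of one Accounting-Request; raise on malformed input."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code != 4 or length != len(raw):
        raise ValueError(f"bad Accounting-Request: code {code}, length {length} vs {len(raw)}")
    fields, pos = {"id": ident}, 20   # skip 4-byte header + 16-byte Request Authenticator
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        value, name = raw[pos + 2:pos + alen], ATTR_NAMES.get(atype, f"Attr-{atype}")
        if atype == 40:
            fields[name] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "Unknown")
        elif atype == 8:
            fields[name] = ".".join(str(b) for b in value)
        else:
            fields[name] = value.decode("ascii", "replace")
        pos += alen
    return fields


class RssoDb:
    """One entry per user IP, as in 'diagnose test application radiusd 33' (a model, not FortiOS)."""
    def __init__(self, context_timeout=28800, flush_ip_session=False):
        self.context_timeout = context_timeout    # seconds; 0 = infinite (rsso-context-timeout)
        self.flush_ip_session = flush_ip_session  # rsso-flush-ip-session
        self.entries = {}                         # ip -> {"endpoint", "group", "expires"}
        self.sessions = set()                     # firewall sessions as (src_ip, dst_ip, dport)

    def handle(self, pkt, now):
        """Apply one parsed Accounting-Request received at time 'now' (seconds)."""
        ip, status = pkt["Framed-IP-Address"], pkt["Acct-Status-Type"]
        if status in ("Start", "Interim-Update"):
            # Start inserts the entry ("DB 0 insert"); Interim-Update re-arms the timer ("DB 0 update")
            expires = None if self.context_timeout == 0 else now + self.context_timeout
            self.entries[ip] = {"endpoint": pkt["Calling-Station-Id"], "group": pkt["Class"], "expires": expires}
        elif status == "Stop":
            self.entries.pop(ip, None)            # "DB 0 remove by IP"
            if self.flush_ip_session:             # only a Stop flushes sessions, a timeout does not
                self.sessions = {s for s in self.sessions if s[0] != ip}

    def expire(self, now):
        """Remove entries whose timer elapsed ("remove IP entry ... timeout"); return their IPs."""
        gone = [ip for ip, e in self.entries.items() if e["expires"] is not None and e["expires"] <= now]
        self.entries = {ip: e for ip, e in self.entries.items() if ip not in gone}
        return gone

    def time_left(self, ip, now):
        """Seconds left on the context timer; 0 when infinite (the page shows 00:00:00)."""
        expires = self.entries[ip]["expires"]
        return 0 if expires is None else max(0, expires - now)


def replay(context_timeout, flush_ip_session, send_interim=True):
    """Start at t=0, optional Interim-Update at t=87, Stop at t=130 (the article's timings);
    return (time left at t=10, IPs expired at t=125, RSSO entries left, sessions left)."""
    db = RssoDb(context_timeout, flush_ip_session)
    db.sessions.add(("10.134.9.208", "10.5.31.1", 22))     # the user's SSH session
    db.handle(parse_accounting_request(bytes.fromhex(START_HEX)), now=0)
    left_after_start = db.time_left("10.134.9.208", now=10)
    if send_interim:
        db.handle(parse_accounting_request(bytes.fromhex(INTERIM_HEX)), now=87)
    expired = db.expire(125)    # 125 s after Start: gone unless re-armed by the Interim or infinite
    db.handle(parse_accounting_request(bytes.fromhex(STOP_HEX)), now=130)
    return left_after_start, expired, len(db.entries), len(db.sessions)
```

replay(120, False, send_interim=False) shows the entry expiring at 125 s as in step 1, replay(120, False) shows the Interim-Update keeping it alive as in step 2, and replay(120, True) shows the Stop also clearing the user's session as in the rsso-flush-ip-session test.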

Related Articles

Technical Note: Custom FortiGate IPS signature to block Interim Radius packets
