gfranceschi (Staff)
Article Id 191129
Description
This article illustrates the usage of the parameter 'rsso-ep-one-ip-only' which is introduced in FortiOS v5.6.

When a new accounting start message arrives for the same user/endpoint with a different IP address (for example, a mobile device roaming between networks), the design prior to FortiOS v5.6 was to add a new entry to the RSSO database. With this new parameter, the FortiGate can instead override the IP address recorded for that endpoint.

Scope
RSSO / Radius
FortiOS v5.6
RSSO parameter: rsso-ep-one-ip-only

Solution
rsso-ep-one-ip-only: Enable/Disable the replacement of old IP address with new IP address for the same endpoint on RADIUS accounting start.

1) rsso-ep-one-ip-only disable

Since rsso-ep-one-ip-only is disabled, if the FortiGate receives a RADIUS accounting start packet for an existing endpoint with a new IP address, a new entry is created in the RSSO database. The old entry remains associated with the endpoint user, so the endpoint is mapped to both IP addresses.
FG-5KD3915xxxxxx # config user radius
FG-5KD3915xxxxxx (radius) # edit RadiusRsso
FG-5KD3915xxxxxx (RadiusRsso) # show
config user radius

    edit "RadiusRsso"
        set rsso enable
        set rsso-secret ENC Vx0Ejb2KhG9RAaiiyI45B
        set rsso-context-timeout 0
        set rsso-flush-ip-session enable
    next
end

FG-5KD3915xxxxxx (RadiusRsso) # set rsso-ep-one-ip-only disable

FG-5KD3915xxxxxx (RadiusRsso) # end
FG-5KD3915xxxxxx # ui config version changed
config change start

0: update vd root
server config 0 del
filled server 'RadiusRsso' for vdom 'root'
server config 0 add OK
if=mgmt1 interface is up to date (listen enabled)
config change done

FG-5KD3915xxxxxx # diagnose test application radiusd 33

RADIUS server database [vd root]:
 ** no entries **

FG-5KD3915xxxxxx # Received radius accounting eventvd 0:root Add/Update auth logon for IP 10.134.9.210 for user 33471995587
DB 0 insert [ep='33471995587' pg='Group0' ip='10.134.9.210/32'] success

FG-5KD3915xxxxxx #

FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:

"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481293102,00:00:00,"10.134.9.210""33471995587","allow","no log","Group0",1,No

FG-5KD3915xxxxxx # Received radius accounting eventvd 0:root Add/Update auth logon for IP 10.134.9.209 for user 33471995587

DB 0 insert [ep='33471995587' pg='Group0' ip='10.134.9.209/32'] success

FG-5KD3915xxxxxx # diagnose test application radiusd 33

RADIUS server database [vd root]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481293102,00:00:00,"10.134.9.210""33471995587","allow","no log","Group0",2,No
2,1481293151,00:00:00,"10.134.9.209""33471995587","allow","no log","Group0",2,No

FG-5KD3915xxxxxx # Received radius accounting eventvd 0:root Remove auth logon for IP 10.134.9.209 for user 33471995587

vd 0:root Add/Update auth logon for IP 10.134.9.209 for user 33471995589
DB 0 insert [ep='33471995589' pg='Group0' ip='10.134.9.209/32'] success

FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481293102,00:00:00,"10.134.9.210""33471995587","allow","no log","Group0",1,No
2,1481293176,00:00:00,"10.134.9.209""33471995589","allow","no log","Group0",1,No


2) rsso-ep-one-ip-only enable

Since rsso-ep-one-ip-only is enabled, if the FortiGate receives a RADIUS accounting start packet for an existing endpoint with a new IP address, the entry is replaced. The old entry and its IP address are disassociated from the endpoint user; as the output below shows, the old IP row stays in the database with no endpoint, a reference count of 0 and "use default profile" set to Yes.
FG-5KD3915xxxxxx # show user radius RadiusRsso
config user radius
    edit "RadiusRsso"
        set rsso enable
        set rsso-secret ENC xfaj553lzDOhcHYL5sUynSN
        set rsso-context-timeout 0
        set rsso-flush-ip-session enable
    next
end

FG-5KD3915xxxxxx # config user radius

FG-5KD3915xxxxxx (radius) # edit RadiusRsso
FG-5KD3915xxxxxx (RadiusRsso) # get
name                : RadiusRsso
timeout             : 5
radius-coa          : disable
h3c-compatibility   : disable
username-case-sensitive: disable
class               :
password-renewal    : disable
rsso                : enable
rsso-radius-server-port: 1813
rsso-radius-response: disable
rsso-validate-request-secret: disable
rsso-secret         : *
rsso-endpoint-attribute: Calling-Station-Id
rsso-endpoint-block-attribute:
sso-attribute       : Class
sso-attribute-key   :
sso-attribute-value-override: enable
rsso-context-timeout: 0
rsso-log-period     : 0
rsso-log-flags      : protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
rsso-flush-ip-session: enable
rsso-ep-one-ip-only : disable
FG-5KD3915xxxxxx (RadiusRsso) # set rsso-ep-one-ip-only enable
FG-5KD3915xxxxxx (RadiusRsso) # end
FG-5KD3915xxxxxx # ui config version changed
config change start
0: update vd root
server config 0 del
filled server 'RadiusRsso' for vdom 'root'
server config 0 add OK
if=mgmt1 interface is up to date (listen enabled)
vd 0:root Add/Update auth logon for IP 10.134.9.210 for user 33471995587
vd 0:root Add/Update auth logon for IP 10.134.9.209 for user 33471995589
config change done

FG-5KD3915xxxxxx # diagnose test application radiusd 33

RADIUS server database [vd root]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481293102,00:00:00,"10.134.9.210""33471995587","allow","no log","Group0",1,No
2,1481293176,00:00:00,"10.134.9.209""33471995589","allow","no log","Group0",1,No

FG-5KD3915xxxxxx # Received radius accounting eventvd 0:root Remove auth logon for IP 10.134.9.209 for user 33471995589

vd 0:root Add/Update auth logon for IP 10.134.9.208 for user 33471995589
DB 0 insert [ep='33471995589' pg='Group0' ip='10.134.9.208/32'] success

FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481293102,00:00:00,"10.134.9.210""33471995587","allow","no log","Group0",1,No
2,1481293276,00:00:00,"10.134.9.208""33471995589 ","allow","no log","Group0",1,No
3,1481293176,00:00:00,"10.134.9.209""","n/a","n/a","",0,Yes

The same happens when endpoint 33471995589 moves again, this time to IP 10.134.9.207: the endpoint's entry is replaced and the previous IP (10.134.9.208) is left in the database without an endpoint.
FG-5KD3915xxxxxx # Received radius accounting eventvd 0:root Remove auth logon for IP 10.134.9.208 for user 33471995589
vd 0:root Add/Update auth logon for IP 10.134.9.207 for user 33471995589
DB 0 insert [ep='33471995589' pg='Group0' ip='10.134.9.207/32'] success

FG-5KD3915xxxxxx # diagnose test application radiusd 33
RADIUS server database [vd root]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481293102,00:00:00,"10.134.9.210""33471995587","allow","no log","Group0",1,No
2,1481293349,00:00:00,"10.134.9.207""33471995589","allow","no log","Group0",1,No
3,1481293176,00:00:00,"10.134.9.209""","n/a","n/a","",0,Yes
4,1481293276,00:00:00,"10.134.9.208""","n/a","n/a","",0,Yes

A new endpoint (33471995588) logging on with an IP address that is still in the database as a disassociated entry (10.134.9.208) takes over that entry: the orphaned row for 10.134.9.208 is now associated with the new endpoint, while the row for 10.134.9.209 still has no endpoint.
FG-5KD3915xxxxxx # Received radius accounting eventvd 0:root Add/Update auth logon for IP 10.134.9.208 for user 33471995588
DB 0 insert [ep='33471995588' pg='Group0' ip='10.134.9.208/32'] success

FG-5KD3915xxxxxx # diagnose test application radiusd 33

RADIUS server database [vd root]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1481293102,00:00:00,"10.134.9.210""33471995587","allow","no log","Group0",1,No
2,1481293349,00:00:00,"10.134.9.207""33471995589","allow","no log","Group0",1,No
3,1481293393,00:00:00,"10.134.9.208""33471995588","allow","no log","Group0",1,No
4,1481293176,00:00:00,"10.134.9.209""","n/a","n/a","",0,Yes 

Related Articles

Technical Note: RSSO maximum time connection and authentication timers

Technical Note: Custom FortiGate IPS signature to block Interim Radius packets
