FortiGate
bpozdena_FTNT
Article Id 196804

Description
This article describes the steps to configure FortiGate to send RADIUS Accounting messages containing the usernames and IP addresses of SSL VPN users.

Useful links:
CLI Reference: https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/403620/user-radius

Scope
FortiGate v5.6.11+
FortiGate v6.0.7+
FortiGate v6.2.1+


Solution
Consider the following important requirements before implementing this solution:

- FortiGate should be running FortiOS versions 5.6.11+, v6.0.7+ or v6.2.1+.
  In earlier versions, FortiOS will report the client’s public IP address instead of the assigned tunnel IP address in the 'Framed-IP-Address' attribute value.

- The attribute 'Framed-IP-Address' is not included in the RADIUS Accounting-Request Start message. It is included only in Interim-Update and Accounting Stop messages.
- Interim Accounting-Request messages are not sent unless the RADIUS server sends the AVP 'Acct-Interim-Interval' in the 'Access-Accept' message.
  Also, the Interim-Updates feature must be enabled on the FortiGate under the RADIUS profile.

- The minimum update interval that can be set for interim accounting messages is 600 seconds.

There are two steps to complete this configuration:

1) Configure SSL VPN access for RADIUS users.
Example: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/551553/ssl-vpn-with-radius-and-fortitoke...

2) Configure FortiGate to send RADIUS Accounting:

#config user radius   
    edit <RADIUS_PROFILE_NAME>   
        set server <Radius_Server_IP>             <----- Specify the IP address of the RADIUS authentication server.
        set secret <password>                     <----- Secret used to authenticate with the RADIUS authentication server.
        set acct-interim-interval 600             <----- Enable sending of Interim Accounting updates every 10 minutes.
        config accounting-server   
            edit 1   
                set status enable                 <----- Enable sending of RADIUS Accounting messages.
                set server <Radius_Server_IP>     <----- Specify the IP address of the RADIUS accounting server.
                set secret <password>             <----- Secret used to authenticate with the RADIUS accounting server.
            next   
        end   
    next   
end   

3) Ensure the RADIUS server is configured to send AVP 'Acct-Interim-Interval:600' in the Access-Accept message.

Verification of Configuration:

The packet captures below show the effect of the above configuration in action.
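
A receiver of these accounting messages has to cope with the Start message carrying no 'Framed-IP-Address'. The following Python code is an added example, not part of the original article and not Fortinet code: it verifies the Request Authenticator against the shared secret (passed as bytes), parses the Accounting-Request, and keeps a session-to-tunnel-IP map that learns the IP only from Interim-Update messages. The function names, the user 'alice', the session id 'S1' and the packets built by `sample` are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

TEXT = {1: "user", 44: "session"}  # User-Name, Acct-Session-Id
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}  # Acct-Status-Type values


def parse_accounting(packet, secret):
    """Verify and parse one RADIUS Accounting-Request (code 4, RFC 2866)."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if packet[:1] != b"\x04" or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    # Request Authenticator = MD5(header, 16 zero bytes, attributes, shared secret)
    digest = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    if not hmac.compare_digest(digest, packet[4:20]):
        raise ValueError("authenticator mismatch: wrong secret or forged packet")
    rec, pos = dict.fromkeys(("user", "status", "session", "framed_ip")), 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        atype, value = packet[pos], packet[pos + 2:pos + alen]
        if atype in TEXT:
            rec[TEXT[atype]] = value.decode("utf-8", "replace")
        elif atype == 40 and len(value) == 4:  # Acct-Status-Type
            rec["status"] = STATUS.get(struct.unpack("!I", value)[0])
        elif atype == 8 and len(value) == 4:  # Framed-IP-Address
            rec["framed_ip"] = str(ipaddress.IPv4Address(value))
        pos += alen
    return rec


def track(sessions, rec):
    """Maintain session id -> (user, tunnel IP); Start has no IP, so it stays None."""
    if rec["status"] == "Stop":
        sessions.pop(rec["session"], None)
    elif rec["status"] in ("Start", "Interim-Update"):
        old_ip = sessions.get(rec["session"], (None, None))[1]
        sessions[rec["session"]] = (rec["user"], rec["framed_ip"] or old_ip)
    return sessions


def sample(status, secret, framed_ip=None):
    """Constructed packet for testing: made-up user 'alice', session id 'S1'."""
    body = b"\x01\x07alice" + b"\x2c\x04S1" + b"\x28\x06" + struct.pack("!I", status)
    body += b"\x08\x06" + ipaddress.IPv4Address(framed_ip).packed if framed_ip else b""
    head = struct.pack("!BBH", 4, 1, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body
```

Until the first Interim-Update arrives (up to 600 seconds with the interval above), the map holds the user with no tunnel IP, so any lookup by IP during that window finds nothing.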