1. About this Guide

This guide has been created to help sales engineers, product managers, or network specialists demonstrate the PacketFence capabilities on-site with an existing or potential customer. It can also provide guidelines to set up a proof of concept for a potential PacketFence deployment using the FortiGate firewall.

2. Assumptions

  • You have a configured PacketFence environment with working test equipment;

  • You have a FortiGate firewall.

3. Quick installation

3.1. Step 1: Configuration of the RSSO Agent

In the FortiGate administration web interface, go to User & Device → User → User Groups → Create New.

  • Name: RSSO_group

  • Type: RADIUS Single Sign-On (RSSO)

  • RADIUS Attribute Value: RSSO_Student (use the PacketFence role name; it is case sensitive)

Create the SSO agent in FortiGate

You can also see this in the web interface at User & Device → Monitor → Firewall.

3.2. Step 2: Configure the endpoint attribute

The default endpoint attribute is Calling-Station-Id, so the MAC address shows up under User Name. You can change that in the CLI:

config user radius
edit RSSO_agent
set rsso-endpoint-attribute User-Name
end

3.3. Step 3: Activate the Accounting Listening

Go to System → Network → Interfaces.

Select the interface that will communicate with PacketFence and check Listen for RADIUS Accounting Messages then confirm.

Configure the accounting listening in the FortiGate

3.4. Step 4: SSO Configuration in PacketFence

Go to Configuration → Integration → Firewall SSO → Add Firewall → FortiGate.

  • Hostname or IP Address: IP of your firewall

  • Secret or Key: secret (radius shared secret)

  • Port: 1813

  • Roles: add the roles that you want to do SSO

Configure the FortiGate SSO in PacketFence

3.5. Step 5: Verification

To check that it is working, log into the firewall over SSH and run the following commands:

di debug enable
di debug application radiusd -1
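
The accounting message that Steps 3 and 4 set up can also be checked offline. The following is an added example, not PacketFence or Fortinet code: it builds an Accounting-Request (Start) from constructed sample values and verifies its Request Authenticator (RFC 2866) against the shared secret, which is the check that fails when the secret from Step 4 does not match the firewall's. Carrying the role in the Class attribute is an assumption, and the function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import struct

USER_NAME, FRAMED_IP, CLASS, CALLING_STATION_ID = 1, 8, 25, 31  # RFC 2865
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCOUNTING_REQUEST = 40, 44, 4  # RFC 2866


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_start(secret, ident, user, ip, mac, role):
    attrs = b"".join([
        _attr(ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # 1 = Start
        _attr(ACCT_SESSION_ID, b"constructed-session-1"),
        _attr(USER_NAME, user.encode()),
        _attr(FRAMED_IP, ipaddress.IPv4Address(ip).packed),
        _attr(CALLING_STATION_ID, mac.encode()),
        _attr(CLASS, role.encode()),  # assumption: role travels in Class
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def check_accounting_request(packet, secret):
    """Verify the Request Authenticator, then return user, role and ip."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch: shared secret differs")
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        size = attrs[pos + 1]
        if size < 2 or pos + size > len(attrs):
            raise ValueError("malformed attribute")
        found[attrs[pos]] = attrs[pos + 2:pos + size]
        pos += size
    if not {USER_NAME, FRAMED_IP, CLASS} <= found.keys():
        raise ValueError("missing User-Name, Framed-IP-Address or Class")
    return {"user": found[USER_NAME].decode(), "role": found[CLASS].decode(),
            "ip": str(ipaddress.IPv4Address(found[FRAMED_IP]))}
```

The role string is compared byte for byte, so RSSO_Student and rsso_student are different values to the receiver.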