About RADIUS Single Sign-On

RADIUS is a client-server protocol for user authentication. For RADIUS authentication, users either provide a user name and password, or their devices must have a digital certificate. If you use RADIUS for user authentication to wireless access points or other RADIUS clients, and your firewall policies restrict outgoing traffic to specified users or groups, your users must manually log in again to authenticate to the Firebox before they can connect to network resources or the Internet. To simplify the login process for your users, you can use RADIUS Single Sign-On (RSSO) to automatically authenticate users when they authenticate to a RADIUS client. With RADIUS SSO, your users on the trusted or optional networks provide their user credentials one time (when they connect to the wireless access point or other RADIUS client) and they are automatically authenticated to your Firebox.

RADIUS SSO does not require you to enable RADIUS authentication on the Firebox. For RADIUS SSO, users authenticate with a separate RADIUS client, usually a wireless access point or switch on your internal network configured with 802.1X port-based authentication. Because the RADIUS client communicates with the RADIUS server to authenticate the users, it is not necessary to enable RADIUS authentication on the Firebox. The RADIUS server forwards accounting messages to tell the Firebox when a user has authenticated, and the Firebox automatically creates a Firewall session for the user.

RADIUS SSO for the Firebox supports the use of third-party authentication services, such as Aruba ClearPass, with access points.

RADIUS SSO Requirements

You can use RADIUS Single Sign-On with wireless access points or other RADIUS clients that include the required information in the RADIUS accounting messages. For RADIUS SSO to operate, the Start, Stop, and Interim-Update accounting messages sent by the RADIUS client must include these attributes:

  • User-Name — The name of the authenticated user
  • Framed-IP-Address — The client IP address of the authenticated user

WatchGuard AP devices that use the latest version of AP firmware meet these requirements. Other wireless access points that support these requirements should also operate correctly for RADIUS SSO.

Some access points do not assign the client IP address until after the user authenticates. For these access points, the Start accounting message might not include the Framed-IP-Address attribute. After the user authenticates, the access point immediately sends an Interim-Update accounting message that includes the Framed-IP-Address attribute. Even though the Start message does not include the Framed-IP-Address attribute, RADIUS SSO functions correctly.

Accounting Proxy

To configure a RADIUS accounting proxy in Microsoft Windows Server, see the Microsoft documentation:


When a user connects and authenticates to a RADIUS client, such as a wireless access point, the RADIUS client sends accounting messages to the RADIUS server. The RADIUS server sends these accounting messages to the Firebox and the Firebox creates a firewall session for the user at the specified client IP address. When the user disconnects, the RADIUS server sends an accounting message to the Firebox and the Firebox removes the user session.

Diagram of RADIUS SSO with a WatchGuard AP device

RADIUS Single Sign-On with a WatchGuard AP device

When a wireless client uses WPA/WPA2 authentication to a wireless access point:

  1. The wireless client sends the user access credentials to the access point.
  2. The access point and RADIUS server establish the user session.
    • The access point sends an Access-Request message to the RADIUS server with the user credentials.
    • The RADIUS server processes the request and sends an Access-Accept or Access-Reject message to the access point.
    • When the access point receives an Access-Accept message, the user session is established.
    • The AP device sends Start RADIUS accounting messages to the RADIUS server.
  3. The RADIUS server sends the Start RADIUS accounting messages to the Firebox, with the user name and IP address.
  4. When the Firebox receives the Start accounting message with the user name and client IP address, it creates a firewall session for the user.

To maintain the firewall session:

  1. While the user is connected, the AP device sends Interim-Update accounting messages to the RADIUS server.
  2. The RADIUS server sends Interim-Update messages to the Firebox.
  3. If the Firebox receives an Interim-Update message for a session that has expired, the Firebox creates the firewall session again.

When a wireless client disconnects from a wireless AP device:

  1. The AP device sends a Stop accounting message to the RADIUS server.
  2. The RADIUS server sends the Stop accounting message to the Firebox.
  3. The Firebox removes the firewall session for the user.
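
The attribute requirements and the three procedures above, as an added example (not WatchGuard code and not the Firebox implementation): a parser for RADIUS Accounting-Request packets that uses the RFC 2865/2866 attribute numbers, and a simplified session table driven by the Start, Interim-Update, and Stop messages. The function names, the sample user and IP address, and the choice to ignore a message that lacks a required attribute are assumptions.

```python
import socket
import struct

ACCOUNTING_REQUEST = 4                                   # packet code (RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 8, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}    # Acct-Status-Type values


def build_accounting_request(status, user=None, ip=None):
    """Construct a sample packet (constructed test data, zeroed authenticator)."""
    attrs = bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    if user is not None:
        attrs += bytes([USER_NAME, 2 + len(user.encode())]) + user.encode()
    if ip is not None:
        attrs += bytes([FRAMED_IP_ADDRESS, 6]) + socket.inet_aton(ip)
    return struct.pack("!BBH16s", ACCOUNTING_REQUEST, 1, 20 + len(attrs), b"") + attrs


def parse_accounting_request(packet):
    """Return (status, user, ip); an absent attribute comes back as None."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    found, pos = {}, 20
    while pos < length:                      # attributes are type/length/value
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        found[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    status, user, ip = (found.get(t) for t in (ACCT_STATUS_TYPE, USER_NAME, FRAMED_IP_ADDRESS))
    return (STATUS.get(struct.unpack("!I", status)[0]) if status and len(status) == 4 else None,
            user.decode("utf-8", "replace") if user else None,
            socket.inet_ntoa(ip) if ip and len(ip) == 4 else None)


def apply_message(sessions, packet):
    """Simplified model of the flow above; sessions maps client IP -> user name."""
    status, user, ip = parse_accounting_request(packet)
    if status is None or user is None or ip is None:
        return "ignored"      # assumption: e.g. a Start sent before the client has an IP
    if status == "Stop":
        return "removed" if sessions.pop(ip, None) else "ignored"
    created = ip not in sessions   # Start creates; Interim-Update re-creates after expiry
    sessions[ip] = user
    return "created" if created else "refreshed"
```

Feeding it a Start without Framed-IP-Address followed by an Interim-Update with the address shows why the late-address case in the requirements still ends with a session for the user.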

RADIUS SSO Session and Idle Timeouts

The Firebox can end a firewall session based on the session and idle timeouts specified in the RADIUS Single Sign-On (RSSO) configuration. If the user remains connected to the wireless access point after the amount of time specified for the session timeout, traffic from that user is not allowed by the Firebox until the user session is reestablished on the Firebox. After a session expires, there are two ways for the Firebox to create the session again:

  • The RADIUS server sends an Interim-Update accounting message to the Firebox for that session
  • The user disconnects and reconnects to the AP device, and the RADIUS server sends a Start accounting message to the Firebox

RADIUS SSO and Active Directory SSO

You can enable both RADIUS Single Sign-On and Active Directory Single Sign-On at the same time. A RADIUS SSO session cannot replace an existing session created by Active Directory SSO for a user at the same IP address.

We recommend that you do not enable both for users on the same subnet or IP range, to avoid any inconsistencies. If for some reason you must enable both types of SSO for the same subnet, you can add IP addresses to the Exception List in the RADIUS SSO or Active Directory SSO settings to make sure the intended authentication method is used from a specific IP address.

RADIUS SSO and the Authentication Portal

When a user has authenticated with RADIUS SSO, that user or another user can authenticate from the same IP address to the Authentication Portal, and can select a different domain. If a user is authenticated to the Firebox with RADIUS SSO and another user authenticates from the same IP address to the Authentication Portal, the Authentication Portal session replaces the RADIUS SSO session. If a user is authenticated to the Firebox through the Authentication Portal and another user tries to authenticate from the same IP address with RADIUS SSO, the second session with RADIUS SSO is not created.

For more information about user authentication from the Authentication Portal, see User Authentication Steps.

See Also

Enable RADIUS Single Sign-On

About User Authentication

Use Authentication to Restrict Incoming Connections