Enable RADIUS Single Sign-On

RADIUS Single Sign-On (RSSO) enables users to automatically authenticate to the Firebox when they use RADIUS to authenticate to a RADIUS client, such as a wireless access point. For information about how RADIUS SSO operates, and the requirements for RADIUS clients, go to About RADIUS Single Sign-On.

When you enable RADIUS SSO, the RADIUS-SSO-Users group and the Allow RADIUS SSO Users policy are automatically created to allow outbound connections from users authenticated through RADIUS SSO. You can use this group, or you can create new groups that match the user group names on your RADIUS server.

To allow RADIUS accounting traffic from the RADIUS server to the Firebox, the Allow RADIUS SSO Service policy is also automatically created.

For RADIUS SSO to operate, you must enable RADIUS accounting on the RADIUS client or access point.

Before You Begin

Before you enable RADIUS SSO on your Firebox, you must have this information:

  • IP Address — The IP address of your RADIUS server
  • Secret — Case-sensitive shared secret used to verify RADIUS messages between the RADIUS server and the Firebox
  • Group Attribute — The RADIUS attribute number used to get group names from RADIUS accounting messages

Session Timeout and Idle Timeout

For RADIUS SSO, user sessions time out based on RADIUS SSO timeouts rather than the global authentication timeouts. The RADIUS SSO settings include two timeout values.

Session Timeout

The maximum length of time the user can send traffic to the external network. If you set this field to zero (0) seconds, minutes, hours, or days, the session does not expire and the user can stay connected for any length of time.

Idle Timeout

The maximum length of time the user can stay authenticated when idle (not passing any traffic to the external network). If you set this field to zero (0) seconds, minutes, hours, or days, the session does not time out when idle and the user can stay idle for any length of time.

If a user disconnects before these timeout limits are reached, the Firebox removes the session when it receives a RADIUS accounting STOP message that contains the user name and client IP address. For more information about RADIUS accounting messages, go to About RADIUS Single Sign-On.

Configure the RADIUS Server

To enable RADIUS SSO, you must configure the RADIUS server to forward RADIUS accounting packets to a Firebox IP address on port 1813, and you must configure the shared secret used for communication between the RADIUS server and the Firebox.
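
The following is an added example, not WatchGuard code: it shows how a receiver of RADIUS accounting packets uses the shared secret to check the Request Authenticator defined in RFC 2866 before it trusts the user name, client IP address, status, and group values in the message. The function names, the secret, and the sample packet are constructed for illustration; the example assumes the client IP address is carried in Framed-IP-Address (attribute 8) and that the Group Attribute is 11 (Filter-Id).

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40
STATUS = {1: "START", 2: "STOP", 3: "INTERIM-UPDATE"}

def build_accounting_request(ident, attrs, secret):
    """Build a signed Accounting-Request; used only to construct the sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_accounting_request(packet, secret, group_attr=11):  # 11 = Filter-Id, assumed
    """Verify the authenticator, then return user, client IP, status and groups."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]  # octets past the declared length are padding
    # RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise PermissionError("authenticator mismatch: wrong secret or altered packet")
    out, pos = {"groups": []}, 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_type, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        if attr_type in (FRAMED_IP, ACCT_STATUS_TYPE) and len(value) != 4:
            raise ValueError("bad length for a 4-octet attribute")
        if attr_type == USER_NAME:
            out["user"] = value.decode("utf-8", "replace")
        elif attr_type == FRAMED_IP:
            out["client_ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == ACCT_STATUS_TYPE:
            out["status"] = STATUS.get(int.from_bytes(value, "big"), "OTHER")
        elif attr_type == group_attr:
            out["groups"].append(value.decode("utf-8", "replace"))
        pos += packet[pos + 1]
    return out

# Constructed sample: a STOP record for user "alice" at 10.0.1.25 in group "Sales".
SECRET = b"constructed-example-secret"
SAMPLE_STOP = build_accounting_request(7, [
    (ACCT_STATUS_TYPE, struct.pack("!I", 2)), (USER_NAME, b"alice"),
    (FRAMED_IP, ipaddress.IPv4Address("10.0.1.25").packed), (11, b"Sales")], SECRET)
```

A mismatched secret, including a difference in letter case only, produces the same authenticator failure as an altered packet, so a secret typed differently on the two sides causes every accounting message to be rejected.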

Configure the Firebox

When you enable and configure the settings for Single Sign-On (SSO) on your Firebox, you must specify the IP address of the RADIUS server. You can also specify the IP addresses (or ranges) to exclude from SSO.

RADIUS SSO Policies and Groups

When you enable RADIUS SSO (RSSO), two policies are automatically added to your Firebox configuration:

  • Allow RADIUS SSO Service — Allows RADIUS accounting traffic between the Firebox and the RADIUS server
  • Allow RADIUS SSO Users — Allows outbound TCP and UDP traffic for RADIUS SSO authenticated users

RADIUS accounting messages include information about group membership for the authenticated user. The RADIUS-SSO-Users group on the Firebox automatically includes all users who are not a member of a group that exists on the Firebox. Outbound traffic for these users is allowed by the Allow RADIUS SSO Users policy.

If users who authenticate through RADIUS SSO are members of a group on the RADIUS server, you can create the same group on the Firebox, and then use that group name in policies. If a user authenticated through RADIUS SSO is a member of a group that exists on the Firebox, the user is not a member of the group RADIUS-SSO-Users, so you must create a policy to allow traffic for the user or group.

For more information, go to Use Users and Groups in Policies.

Define RADIUS SSO Exceptions

If you want to exclude certain devices from RADIUS SSO, you can add them to the RADIUS SSO Exceptions list. When the Firebox receives RADIUS accounting messages for a user with an IP address on the RADIUS SSO Exceptions list, the Firebox does not create a Firewall authentication session for that user.

When you add an entry to the RADIUS SSO Exceptions list, you can choose to add a host IP address, network IP address, subnet, host DNS name (from Policy Manager only), or a host range.

You can also edit or remove entries from the SSO Exceptions list.

Related Topics

About User Authentication

Use Authentication to Restrict Incoming Connections

Configure RADIUS Server Authentication with Active Directory for Wireless Users