Configure optional settings

Fortinet supports tw optional settings: Client IP Reporting and Groups response.

Topics:

Before you begin

  • Ensure that you have the common UDP Port and Secret key values available

Configure Client IP Reporting

To configure Okta to be able to parse, report on and eventually enforce policy based off of the source client IP Address you need to configure the Fortinet Fortigate (RADIUS) App in Okta as follows:

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the RADIUS app in your Okta Admin Console, as shown below.

  • Client IP: Check Report client IP.
  • RADIUS End User IP Attributes: 31 Calling-Station-Id

Configure Groups Response

The Fortinet appliance does not receive groups using the standard Attribute Value Pairs (AVP) of 11 (Filter-Id) and 25 (Class). Instead it relies on Vendor Specific Attributes.

To configure the app to send RADIUS Group information in vendor specific attributes:

Note

Note

This is an Early Access feature. To enable it, contact Okta Support.

  1. In Okta, navigate to Applications > Applications.
  2. Open the application by clicking its name.
    Tip

    Tip

    You can narrow the set of applications displayed using the Search field.

  3. Select the sign on tab.
  4. Scroll to the Advanced RADIUS Settings section and click Edit.
  5. In the GROUPS RESPONSE section:
    1. Check include groups in RADIUS response.
    2. In the RADIUS attributes sub section, specify the following:

      Field

      Value

      Comment

      RADIUS attribute

      26-Vendor specific.

      Must be 26-Vendor specific

      vendor specific ID

      Enter one of :
      Cisco - ASA-Group-Policy (3076)

      Citrix-Group-Names (3845)

      Fortinet-Group-Name(12356)

      PaloAlto-User-Group(25461)

      Enter the associated numeric vendor id.
      For example, for Cisco enter 3076.

      Attribute ID

      Cisco - ASA-Group-Policy (25)

      Citrix-Group-Names (16)

      Fortinet-Group-Name(1)

      PaloAlto-User-Group(5)

      Enter the associated numeric attribute id. For example, for Cisco enter 25.


      Important Note

      Important

      Vendor specific ID and Attribute ID are string fields.
      Admins may use any appropriate value for vendors not listed.


      Caution

      Caution

      • The maximum group membership value length is 247 bytes. In situations where length of group memberships or where any group names length exceeds the maximum size truncation will occur and partial values returned.

         

      • In such situations Okta suggests configuring the response as a set of Repeated Attributes as opposed to a single delimited list.
  6. Click Save.