Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dietersmith
New Contributor

Radius Accounting, Captive Portal, FortiGate v7.4

Hi. Recently set up a captive portal with external authentication portal.

FortiGate-40F

v7.4.1 build2463 (Feature)

Security mode: Captive Portal
Portal type: Authentication
Authentication Portal: External

Traffic mode: Tunnel
FortiGate acts as DHCP server

"Client MAC Address Filtering" radius not enabled.

Radius accounting is enabled on SSID and all other possible interfaces.

Authentication process works correctly.
We are receiving accounting updates only on connect and disconnect.
No interim-accounting is received at specified interval.

Specified in config file:

set acct-all-servers enable
set acct-interim-interval 60

Also passing set acct-interim-interval := 60 in radreply

Accounting is also under-reporting usage. Less than 10% of actual usage being reported once session is terminated and final account-update is received.

Test session lasting 180 seconds with a 256MB test file yields this:
acct-input-octets = 17645
acct-output-octets = 9427

Repeated test with different vendor and accounting is spot on.

What are we missing here?

Thanks.

rbraha
Staff

Hi @dietersmith

Make sure that Radius attribute "Class" is being sent from the client in accounting request packets when client connects on WIFI. If that attribute is missing, FGT may fail to put the client in the proper group. You can try to run packet capture on FGT and sniffer packet on port 1813 to understand it better.

dietersmith

Hi @rbraha

Thank you for your previous reply.

You were correct in your assumption that Class attribute was not being sent to FortiGate by radius server.

Have amended radius config and we now pass a Class attribute as well as previously defined Acct-Interim-Interval attribute.

(15) Sent Access-Accept Id 241 from 51.x.x.x:4046 to 93.x.x.x:52892 length 0
(15)   Class = 0x4141414141
(15)   Acct-Interim-Interval = 60
(15) Finished request

This is also visible on controller packet capture.

In Accounting-Request:

(16) Received Accounting-Request Id 242 from 93.X.X.X:58016 to 51.X.X.X:1813 length 235
(16)   Acct-Status-Type = Start
(16)   Event-Timestamp = "Nov 13 2023 15:00:57 UTC"
(16)   Acct-Session-Id = "2d65e439"
(16)   User-Name = "Ds"
(16)   Acct-Multi-Session-Id = "94:f3:92:9d:52:70-1699887641"
(16)   NAS-Identifier = "FortiGate-40F"
(16)   Framed-IP-Address = 10.23.23.2
(16)   Fortinet-Client-IP-Address = 10.23.23.2
(16)   Fortinet-Vdom-Name = "root"
(16)   Attr-26.12356.7 = 0x666f7274696e65742d6374726c2d6370
(16)   Attr-26.12356.8 = 0x4f66666963652054657374204150
(16)   NAS-IP-Address = 10.23.23.1
(16)   Called-Station-Id = "94-F3-X-X-X-X:fortinet-ctrl-cp"
(16)   Calling-Station-Id = "F4-3B-X-X-X-X"
(16)   Class = 0x4141414141

Results for Session-Id: 2d65e439. 1.2 Gig downloaded in session.......

{
"radacct": [
	{
		"radacctid" : 19,
		"acctsessionid" : "2d65e439",
		"acctuniqueid" : "2fe8e5bb3579f8d1a618949763b8c947",
		"username" : "Ds",
		"realm" : "",
		"nasipaddress" : "10.23.23.1",
		"nasportid" : "",
		"nasporttype" : "",
		"acctstarttime" : "2023-11-13T15:00:57.000Z",
		"acctupdatetime" : "2023-11-13T15:12:57.000Z",
		"acctstoptime" : "2023-11-13T15:14:11.000Z",
		"acctinterval" : 180,
		"acctsessiontime" : 794,
		"acctauthentic" : "",
		"connectinfo_start" : "",
		"connectinfo_stop" : "",
		"acctinputoctets" : 312286,
		"acctoutputoctets" : 171304,
		"calledstationid" : "94-F3-X-X-X-X:fortinet-ctrl-cp",
		"callingstationid" : "F4-3B-X-X-X-X",
		"acctterminatecause" : "Host-Request",
		"servicetype" : "",
		"framedprotocol" : "",
		"framedipaddress" : "10.23.23.2",
		"framedipv6address" : "",
		"framedipv6prefix" : "",
		"framedinterfaceid" : "",
		"delegatedipv6prefix" : ""
	}
]}

Acct-Interim not updating at specified interval: 180s in radius config. 60s in attribute.

Accounting not reporting usage.

Any ideas?

rbraha

Hi @dietersmith

By default FGT will send the first Account interim after 600 sec; when configuring less than that, it may fail to send this acc-interim update.

Try to make the change as follows for your SSID:

config wireless-controller vap
    edit "vap"
        set ssid "your SSID"
        set security wpa2-only-personal+captive-portal
        set passphrase ENC *
        set acct-interim-interval 600 <----
        set selected-usergroups "Guest-group"
        set schedule "always"
    next
end

Check again with pcap on FGT side if there will be any Acc-Interim interval.

dietersmith

Hi @rbraha

FortiGate-40F (Forti-CP-Test) # set acct-interim-interval 600

command parse error before 'acct-interim-interval'
Command fail. Return code -61

Seems like it's not implemented here.

Here is current config for VAP:

FortiGate-40F (Forti-CP-Test) # show
config wireless-controller vap
    edit "Forti-CP-Test"
        set ssid "fortinet-ctrl-cp"
        set security wpa2-only-personal+captive-portal
        set external-web "https://portals.xxxx.xxxxxxxxx.com/captivePortal/36372535"
        set passphrase ENC XXX
        set selected-usergroups "Radius-CP_Guests"
        set security-exempt-list "Forti-CP-Test-exempt-list"
        set security-redirect-url "https://portals.xxxxx.xxxxxxxx.net/captivePortal/successpage/36372535"
        set schedule "always"
        set address-group-policy allow
    next
end

Not sure it's supported here.

Thanks for the help so far.

dietersmith
New Contributor

Hi @rbraha Could we please get this converted to a support ticket?
We are under pressure to make this work.

Thank you kindly.

dietersmith
New Contributor

@fortigate support.
Please respond.

Debbie_FTNT
Staff

Hey dietersmith,

please note that we cannot easily convert a Forum thread to a support case; a support case requires the FortiGate's serial number at the very least.

I would suggest you log into support.fortinet.com and create a new ticket, and in that ticket link the forum thread for further details.

Regarding the accounting:

- FortiGate will only generate accounting if the accounting value it has set and the value received in RADIUS Access-Accept are the same; where does the mismatch of 60 in the Access-Accept and 180 in later Accounting messages come from?

There are at least two RADIUS Accounting issues currently under investigation (though one is restricted to IPSec, so it should not apply to your case); the ID is 0976338; if you open a ticket you can mention that as a possible avenue for investigation.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
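
A sanity check over the values posted in this thread, as an added example (not code from any poster or from Fortinet): it compares the Acct-Interim-Interval sent in the Access-Accept with the interval stored in the radacct row, checks that the session time agrees with the start/stop timestamps, and measures how far the octet counters fall short. Assumptions: "1.2 Gig" is taken as 1.2 * 10**9 bytes, and the 0.9 ratio and 5-second slack are illustrative thresholds.

```python
import json
import re
from datetime import datetime

# Access-Accept debug lines as posted in the thread.
ACCESS_ACCEPT = """\
(15) Sent Access-Accept Id 241 from 51.x.x.x:4046 to 93.x.x.x:52892 length 0
(15)   Class = 0x4141414141
(15)   Acct-Interim-Interval = 60
(15) Finished request
"""

# radacct row for session 2d65e439 as posted, trimmed to the fields used here.
RADACCT_ROW = json.loads("""{
  "acctsessionid": "2d65e439",
  "acctstarttime": "2023-11-13T15:00:57.000Z",
  "acctstoptime": "2023-11-13T15:14:11.000Z",
  "acctinterval": 180, "acctsessiontime": 794,
  "acctinputoctets": 312286, "acctoutputoctets": 171304
}""")

TS = "%Y-%m-%dT%H:%M:%S.%fZ"

def parse_attrs(debug_text):
    """Parse '(n)   Name = value' lines; header lines without ' = ' are skipped."""
    pairs = re.findall(r"^\(\d+\)\s+([\w.-]+) = (.+)$", debug_text, re.M)
    return {name: value.strip('"') for name, value in pairs}

def audit(row, reply, transferred_bytes, min_ratio=0.9, clock_slack=5):
    """Return findings for one session; thresholds are illustrative assumptions."""
    findings = []
    sent = int(reply["Acct-Interim-Interval"])
    if sent != row["acctinterval"]:
        findings.append(f"interval mismatch: Access-Accept {sent}s, radacct {row['acctinterval']}s")
    wall = (datetime.strptime(row["acctstoptime"], TS)
            - datetime.strptime(row["acctstarttime"], TS)).total_seconds()
    if abs(wall - row["acctsessiontime"]) > clock_slack:
        findings.append(f"session time {row['acctsessiontime']}s vs wall clock {wall:.0f}s")
    reported = row["acctinputoctets"] + row["acctoutputoctets"]
    if reported < min_ratio * transferred_bytes:
        findings.append(f"octets under-reported: {reported} of {transferred_bytes} "
                        f"({reported / transferred_bytes:.4%})")
    return findings

if __name__ == "__main__":
    # "1.2 Gig" from the post, taken as 1.2 * 10**9 bytes (assumption).
    for line in audit(RADACCT_ROW, parse_attrs(ACCESS_ACCEPT), 1_200_000_000):
        print(line)
```

On the posted data the session time matches the timestamps exactly (794 s), so only the interval and the octet counters are flagged.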