Fortigate RADIUS Accounting

Author
cbevilaqua
2019/06/14 07:40:05 (permalink)

Fortigate RADIUS Accounting

Hello,
 
We have an external captive portal with external RADIUS servers.
What's the default RADIUS accounting setting on Fortigate?
It seems that our server is not receiving the RADIUS accounting requests from Fortigate.
Is there some way to view or debug that?
 
Thanks!
#1
emnoc
Re: Fortigate RADIUS Accounting 2019/06/14 08:21:01 (permalink)
FortiOS does not support radacct. Not a feature.
 
Ken Felix

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#2
jorge.americo
Re: Fortigate RADIUS Accounting 2019/06/17 07:18:21 (permalink)
You need a FortiAuthenticator.
#3
leszek
Re: Fortigate RADIUS Accounting 2019/06/28 14:41:51 (permalink)
Hello cbevilaqua,

I understand that your configuration works this way:

1. FortiGate redirects the user to the external captive portal.
2. The external captive portal sends the user credentials back to FortiGate.
3. FortiGate starts communication with the external RADIUS server and finally gets an accept or reject for this user.

If it works like above, you only have to enable accounting in the FGT RADIUS server definition, something like this:

config user radius
    edit "YOUR RADIUS SERVER"
        config accounting-server
            edit 1
                set status enable
                set server "x.x.x.x"
                set secret xxxxx
            next
        end
    next
end

As an example, I attached below what FGT sends in real communication (from the RADIUS server side; it's FreeRADIUS). You can see the attributes FGT sends in an Accounting-Request Start-type packet, but FGT implements the RADIUS standard in good style, so you can expect to get accounting types Start, Interim-Update, Stop, On and Off.
(It's not captive portal authentication like yours; it's an 802.1X eduroam Wi-Fi network, but that does not matter in this case: FGT is in the same role, a client to the RADIUS server.)

Leszek

------
(277) Sent Access-Accept from RADIUS-SERVER:1812 to FORTIGATE:19349
.....
(278) Received Accounting-Request from FORTIGATE:24706 to RADIUS-SERVER:1813
(278)   Acct-Multi-Session-Id = ...
(278)   Acct-Status-Type = Start
(278)   Acct-Authentic = RADIUS
(278)   User-Name = ...
(278)   NAS-IP-Address = ...
(278)   Framed-IP-Address = ...
(278)   NAS-Identifier = ...
(278)   Called-Station-Id = ...
(278)   NAS-Port-Type = Wireless-802.11
(278)   NAS-Port = 1
(278)   Calling-Station-Id = ...
(278)   Connect-Info = ...
(278)   Acct-Session-Id = ...
(278)   WLAN-Pairwise-Cipher = ...
(278)   WLAN-Group-Cipher = ...
(278)   WLAN-AKM-Suite = ...
(278)   Class = 0x...
(278)   Fortinet-WirelessController-Device-MAC = ...
(278)   Fortinet-WirelessController-WTP-ID = ...
(278)   Fortinet-WirelessController-Assoc-Time = ...
----
#4
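
Added example, not part of the thread or any poster's code: for the original question of how to check that accounting requests arrive and are accepted, this Python code decodes a RADIUS Accounting-Request (RFC 2866) and verifies its Request Authenticator against the shared secret, because a server discards accounting packets whose authenticator does not match. The secret, user name, session id and packet below are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                      # RFC 2866 packet code
ACCT_STATUS_TYPE = 40                       # RFC 2866 attribute type
TEXT_ATTRS = {1: "User-Name", 44: "Acct-Session-Id"}
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update",
                7: "Accounting-On", 8: "Accounting-Off"}

def build_accounting_request(ident, attrs, secret):
    """Build a test packet from a list of (type, value-bytes) attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_accounting_request(packet, secret):
    """Return decoded fields; raise ValueError if the packet must be dropped."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"code {code} is not Accounting-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the datagram")
    packet = packet[:length]                # octets past Length are padding
    # Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator (shared secret mismatch?)")
    fields, pos = {"id": ident}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        atype, value = packet[pos], packet[pos + 2:pos + alen]
        if atype in TEXT_ATTRS:
            fields[TEXT_ATTRS[atype]] = value.decode("utf-8", "replace")
        elif atype == ACCT_STATUS_TYPE and alen == 6:
            status = struct.unpack("!I", value)[0]
            fields["Acct-Status-Type"] = STATUS_NAMES.get(status, str(status))
        pos += alen
    return fields

SECRET = b"constructed-secret"              # constructed, not a real secret
SAMPLE = build_accounting_request(22, [(40, struct.pack("!I", 1)),
                                       (1, b"alice"), (44, b"5D03A1B2")], SECRET)
```

Feeding the payload of a UDP datagram captured on port 1813 to `parse_accounting_request` with the server's configured secret separates "nothing arrives" from "it arrives but fails verification".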