Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Eric_Kom
New Contributor II

Captive Portal authentication issue

Hi all,

We have a FortiGate 60F with captive portal configured on one of the ports; we use Unifi APs. See below my firewall settings for the captive portal:


    config user setting
        set auth-timeout 1440
        set auth-timeout-type hard-timeout
        set auth-lockout-duration 0
        set auth-invalid-max 100
    end

    config user group
        edit "guest.Wifi"
            set group-type guest
            set authtimeout 0
            set auth-concurrent-override enable
            set http-digest-realm ''
        next
    end


The client does not want to re-authenticate after authentication was successful.

Let's say the guest account is set to expire in 120 days; our client is looking for a solution where, after successful authentication, the authenticated guest remains active.

 

We tried all the settings but could not achieve that goal.

 

The max session timeout is set to 24 hrs, but that does not hold true all the time; for some reason the guest has to authenticate many times within 24 hrs, and sometimes stays connected for 24 hrs.

 

We do not want to set exempt sources for some devices.

 

Please help

 

xsilver_FTNT
Staff

Hi,

Are you 100% sure you want to have a 120-day authenticated session?

To be honest, that sounds to me like security madness.

Have you heard about session hijacks and other possible misuse scenarios for active sessions?

 

If you want to pass someone/something through basically unauthenticated (that's how 120 days sounds to me), then how about per-MAC or per-IP based exceptions?

I'm thinking of per-MAC IP assignment via something like DHCP, or a static map. I'm not even trying to think about DHCP or MAC address spoofing, or other ways, just to keep my sanity.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
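
As an added illustration of the per-MAC / per-IP exception Tomas suggests above (this is example configuration written for this page, not the poster's or Fortinet's own): a DHCP reservation pins one device to a fixed lease so its IP does not change, a MAC-type address object identifies that device, and a firewall policy with captive-portal-exempt lets only that source through without the portal while everyone else on the guest port still authenticates. The interface names (port3, wan1), the DHCP server ID, the address and policy names, the MAC and IP values, and the FortiOS 7.x syntax (set macaddr) are all assumptions. The trade-off Tomas flags still applies: anyone who spoofs that MAC inherits the exemption, which is why the policy is kept to one source and a short service list.

```fortios
# Added example, not from the original post. Assumes FortiOS 7.x, the guest
# SSID bridged to port3 (192.168.50.0/24) with an existing DHCP server id 3,
# and the uplink on wan1; all names and addresses below are made up.

# 1. Reserve a fixed lease for the device (FortiGate authentication sessions
#    are tracked per source IP, so a changing lease looks like a new client).
config system dhcp server
    edit 3
        config reserved-address
            edit 1
                set ip 192.168.50.50
                set mac 00:11:22:33:44:55
                set action reserved
            next
        end
    next
end

# 2. Address object that matches the device by MAC rather than by IP.
config firewall address
    edit "guest-signage-mac"
        set type mac
        set macaddr 00:11:22:33:44:55
    next
end

# 3. Narrow policy that skips the portal for that one source only.
#    The existing guest policy with the "guest.Wifi" group and the captive
#    portal stays in place beneath it and still applies to everyone else.
config firewall policy
    edit 0
        set name "guest-signage-exempt"
        set srcintf "port3"
        set dstintf "wan1"
        set srcaddr "guest-signage-mac"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set captive-portal-exempt enable
        set nat enable
    next
end
```

Because `edit 0` appends the new policy at the bottom of the table, it has to be moved above the captive-portal guest policy for the exemption to be evaluated first (`config firewall policy` then `move <new-id> before <guest-policy-id>`). Every other guest device keeps authenticating through the portal and remains bound by the 1440-minute hard-timeout ceiling from `config user setting`.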

Eric_Kom
New Contributor II

I know it is security madness.

The client is driving me mad. We have explained to them that the FortiGate is a security device and therefore this cannot be implemented.

Kind regards
