Skip to main content
H
Staff & Editor
Hawada1
Staff & Editor
November 16, 2022

Technical Tip: Send RADIUS Change of Authorization (CoA) via FortiAuthenticator

  • November 16, 2022
  • 0 replies
  • 7175 views
Description This article describes the needed configuration between FortiGate and FortiAuthenticator to send Disconnect-Request and receive a successful Disconnect-ACK from FortiGate.
Scope FortiGate, FortiAuthenticator.
Solution

Change of Authorization or CoA allows a RADIUS server to adjust an active supplicant session based upon authorization.


Customers can leverage RADIUS CoA to change the client access in the network in case of the quota limit assigned to the profile is consumed or exceeded the time limit or in case an administrator wants to manually terminate/disconnect a VPN user session from FortiGate.

1) FortiAuthenticator uses the RADIUS Accounting port number port 1646 to receive accounting messages. Make sure it is enabled on the FortiAuthenticator interface.


Hawada1_3-1668611846792.png

 

2) Configure the RADIUS server on FortiGate:

# config user radius

    edit "VMFAC001"

        set server "<FAC-IP>"

        set radius-coa enable <--

        set acct-interim-interval 60 <--

 

# config accounting-server

    edit 1

        set status enable

        set server "<FAC-IP>"

        set secret ENC

        set port 1646 <--

    next


3) Add the acct-interim-interval to the User Groups on FortiAuthenticator and set the value to 60.

 

- FortiAuthenticator will then inform FortiGate to send accounting messages in the Access-Accept packet by sending 'Acct-Interim-Interval (85)'.

 

- FortiGate will include RADIUS AVP 'Framed-IP-Address' in the RADIUS Accounting 'Interim-Update' message.

 

Hawada1_0-1668611200724.png


4) Configure RADIUS client on FortiAuthenticator and make sure to enable the following options in the screenshot:


RadiusClient.jpg

 

When FortiAuthenticator manually/automatically disconnects a user, it will then send the disconnect-Request including the following AVPs:

 

- 'Framed-IP-Address (8)' collected via the interim-update (the Client IP should be displayed under Monitor -> Authentication -> RADIUS Sessions).

 

- 'User-Name (1)'.

To log out a user as an admin go to Monitor -> Authentication -> RADIUS Sessions, select the user from the table, and select Logoff.


FAC fortiauthenticator disconnect request attributes.jpg

 

Note:

If FortiAuthenticator sends the Disconnect-Request including only with the AVP 'Username', FortiGate will respond back by Disconnect NAK.
FortiGate requires ('Framed-IP-Address' & 'Username').

Note:

RADIUS CoA support has been added for SSL-VPN starting From FortiOS 7.0.0 GA. After receiving a Disconnect Request(40) from a RADIUS server, the SSL VPN daemon will search related sessions according to username and RADIUS server name to log off the specific user (including web and tunnel sessions)

 

Related document:

https://docs.fortinet.com/document/fortigate/7.0.0/fortios-release-notes/743723/new-features-or-enhancements

 

Terms & ConditionsAccessibility statement