Technical Tip: Usage Profiles not enforced for RADIUS authenticated users (using RADIUS Accounting)
Description
The purpose of this article is to show an example of how a usage profile is used and why it may not work.
Scope
FortiGate v6.4+, FortiAuthenticator v6.4+.
Solution
Usage profiles are a tool available in FortiAuthenticator to enforce specific time or bandwidth limits on users: when the limits are exceeded, the user account is disabled and disconnected from the RADIUS client. This relies on RADIUS Accounting.
Note: Usage Profiles are only enforceable for local users and, starting in 6.5, manually imported LDAP users.
In this example, a FortiGate will act as a RADIUS client, hosting a guest portal for Wi-Fi users. The guest users are redirected by the FortiGate to the FortiAuthenticator in order to authenticate.
RADIUS is used to communicate user information, such as initiating IP (Framed-IP-Address), group membership (Fortinet-Group-Name) or other attributes.
Once a user is authenticated on the FortiAuthenticator, the FortiGate, as the RADIUS client, receives this information in an Access-Accept and knows that traffic originating from this IP belongs to the authenticated user.
Firewall policies can now be matched with this user group, defined as the source. The usage profile defines the usage or quota of these accounts:
[Screenshots: usage profile; User Group]
To configure this properly, enable 'Accept RADIUS accounting messages for usage enforcement' in the RADIUS Client configuration and add the RADIUS Attribute 'Acct-Interim-Interval' (Accounting interim update interval, how often the RADIUS client should send accounting updates for the user) in the User Group.
- FortiGate is the RADIUS Client:
[Screenshot: RADIUS client]
- Add the Acct-Interim-Interval parameter to the user group:
[Screenshot: RADIUS Attributes]
The default interval value is 600 seconds (10 minutes). For this example, 60 seconds will be used.
- Check the Accounting monitor port under Authentication -> RADIUS Service -> Service, as it may need to be adjusted on the accounting client (FortiGate in this example):

By default, port 1646 is used.
- Make sure 'RADIUS Accounting Monitor' is enabled on the interface used to reach the RADIUS Client:
[Screenshot: Interface services]
- On the FortiGate side, configure the FortiGate interface and Accounting Server under the RADIUS settings as follows:
config system interface
    edit "port1"    <----- Interface that will receive the accounting packets from the RADIUS server.
        append allowaccess radius-acct
    next
end
config user radius
    edit "FortiAuthenticator"
        set server "192.168.6.211"
        set acct-interim-interval 60
        set radius-coa enable
        set password-renewal disable
        config accounting-server
            edit 1
                set status enable
                set server "192.168.6.211"
                set port 1646
            next
        end
    next
end
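Since enforcement depends on the accounting updates actually reaching FortiAuthenticator, the following added example (not part of the original article and not Fortinet code) decodes the UDP payload of a RADIUS Accounting-Request, verifies its RFC 2866 Request Authenticator against the shared secret, and extracts the session-time and octet counters. The function names, shared secret, user name and counter values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 2866 attributes that carry the counters a usage profile depends on.
NAMES = {1: "User-Name", 40: "Acct-Status-Type", 42: "Acct-Input-Octets",
         43: "Acct-Output-Octets", 46: "Acct-Session-Time"}
INTEGERS = {40, 42, 43, 46}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_acct_request(ident, attrs, secret):
    """Build a constructed Accounting-Request (code 4) for offline testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", 4, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def parse_acct_request(pkt, secret):
    """Check the Request Authenticator, then decode the known attributes."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 4 or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    pkt = pkt[:length]  # ignore padding after the declared length
    digest = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(digest, pkt[4:20]):
        raise ValueError("authenticator mismatch: check the shared secret")
    out, pos = {}, 20
    while pos < length:
        if length - pos < 2 or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("truncated or invalid attribute")
        atype, value = pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
        if atype in INTEGERS:
            if len(value) != 4:
                raise ValueError("integer attribute is not 4 bytes")
            out[NAMES[atype]] = struct.unpack("!I", value)[0]
        elif atype in NAMES:
            out[NAMES[atype]] = value.decode("utf-8", "replace")
    out["Acct-Status-Type"] = STATUS.get(out.get("Acct-Status-Type"), "unknown")
    return out


SECRET = b"example-secret"  # assumption: placeholder; SAMPLE values are constructed
SAMPLE = build_acct_request(7, [
    (1, b"guest01"), (40, struct.pack("!I", 3)), (46, struct.pack("!I", 60)),
    (42, struct.pack("!I", 1200000)), (43, struct.pack("!I", 5300000))], SECRET)
```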
Note:
- When the user authenticates via Captive Portal, it is possible to see the session information on FortiAuthenticator under Monitor -> Authentication -> RADIUS Sessions.

When the threshold is reached (Time Usage or Data Usage), the user is automatically logged off. It is also possible to log off the user manually through the Logoff button.
- The session information is recorded in the Cumulative tab, and FortiAuthenticator also sends the Disconnect-Request packet.

- Once logged off, the user receives the 'Usage limit exceeded' status. The user can no longer authenticate with this status.

- To re-enable the user for another slot of the same profile, select the option below:

