Technical Tip: Various options to disconnect an active RADIUS user
| Description | This article describes how an active RADIUS user can be disconnected over the RADIUS Accounting Monitor option and from the FortiGate. |
| Scope | FortiAuthenticator v6.x. |
| Solution | In the example below, FortiGate is the RADIUS client (172.31.207.87) and FortiAuthenticator is the RADIUS server (172.31.202.36).
Configure the Change of Authorization (CoA) and RADIUS accounting servers in FortiGate and FortiAuthenticator as described in the article: Technical Tip: Send RADIUS Change of Authorization (CoA)
Once the above is configured, all active RADIUS sessions are recorded under Monitor -> Authentication -> RADIUS sessions.
A specific user can be selected there to log off. FortiAuthenticator then initiates a disconnect request, FortiGate acknowledges it (Disconnect-ACK), and the user session is terminated, as seen below.
On the FortiGate GUI, navigate to Dashboard -> Users & Devices, select the user and select Deauthenticate.
On the FortiGate CLI, the following commands can be used:
diagnose firewall auth filter user <username>
diagnose firewall auth clear
diagnose firewall auth filter clear
The packet capture below shows the accounting request reporting the connection termination, which FortiAuthenticator acknowledges.
|
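The Disconnect-Request / Disconnect-ACK exchange described above, as an added Python example (not from the original article and not Fortinet code): it parses both packets and checks the RFC 5176 authenticators against the shared secret, which is the check that lets a RADIUS client discard a disconnect that does not come from its configured server. The secret, user name and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
USER_NAME = 1  # RFC 2865 attribute type

def build(code, ident, attrs, secret, request_auth=bytes(16)):
    """Requests hash 16 zero octets; replies hash the request's authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse(packet):
    """Return (code, identifier, authenticator, {attribute type: value})."""
    if len(packet) < 20 or not 20 <= int.from_bytes(packet[2:4], "big") <= len(packet):
        raise ValueError("bad RADIUS header or length field")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs

def authentic(packet, secret, request_auth=bytes(16)):
    """Recompute the MD5 authenticator and compare in constant time."""
    length = struct.unpack("!H", packet[2:4])[0]
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret)
    return hmac.compare_digest(packet[4:20], digest.digest())

def check_exchange(request, reply, secret):
    """Classify a Disconnect-Request and the reply that answers it."""
    rcode, rid, rauth, attrs = parse(request)
    code, ident, _, _ = parse(reply)
    if rcode != DISCONNECT_REQUEST or not authentic(request, secret):
        return "request rejected"
    if ident != rid or not authentic(reply, secret, rauth):
        return "reply rejected"
    user = attrs.get(USER_NAME, b"?").decode(errors="replace")
    return f"{user}: " + ("disconnected" if code == DISCONNECT_ACK else "not disconnected")

# Constructed sample exchange (secret and user name are made up).
SECRET = b"constructed-secret"
REQ = build(DISCONNECT_REQUEST, 7, [(USER_NAME, b"testuser")], SECRET)
ACK = build(DISCONNECT_ACK, 7, [], SECRET, request_auth=REQ[4:20])
```

A reply whose authenticator was not computed over the request's authenticator, or whose identifier differs, is reported as rejected rather than as a successful disconnect.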




