Skip to main content
istvanmarlok
istvanmarlok
Visitor III
October 18, 2022
Question

Captive Portal Session timeout & Renewal Frequency

  • October 18, 2022
  • 5 replies
  • 19277 views

Hi All,

 

I have the following situation: I configured a guest SSID with Disclaimer Only authentication. I would like to configure the session timeout to 3 hour, and the renewal frequency to 1 hour (after the session time out, the user can not authenticate to the ssid until 1 hour). Is it possible to configure that?
I tried to configure this field from FortiManager:  captive-portal-auth-timeout

But it looks like this field doesn't exists on our Fortigate.

 

Environment: 

Fortigate40F with FortiOs 7.2.2

Fortimanager 7.2.1 OS

FortiAP 231F 7.2.1 OS

 

Thank you!

 

Best Regards,

Istvan

5 replies

A
Anonymous_User
Contributor
October 18, 2022

Hello Istvan 

I can refer you two useful articles related to different auth time outs, syntax might need to be changed on FMG according to syntax in the articles

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-external-captive-portal-authentication/ta-p/208486

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Chromium-based-Browsers-and-Captive-Portal/ta-p/191776

 

Please let us know about the outcome, and if it does not work out this way

 

Regards !

Edvin 

 

 

istvanmarlok
istvanmarlokAuthor
Visitor III
November 7, 2022

Hello,

 

Thank you, but unfortunatelly i didn't find the solution in these articles :(

I use the internal Disclaimer page on the FortiGate with no authentication. My goal is to drop the client after 2 hours, and after that the user have to Agree with the user terms again, if she/he would like to continue using our Guest network.

Other vendors call these feature like Client Session Timeout

Do you have any idea for that?

 

Thanks

Istvan

    Debbie_FTNT
    Staff & Editor
    Debbie_FTNT
    Staff & Editor
    November 7, 2022

    Hey Istvan,

    the auth-portal-timeout is not for deauthenticating portal users, if I remember correctly, but how long FortiGate will wait to complete a captive-portal authentication (this can take a few minutes if external captive portals and/or user registration and/or activation links/codes are involved).

    Try the following setting:
    #config user setting
    #set auth-timeout-type hard-timeout
    #set auth-timeout 120

    #end

     

    This should enforce a hard-timeout after two hours.

    Please note this will affect ALL users, not just captive portal users!

     

    As an alternative, you can look into webfilter quotas:

    https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/898834/web-filtering-using-quotas
    This is an option available in proxy-mode (the vdom or webfilter profile needs to be in proxy mode); you could then set time-limits for specific or all webfilter categories to block users after they have reached the limit. The quota resets at midnight. You could set that on the policies handling captive portal traffic to ensure users going through these policies will get their access blocked after a certain amount of time.

     

    As for enforcing a set time period before a user can connect again, I'm not sure this is possible; I've done a bit of research, but not found anything so far. There are some authentication blackout settings, but those only take effect after a user has failed authentication multiple times, which is not going to be the case with just a disclaimer.

      glaster
      glaster
      Explorer
      November 17, 2023

      Did you find a solution to this?  I am currently looking for the same thing.  I want to make it where the device can connect for 8 hours, then drops connection and has to reauthenticate and agree to terms.  And mandatory agree to terms if they disconnect and then reconnect.  

      istvanmarlok
      istvanmarlokAuthor
      Visitor III
      November 17, 2023

      Hi,

      Unfortunatelly I didn't find any solution for that.

      Dmolinari
      Dmolinari
      New Member
      April 22, 2026

      Hello everyone

      Has a solution been found for version 7.4.11 to the original issue reported by ​@istvanmarlok? If I use an external "Disclaimer Only" captive portal, can I ensure that idle clients are deauthenticated after 2 hours?
      I can use the Cisco ISE captive portal. Has anyone already done this type of configuration?

      Blinder
      Blinder
      New Member
      May 28, 2026

      Hi im wondering the same thing, where are the setting for “client-session” timeout??

      Terms & ConditionsAccessibility statement