Description
This article describes troubleshooting steps for an issue that may occur when a client connected to a particular SSID is repeatedly presented with the captive portal for authentication, forcing the user to log in to the captive portal again each time.
Scope
FortiGate101E v7.0.11:0489, FortiAP-431F v7.0.7:0134.
Solution
All SSIDs are authenticated by Cisco ISE. The customer can log in to access the Internet or network. If a user moves from one access point to another, the user needs to authenticate again.
Consider a case where WiFi users on an SSID authenticate against a Cisco ISE RADIUS server. Everything works correctly until the user roams from one AP to another or changes channel, after which the user is de-authenticated and the authentication portal is shown again. As a result, customers need to sign in over and over again.
Diagram:
Cisco ISE --- FortiGate --- LAN --- FortiAP
FG101E v7.0.11:0489
FAP-431F v7.0.7:0134
To reproduce the scenario:
To resolve the issue:
On the FortiGate, set the auth-timeout under 'user setting' to 480 minutes through the CLI:
config user setting
set auth-timeout 480
end
If the issue persists, open a new ticket with the TAC team, referencing this article. Attach the following information:
diagnose debug reset
diagnose debug disable
diagnose debug console timestamp enable
diagnose debug app wpad 7
diagnose debug app fnbamd -1
diagnose debug duration 0
diagnose debug enable
Reproduce the issue.
diagnose firewall auth list
diagnose wireless-controller wlac -d sta online | grep <sta_mac>
diagnose firewall auth list
diagnose wireless-controller wlac -d sta online | grep <sta_mac>
Copyright 2025 Fortinet, Inc. All Rights Reserved.