FortiAP
laltuzar, Staff
Article Id 288818

Description

 

This article describes troubleshooting steps for an issue where a wireless client on an SSID authenticated through a captive portal is presented with the portal again after roaming between FortiAPs, forcing the user to log in repeatedly.

 

Scope

 

FortiGate101E v7.0.11:0489, FortiAP-431F v7.0.7:0134.

 

Solution

 

In this scenario all SSIDs are authenticated against Cisco ISE acting as the RADIUS server. A user logs in through the captive portal and gains access to the network or the Internet. Everything works until the user roams from one FortiAP to another, or the AP's channel is changed: the client is de-authenticated and the captive portal is shown again, so users have to sign in over and over.

Diagram:


Cisco ISE --- FortiGate --- LAN --- FortiAP
FG101E v7.0.11:0489
FAP-431F v7.0.7:0134

 

To reproduce the scenario:

 

  1. Connect the user to the SSID.
  2. Enter credentials to log in.
  3. After logging in successfully, move to another area to perform roaming.
  4. The captive portal will be shown again.
  5. Re-enter credentials to log in.

 

To resolve the issue:

 

Configure the authentication timeout under 'user setting' on the FortiGate CLI, raising auth-timeout from its default of 5 minutes to 480 minutes (8 hours) so the firewall authentication session outlives the roam:

 

config user setting
    set auth-timeout 480
end

 

Note that auth-timeout is a global setting for firewall authentication, not specific to this SSID, and how it is applied depends on auth-timeout-type in the same section (idle-timeout by default, or hard-timeout / new-session). A longer timeout also keeps an idle or abandoned session authorized on that client IP address for longer, so use the smallest value that covers the expected roaming behaviour.

 

If the issue persists, open a new ticket with the TAC team referencing this article and attach the following information:

 

  1. Enable the following debugs in the FortiGate CLI (wpad for the wireless controller's authentication daemon, fnbamd for the RADIUS exchange with Cisco ISE):

diagnose debug reset
diagnose debug disable

diagnose debug console timestamp enable
diagnose debug app wpad 7
diagnose debug app fnbamd -1
diagnose debug duration 0
diagnose debug enable

  2. Reproduce the issue, capturing the RADIUS packets between the FortiGate and Cisco ISE during the test.
  3. After the client connects and passes authentication, collect the following output, replacing <sta_mac> with the client's MAC address:

diagnose firewall auth list
diagnose wireless-controller wlac -d sta online | grep <sta_mac>

  4. Change the channel of the AP. If the client is asked to open the portal again, leave the portal page as it is without logging in again and collect the same output once more:

diagnose firewall auth list
diagnose wireless-controller wlac -d sta online | grep <sta_mac>

Comparing the two 'diagnose firewall auth list' outputs shows whether the client's authentication entry was removed when it roamed, or whether a fresh login replaced it.
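To make the two 'diagnose firewall auth list' captures easier to compare, the following Python script is added here as an example; it is not part of the original article or of Fortinet's tooling. It parses each capture and reports whether the client's authentication entry survived the roam, was dropped, or was replaced by a new login (duration counter restarted). The SAMPLE_* texts are constructed to mimic the FortiGate 7.0 output layout; the IP address, username and counters are illustrative, and timeout_applied assumes auth-timeout-type idle-timeout, where allow-idle equals auth-timeout in seconds.

```python
"""Compare 'diagnose firewall auth list' output captured before and after a roam.

Added example, not Fortinet code. The SAMPLE_* texts are constructed to mimic
the FortiGate 7.0 output layout; the IP, user and counters are illustrative.
"""
import re
from dataclasses import dataclass

# Header line of each entry: "<client-ip>, <username>"
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)$")
# "key: <integer>" pairs such as "duration: 4123" or "allow-idle: 28800"
KV_RE = re.compile(r"([\w-]+):\s*(\d+)\b")
INT_FIELDS = {"duration": "duration", "idled": "idled",
              "expire": "expire", "allow-idle": "allow_idle"}


@dataclass
class AuthEntry:
    ip: str
    user: str
    duration: int = 0    # seconds since the session was authenticated
    idled: int = 0       # seconds without traffic
    expire: int = 0      # seconds until the session times out
    allow_idle: int = 0  # configured idle allowance (auth-timeout in seconds)
    server: str = ""     # authentication server name (e.g. the ISE RADIUS object)
    flags: str = ""      # value after "flag(..):", e.g. "radius"


def parse_auth_list(text: str) -> dict:
    """Return {client_ip: AuthEntry} for every entry in the capture."""
    entries, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            cur = AuthEntry(ip=m.group(1), user=m.group(2))
            entries[cur.ip] = cur
            continue
        if cur is None or line.startswith("-----"):
            cur = None  # summary line ends the current entry
            continue
        if line.startswith("server:"):
            cur.server = line.split(":", 1)[1].strip()
        elif line.startswith("flag"):
            cur.flags = line.split(":", 1)[1].strip()
        else:
            for key, val in KV_RE.findall(line):
                if key in INT_FIELDS:
                    setattr(cur, INT_FIELDS[key], int(val))
    return entries


def roam_verdict(before: dict, after: dict, ip: str) -> str:
    """Classify what happened to one client's auth session across the roam."""
    b, a = before.get(ip), after.get(ip)
    if b is None:
        return "not-authenticated-before"
    if a is None:
        return "dropped"           # entry gone: the portal will be shown again
    if a.duration < b.duration:
        return "re-authenticated"  # duration restarted: a fresh login happened
    return "survived"


def timeout_applied(entry: AuthEntry, auth_timeout_minutes: int) -> bool:
    """Assumption: with auth-timeout-type idle-timeout, allow-idle equals the
    configured auth-timeout expressed in seconds."""
    return entry.allow_idle == auth_timeout_minutes * 60


# Constructed sample: capture taken right after the client passed the portal.
SAMPLE_BEFORE = """\
10.10.10.5, jdoe
        type: fw, id: 0, duration: 125, idled: 3
        expire: 28797, allow-idle: 28800
        flag(80): radius
        server: ISE
        packets: in 512 out 430, bytes: in 61440 out 51600
        group_id: 2
        group_name: ISE_GROUP
----- 1 listed, 0 filtered ------
"""

# Constructed sample: capture taken after the roam; the session is still present.
SAMPLE_AFTER = """\
10.10.10.5, jdoe
        type: fw, id: 0, duration: 410, idled: 1
        expire: 28799, allow-idle: 28800
        flag(80): radius
        server: ISE
        packets: in 2048 out 1900, bytes: in 245760 out 228000
        group_id: 2
        group_name: ISE_GROUP
----- 1 listed, 0 filtered ------
"""

# Constructed sample: the failing case, where the entry vanished after the roam.
SAMPLE_AFTER_DROPPED = "----- 0 listed, 0 filtered ------\n"

if __name__ == "__main__":
    before = parse_auth_list(SAMPLE_BEFORE)
    print(roam_verdict(before, parse_auth_list(SAMPLE_AFTER), "10.10.10.5"))
    print(roam_verdict(before, parse_auth_list(SAMPLE_AFTER_DROPPED), "10.10.10.5"))
    print(timeout_applied(before["10.10.10.5"], 480))
```

Paste the real captures from steps 3 and 4 in place of the SAMPLE_* strings and pass the client's IP address to roam_verdict; a "dropped" result confirms the symptom described in this article, while "re-authenticated" means the client did log in again before the second capture was taken.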
