Description: This article describes the needed configuration between FortiGate and FortiAuthenticator to send a Disconnect-Request and receive a successful Disconnect-ACK from FortiGate.
Scope: FortiGate, FortiAuthenticator.
Solution:
Change of Authorization or CoA allows a RADIUS server to adjust an active supplicant session based upon authorization.
2) Configure the RADIUS server on FortiGate:

    # config user radius
        edit "VMFAC001"
            set server "<FAC-IP>"
            set radius-coa enable              <----- accept CoA / Disconnect-Request from this server
            set acct-interim-interval 60       <----- send accounting Interim-Update messages every 60 seconds
            config accounting-server
                edit 1
                    set status enable
                    set server "<FAC-IP>"
                    set secret ENC             <----- shared secret (encrypted value omitted here)
                    set port 1646              <----- accounting port FortiAuthenticator listens on
                next
            end
        next
    end

3) Add the acct-interim-interval to the User Groups on FortiAuthenticator and set the value to 60.
- FortiAuthenticator will then instruct FortiGate to send accounting messages by including 'Acct-Interim-Interval (85)' in the Access-Accept packet.
- FortiGate will include RADIUS AVP 'Framed-IP-Address' in the RADIUS Accounting 'Interim-Update' message.
When FortiAuthenticator manually/automatically disconnects a user, it will then send the Disconnect-Request including the following AVPs:
- 'Framed-IP-Address (8)' collected via the interim-update (the Client IP should be displayed under Monitor -> Authentication -> RADIUS Sessions).
- 'User-Name (1)'.
Note: If FortiAuthenticator sends the Disconnect-Request including only the AVP 'User-Name', FortiGate will respond with a Disconnect-NAK.

RADIUS CoA support has been added for SSL-VPN starting from FortiOS 7.0.0 GA. After receiving a Disconnect-Request (40) from a RADIUS server, the SSL VPN daemon searches the related sessions by username and RADIUS server name and logs off the specific user (including web and tunnel sessions).
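The exchange described above, as an added example that is not part of the original article and not Fortinet code: a Python model of the RADIUS Disconnect-Request / Disconnect-ACK / Disconnect-NAK messages from RFC 5176. The "server" side builds a Disconnect-Request carrying 'User-Name (1)' and 'Framed-IP-Address (8)'; the "NAS" side first verifies the Request Authenticator with the shared secret (an unauthenticated Disconnect-Request must be silently discarded, which is what stops a third party from logging users off), then looks up the session by username and client IP and answers with Disconnect-ACK (41) or, when 'Framed-IP-Address' is absent or unknown, Disconnect-NAK (42). The session table, shared secret and the exact matching rule are constructed assumptions that mirror the page's note; the Error-Cause (101) value 503 "Session Context Not Found" comes from RFC 5176, not from the page.

```python
import hashlib
import hmac
import ipaddress
import struct

# Packet codes from RFC 5176
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# Attribute types: RFC 2865 for User-Name / Framed-IP-Address, RFC 5176 for Error-Cause
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
ERROR_CAUSE = 101
SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value, RFC 5176 section 3.5 (assumed, not from the page)

SECRET = b"constructed-shared-secret"  # constructed; a real deployment uses the configured RADIUS secret


def encode_attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; ints are sent as 4-byte big-endian."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attrs(data):
    """Decode a TLV attribute list into {type: raw value}; rejects malformed lengths."""
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_disconnect_request(secret, identifier, username, framed_ip=None):
    """Server side (FortiAuthenticator's role). Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), per RFC 5176."""
    attrs = encode_attr(USER_NAME, username)
    if framed_ip is not None:
        attrs += encode_attr(FRAMED_IP_ADDRESS, int(ipaddress.IPv4Address(framed_ip)))
    unsigned = build_packet(DISCONNECT_REQUEST, identifier, bytes(16), attrs)
    auth = hashlib.md5(unsigned + secret).digest()
    return build_packet(DISCONNECT_REQUEST, identifier, auth, attrs)


def nas_handle_disconnect(packet, secret, sessions):
    """NAS side (FortiGate's role, modelled). Returns (response bytes, matched session)
    or (None, None) when the packet must be silently discarded."""
    if len(packet) < 20:
        return None, None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None, None
    request_auth, attrs_raw = packet[4:20], packet[20:]
    # Verify the authenticator before acting on anything in the packet
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, request_auth):
        return None, None
    attrs = decode_attrs(attrs_raw)
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    ip_raw = attrs.get(FRAMED_IP_ADDRESS)
    match = None
    if ip_raw is not None and len(ip_raw) == 4:
        match = sessions.get((username, str(ipaddress.IPv4Address(ip_raw))))
    if match is None:  # no Framed-IP-Address, or no session for (user, IP): NAK
        code, resp_attrs = DISCONNECT_NAK, encode_attr(ERROR_CAUSE, SESSION_CONTEXT_NOT_FOUND)
    else:
        code, resp_attrs = DISCONNECT_ACK, b""
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    unsigned = build_packet(code, identifier, request_auth, resp_attrs)
    resp_auth = hashlib.md5(unsigned + secret).digest()
    return build_packet(code, identifier, resp_auth, resp_attrs), match


def demo():
    """Run the three cases from the article's note: IP + name, name only, wrong secret."""
    sessions = {("alice", "10.10.10.5"): "sslvpn-tunnel-1"}  # constructed session table
    results = {}
    resp, _ = nas_handle_disconnect(build_disconnect_request(SECRET, 7, "alice", "10.10.10.5"), SECRET, sessions)
    results["with_ip"] = resp[0]
    resp, _ = nas_handle_disconnect(build_disconnect_request(SECRET, 8, "alice"), SECRET, sessions)
    results["name_only"] = resp[0]
    resp, _ = nas_handle_disconnect(build_disconnect_request(b"wrong-secret", 9, "alice", "10.10.10.5"), SECRET, sessions)
    results["bad_secret"] = None if resp is None else resp[0]
    return results


if __name__ == "__main__":
    print(demo())  # {'with_ip': 41, 'name_only': 42, 'bad_secret': None}
```

The ordering in nas_handle_disconnect is the point worth keeping when reading FortiGate's behaviour: the authenticator is checked against the shared secret before the attributes are even parsed, so a Disconnect-Request from a host that does not hold the secret never reaches the session lookup, and the NAK path only decides between sessions it already trusts.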
Related document:
Copyright 2024 Fortinet, Inc. All Rights Reserved.