Description
This article shows an example of how a usage profile is used and explains why it may not work as expected.
Scope
FortiGate v6.4+.
FortiAuthenticator v6.4.6.
Solution
Usage profiles are a tool available in FortiAuthenticator to enforce specific time or bandwidth limits on users: when the limits are exceeded, the user account is disabled and disconnected from the RADIUS client. This relies on RADIUS Accounting.
Note: Usage Profiles are only enforceable for local users and, starting in 6.5, imported LDAP users. Usage Profiles are NOT enforceable for remote LDAP users!
In this example, a FortiGate will act as RADIUS client, hosting a guest portal for Wi-Fi users. The guest users are redirected by the FortiGate to the FortiAuthenticator in order to authenticate.
RADIUS is used to communicate user information such as initiating IP (Framed-IP-Address), group membership (Fortinet-Group-Name) or other attributes.
Once a user is authenticated on the FortiAuthenticator, the FortiGate, as RADIUS client, receives the user information in an Access-Accept and knows that traffic originating from this IP address belongs to the authenticated user.
Firewall policies can now be matched with this user group defined as the source.
The usage profile defines the usage or quota of these accounts:
Usage profiles are assigned to user groups and apply to all members of the group:
For the Usage Profile to be enforceable, FortiAuthenticator needs to receive updated usage information to determine data and time usage for authenticated sessions. Since user traffic does not traverse the FortiAuthenticator, it must receive that information from the RADIUS client in the form of RADIUS Accounting messages (in this example, the FortiGate is the source).
RADIUS Accounting messages are separate from the original RADIUS Authentication exchange. Accounting uses port 1646 or 1813.
In FortiAuthenticator, Accounting messages received on port 1813 are used for RADIUS SSO (pulling information from Accounting messages and generating an FSSO user session from it), while messages received on port 1646 are used by the RADIUS Accounting Monitor, i.e. Usage Profile enforcement. Accounting messages sent to the wrong port will therefore not count towards the usage profile.
To configure this properly, enable 'Accept RADIUS accounting messages for usage enforcement' in the RADIUS Client configuration and add the RADIUS attribute 'Acct-Interim-Interval' (the accounting interim update interval, i.e. how often the RADIUS client sends accounting updates for the user) in the User Group.
- FortiGate is the Radius Client:
Enable 'Accept RADIUS accounting messages for usage enforcement' and 'Support RADIUS Disconnect messages'. The second option is required so that FortiAuthenticator can send Disconnect messages to forcibly log off a user.
- Add the Acct-Interim-Interval parameter to the user group:
The default interval value is 600 seconds (10 minutes). For this example, 60 seconds will be used.
- Check the Accounting monitor port under Authentication -> RADIUS Service -> Service:
By default, port 1646 is used.
- Make sure 'RADIUS Accounting Monitor' is enabled in the interface used to reach the Radius Client:
- On the FortiGate side, configure the Accounting Server under Radius settings as follows:
config user radius
    edit "FortiAuthenticator"
        set server "192.168.6.211"
        set secret ENC 4tlaR3pD8xERRAslYDbOlIKAnR75+
        set acct-interim-interval 60     <-- in seconds; must match the Acct-Interim-Interval set in the FortiAuthenticator user group
        set radius-coa enable            <-- allows the FortiGate to process Disconnect messages from FortiAuthenticator
        set password-renewal disable
        config accounting-server         <-- destination for the RADIUS Accounting messages
            edit 1
                set status enable
                set server "192.168.6.211"
                set secret ENC GxkarqHcAInRPfP4PJY1g
                set port 1646            <-- the Accounting Monitor port on FortiAuthenticator, not the RADIUS SSO port 1813
            next
        end
    next
end
The interval must be the same value set in the user group on FortiAuthenticator (60 seconds in this example).
Note: FortiAuthenticator does not measure time usage by itself, nor does it log off the user on its own. The FortiGate sends the accounting session information at the configured interval. When the user reaches the Usage Settings defined in the Usage Profile, FortiAuthenticator sends a RADIUS Disconnect message to the FortiGate, and the FortiGate logs off the user and clears all related traffic sessions.
Without RADIUS Accounting, FortiAuthenticator would have no visibility of the user's activities (time/bandwidth usage) and could not enforce the profiles.
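The following is an added, constructed example (not Fortinet code and not taken from this article) that shows the mechanism just described in working Python: the RADIUS client builds Accounting-Request packets (Start, Interim-Update, Stop) carrying Acct-Session-Time and Acct-Input/Output-Octets, the server side validates the Request Authenticator against the shared secret before trusting the values, keeps the running totals per session, and decides when the usage profile is exhausted and a Disconnect should be sent. The shared secret, user name, IP address and usage figures are constructed placeholders, and the assumption that the quota is cumulative across a user's sessions (as the Cumulative tab suggests) is the example's own; the article does not spell out the product's exact counting rules.

```python
import hashlib
import struct
from dataclasses import dataclass

# RADIUS packet code and attribute types (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP = 1, 8
ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_INPUT_OCTETS, ATTR_ACCT_OUTPUT_OCTETS = 40, 42, 43
ATTR_ACCT_SESSION_ID, ATTR_ACCT_SESSION_TIME = 44, 46
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3
STRING_ATTRS = {ATTR_USER_NAME, ATTR_ACCT_SESSION_ID}


def build_acct_request(secret, ident, attrs):
    """Encode an Accounting-Request (what the RADIUS client sends). Per RFC 2866 the
    Request Authenticator is MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_acct_request(packet, secret):
    """Verify the authenticator with the shared secret, then decode the attributes
    into a dict keyed by attribute type. Packets that fail the check are rejected,
    so a forged or mis-keyed accounting update never reaches the usage logic."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("bad Request Authenticator (wrong shared secret?)")
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        t, value = body[i], body[i + 2:i + body[i + 1]]
        if t in STRING_ATTRS:
            attrs[t] = value.decode()
        elif t == ATTR_FRAMED_IP and len(value) == 4:
            attrs[t] = ".".join(str(b) for b in value)
        elif len(value) == 4:
            attrs[t] = struct.unpack("!I", value)[0]  # integer-valued attributes
        i += body[i + 1]
    return attrs


@dataclass
class UsageProfile:
    max_seconds: int  # time quota (assumed cumulative over the user's sessions)
    max_octets: int   # data quota, input + output (assumed cumulative)


class UsageMonitor:
    """Stores the latest running totals per session (interim updates carry cumulative
    session values, not deltas) and sums them per user. update() returns the action
    the server should take for each accounting message."""

    def __init__(self, profile):
        self.profile, self.sessions = profile, {}

    def totals(self, user):
        rows = [v for (u, _), v in self.sessions.items() if u == user]
        return sum(s for s, _ in rows), sum(o for _, o in rows)

    def update(self, attrs):
        key = (attrs[ATTR_USER_NAME], attrs[ATTR_ACCT_SESSION_ID])
        octets = attrs.get(ATTR_ACCT_INPUT_OCTETS, 0) + attrs.get(ATTR_ACCT_OUTPUT_OCTETS, 0)
        self.sessions[key] = (attrs.get(ATTR_ACCT_SESSION_TIME, 0), octets)
        if attrs.get(ATTR_ACCT_STATUS_TYPE) == STATUS_STOP:
            return "stopped"
        secs, total = self.totals(key[0])
        if secs >= self.profile.max_seconds or total >= self.profile.max_octets:
            return "disconnect"  # server should now send a Disconnect message to the client
        return "ok"


def demo():
    """Constructed accounting flow for one guest user: two sessions, 60-second interim
    updates, a 1-hour time quota and a 50 MiB data quota. Returns one decision per message."""
    secret = b"constructed-shared-secret"  # placeholder, not a real secret
    monitor = UsageMonitor(UsageProfile(max_seconds=3600, max_octets=50 * 2**20))
    flow = [  # (session id, Acct-Status-Type, session seconds, input octets, output octets)
        ("0001", STATUS_START, 0, 0, 0),
        ("0001", STATUS_INTERIM, 60, 1_000_000, 200_000),
        ("0001", STATUS_STOP, 1800, 20_000_000, 5_000_000),
        ("0002", STATUS_START, 0, 0, 0),
        ("0002", STATUS_INTERIM, 1800, 3_000_000, 500_000),  # cumulative time now 3600 s
    ]
    decisions = []
    for ident, (sid, status, secs, inp, out) in enumerate(flow):
        attrs = [(ATTR_USER_NAME, b"guest01"), (ATTR_FRAMED_IP, bytes([10, 0, 0, 5])),
                 (ATTR_ACCT_SESSION_ID, sid.encode())]
        attrs += [(t, struct.pack("!I", n)) for t, n in (
            (ATTR_ACCT_STATUS_TYPE, status), (ATTR_ACCT_SESSION_TIME, secs),
            (ATTR_ACCT_INPUT_OCTETS, inp), (ATTR_ACCT_OUTPUT_OCTETS, out))]
        packet = build_acct_request(secret, ident, attrs)  # what the RADIUS client would send
        decisions.append(monitor.update(parse_acct_request(packet, secret)))
    return decisions


if __name__ == "__main__":
    print(demo())  # ['ok', 'ok', 'stopped', 'ok', 'disconnect']
```

The point the example makes is the one the note above makes about the product: the server never observes the user's traffic, so every number it enforces on comes from the accounting messages. If those messages stop arriving (wrong port, interim interval not set, accounting server disabled), the monitor's totals simply stop growing and no disconnect is ever issued, which is exactly the "usage profile is not working" symptom.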
- When the user authenticates via Captive Portal, it is possible to see the session information on FortiAuthenticator:
Monitor -> Authentication -> RADIUS Sessions.
When the threshold is reached (Time Usage or Data Usage) the user is automatically logged off. It is also possible to log off the user manually through the Logoff button.
- The session information is recorded in the Cumulative tab:
- Once logged off, the user receives the 'Usage limit exceeded' status and cannot authenticate while in this state:
- To re-enable the user, select the option below: