caunon (Staff)
Article Id 352453
Description

This article describes a situation where auth-timeout is configured with auth-timeout-type hard-timeout. Once the auth-timeout value is reached, the user's 'Time Left' in the GUI counts down to 0 seconds and then changes to 47721 day(s). The user can no longer access the Internet, and no login page pops up to let the user log in again.

Scope

FortiGate v7.2.x
Solution

  1. Configure auth-timeout with auth-timeout-type hard-timeout together with a firewall policy that requires user authentication, for example:

config user setting
    set auth-cert "Fortinet_Factory"
    set auth-timeout 960
    set auth-timeout-type hard-timeout
end

config firewall policy
    edit <firewall policy ID>
        set srcintf "port6"
        set dstintf "port1"
        set action accept
        set srcaddr "Wireless"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "UserRadius"
    next
end

config user group
    edit "UserRadius"
        set auth-concurrent-override enable
        set auth-concurrent-value 3
        set member "Radius5"
    next
end

config user radius
    edit "Radius5"
        set server "192.168.15.95"
        set secret ENC nXCrGfGIBgskHBZHTbxDGFKA9P2zhi3uAzdFRTnkRLzMAV6rp/f2820eEDfCO0r+NSuWbXHP70pSqe/iGMmN+9aTbOHsPSXUylX1Y/b+bYsTJZXmne63gzybEs7L02A/jF3OIRxKVv2cF14lmd54u3ALO/Di/cR3Aqn2klFwLOO4FovEM+sNwap5v+O5ybxw/bAppg==
        set password-renewal disable
    next
end

  2. The user logs in and can access the Internet normally.

  • Go to Dashboard -> Users & Devices -> Firewall Users -> Time Left.
  • Make sure the 'Time Left' column is enabled: right-click the 'User Name' column header and tick 'Time Left'.

  • After auth-timeout reaches the configured value (960 in this setting), the user's 'Time Left' counts down to 0 seconds and then changes to 47721 day(s), 20 hour(s), 36 minute(s) and xx second(s).
  • The username still appears under Dashboard -> Users & Devices -> Firewall Users, with 'Time Left' showing 47721 day(s).

The device of that user can no longer access the Internet. When the user tries to browse, no login page pops up to let the user log in again.

To fix:

  1. Workaround (temporary fix):

Go to Dashboard -> Users & Devices -> Firewall Users, select the affected user (the one whose 'Time Left' shows 47721 day(s)) and click the 'Deauthenticate' button.

When the user next tries to access the Internet, the login page appears again, and the user can enter a username and password to regain Internet access.
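As an added illustration (not part of the original article), the following Python snippet converts 'Time Left' strings in the format shown above into seconds and flags any firewall user whose remaining time exceeds the configured auth-timeout (a value in minutes, at most 1440 in FortiOS), which can only happen in the stuck 47721-day state. The user list and its 'Time Left' strings are constructed sample data; the result is the list of users an administrator would deauthenticate.

```python
import re

# 'Time Left' as displayed in the Firewall Users widget, e.g.
# "47721 day(s), 20 hour(s), 36minute(s) and 12 second(s)" or "5 minute(s)".
_UNIT_SECONDS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}
_PART = re.compile(r"(\d+)\s*(day|hour|minute|second)\(s\)")


def time_left_seconds(text: str) -> int:
    """Convert a GUI 'Time Left' string into a number of seconds."""
    return sum(int(n) * _UNIT_SECONDS[unit] for n, unit in _PART.findall(text))


def stuck_users(rows, auth_timeout_minutes: int) -> list:
    """Return usernames whose 'Time Left' exceeds the configured hard timeout.

    With auth-timeout-type hard-timeout a session can never have more time
    left than auth-timeout (minutes; FortiOS caps it at 1440), so a larger
    value means the session is in the broken 47721-day state and should be
    deauthenticated so that the login page is offered again.
    """
    limit = auth_timeout_minutes * 60
    return [user for user, time_left in rows if time_left_seconds(time_left) > limit]


# Constructed sample rows (username, 'Time Left' text); not real device output.
SAMPLE_ROWS = [
    ("bob", "15 hour(s), 59 minute(s) and 30 second(s)"),              # healthy, just logged in
    ("alice", "47721 day(s), 20 hour(s), 36minute(s) and 12 second(s)"),  # stuck state
    ("carol", "0 second(s)"),                                            # expiring normally
]

if __name__ == "__main__":
    # auth-timeout 960 is the value from the configuration above.
    for user in stuck_users(SAMPLE_ROWS, auth_timeout_minutes=960):
        print(f"{user}: 'Time Left' exceeds hard-timeout, deauthenticate this user")
```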

 

 

  2. Permanent fix:

Upgrade the FortiGate firmware to v7.4.4 or later.

After the upgrade, verify the behaviour under Dashboard -> Users & Devices -> Firewall Users -> Time Left.

After auth-timeout reaches the configured value, the user's 'Time Left' counts down to 0 seconds and the username disappears: the session is removed from the authentication list.

When the user then tries to access the Internet, the login page appears again, and the user can enter a username and password to regain Internet access.