Created on 05-06-2021 03:11 AM Edited on 11-23-2021 08:07 AM By Anonymous
Description
This article describes a known issue with Chromium-based browsers (Chrome, Edge, etc.) and Captive Portal authentication on FortiGate that can cause unintended authentication timeouts.
Solution
For Captive Portal authentication, FortiGate offers a keepalive page that keeps the authentication active so that it does not time out.
It is enabled with the following configuration:
# config system global
set auth-keepalive enable
end
With this configured, users are presented with a keepalive page after authenticating and are directed to start browsing in a new tab, while the keepalive page stays open in the background. However, this can cause unintended authentication timeouts with Chrome and other Chromium-based browsers.
Chrome version 88 introduced a change in how background tabs are handled.
In particular, they will be throttled, causing any scripts running on them to be executed much more slowly: https://developer.chrome.com/blog/timer-throttling-in-chrome-88/
The keepalive page FortiGate provides for authentication contains JavaScript that triggers a burst of traffic to the FortiGate to keep the connection up and running.
With the change in Chrome, this script runs too slowly in a background tab, and the FortiGate detects that a keepalive message is missing.
It then removes the user from the list of authenticated users.
The user needs to authenticate again on the next connection attempt, which triggers the redirect to the authentication portal.
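The failure described above can be modelled in a few lines of JavaScript. This is an added example, not Fortinet's keepalive script and not part of the original article. The keepalive interval and the gateway's tolerance are assumed sample values; the 5-minute and once-per-minute figures come from the Chrome post linked above, and wake-ups are simplified to whole minutes after the tab is hidden.

```javascript
// Model of a background-tab keepalive under Chrome 88+ timer throttling.
// Intervals passed in are constructed sample values, not FortiGate's real ones.

// From the Chrome post: after a tab has been hidden for 5 minutes, chained
// timers are only allowed to run once per minute.
const HIDDEN_BEFORE_THROTTLE_MS = 5 * 60 * 1000;
const THROTTLED_WAKE_MS = 60 * 1000;

// Times (ms after the tab was hidden) at which the keepalive script runs.
function keepaliveFireTimes(intervalMs, durationMs) {
  const times = [];
  let t = 0;
  while (true) {
    let next = t + intervalMs; // the script re-arms its timer after each run
    if (next >= HIDDEN_BEFORE_THROTTLE_MS) {
      // Throttled: the run is deferred to the next once-per-minute wake-up.
      next = Math.ceil(next / THROTTLED_WAKE_MS) * THROTTLED_WAKE_MS;
    }
    if (next > durationMs) break;
    times.push(next);
    t = next;
  }
  return times;
}

// Time (ms) at which a gateway that tolerates at most graceMs between
// keepalives would drop the user, or null if the session survives.
function firstTimeout(intervalMs, graceMs, durationMs) {
  let last = 0;
  for (const t of keepaliveFireTimes(intervalMs, durationMs)) {
    if (t - last > graceMs) return last + graceMs;
    last = t;
  }
  return durationMs - last > graceMs ? last + graceMs : null;
}

// Assumed values: keepalive every 20 s, gateway tolerates 45 s of silence.
const dropped = firstTimeout(20_000, 45_000, 10 * 60 * 1000);
console.log(dropped === null ? "session kept" : `dropped after ${dropped / 1000} s`);
```

In this model the session survives the first five minutes in the background and is dropped only once throttling stretches the gap between keepalives past the gateway's tolerance.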
There are a few workarounds available:
1) Use a non-Chromium browser.
Any browser using a recent Chromium codebase may be affected, such as Edge or Opera.
Browsers such as Firefox, using a different codebase, should not be affected unless a similar change is introduced to them at a later date.
2) Disable keepalive.
# config system global
set auth-keepalive disable
end
With the keepalive disabled, FortiGate will instead apply configured timeouts.
The default configuration is an idle-timeout of five minutes; if the FortiGate did not receive any traffic from the user in the last five minutes, the user is de-authenticated.
This can require re-authentication after a coffee or lunch break, for example.
Related Articles
Technical Tip: Explanation of auth-timeout types for Firewall authentication users