Description
This article describes how to configure and verify a hard timeout for authenticated users. The objective is to de-authenticate a user after a fixed duration, regardless of activity. The user can be a remote user who is a member of an LDAP group.
Scope
FortiGate.
Solution
The global hard timeout is set in the CLI:
config user setting
    set auth-timeout x <----- The value of 'x' here is in minutes.
    set auth-timeout-type hard-timeout <----- Make sure the type is hard-timeout; otherwise the value is treated as an idle timeout.
end
If the user belongs to a user group that has its own authtimeout, the group value is applied instead of the global one.
Group configuration:
config user group
    edit "LDAPGroup"
        set authtimeout y <----- The value of 'y' here is in minutes; it overrides the global auth-timeout for members of this group.
        set member "LDAPServer"
        config match
            edit 1
                set server-name "LDAPServer"
                set group-name "CN=Domain Users,CN=Users,DC=abc,DC=com"
            next
        end
    next
end
To verify the timeout applied to a live session, run the following command:
diag firewall auth list
Results:
Wira-kvm17 # diag firewall auth list
10.204.xx.xxx, isaac, LDAPGroup
        src_mac: 00:49:72:xx:xx:xx
        type: fw, id: 0, duration: 8, idled: 1
        expire: 52 <<<< seconds left before the session expires
        flag(4): hard <<<< timeout type (hard-timeout)
        server: LDAPServer
        packets: in 586 out 481, bytes: in 297789 out 122415
        group_id: 2
        group_name: LDAPGroup
Total allowed login time = duration + expire (both values are in seconds). In this capture 8 + 52 = 60 seconds, i.e. a 1-minute timeout.
For example:
After user2 authenticates to the FortiGate, the expire counter counts down to 0. Because the type is hard-timeout, this happens even while user2 is actively passing traffic; once it reaches 0 the session is removed and user2 has to authenticate again in the web browser.
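The following Python script is an added worked example, not part of the article and not Fortinet code. It parses the text of 'diagnose firewall auth list' (for example, captured over SSH and saved to a file), computes duration + expire per session, and reports users whose session is not a hard timeout of the expected length. The sample output is constructed from the capture above, with a second, hypothetical session (user2) added; the empty flag text on that second session is an assumption, since only the 'hard' keyword is relied on.

```python
"""Parse 'diagnose firewall auth list' output and check hard-timeout sessions.

Added example; the sample below is constructed from the article's capture
(addresses masked) plus a hypothetical second session for contrast.
"""
import re
from typing import Dict, List

# Constructed sample. Real output is indented the same way; the trailer line
# is skipped by the parser.
SAMPLE = """\
10.204.xx.xxx, isaac, LDAPGroup
        src_mac: 00:49:72:xx:xx:xx
        type: fw, id: 0, duration: 8, idled: 1
        expire: 52
        flag(4): hard
        server: LDAPServer
        packets: in 586 out 481, bytes: in 297789 out 122415
        group_id: 2
        group_name: LDAPGroup
10.204.xx.yyy, user2, LDAPGroup
        src_mac: 00:49:72:yy:yy:yy
        type: fw, id: 0, duration: 250, idled: 240
        expire: 50
        flag(0):
        server: LDAPServer
        packets: in 10 out 5, bytes: in 1000 out 500
        group_id: 2
        group_name: LDAPGroup
----- 2 listed, 0 filtered ------
"""

# "key: value" lines, including "flag(4): hard"; the session header line
# ("<ip>, <user>, <group>") does not match because the IP contains dots.
KV_RE = re.compile(r"^\s*([\w()]+):\s*(.*)$")


def parse_auth_list(text: str) -> List[Dict]:
    """Return one dict per authenticated session with parsed counters."""
    sessions: List[Dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue
        if not KV_RE.match(line):
            # Header: "<ip>, <user>[, <group>]" starts a new session.
            parts = [p.strip() for p in line.split(",")]
            cur = {"ip": parts[0], "user": parts[1],
                   "group": parts[2] if len(parts) > 2 else None,
                   "fields": {}}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        # Several "key: value" pairs can share one line ("type: fw, id: 0, ...").
        for chunk in line.split(", "):
            m = KV_RE.match(chunk)
            if m:
                cur["fields"][m.group(1)] = m.group(2).strip()
    for s in sessions:
        f = s["fields"]
        s["duration"] = int(f.get("duration", 0))   # seconds logged in so far
        s["idled"] = int(f.get("idled", 0))         # seconds since last traffic
        s["expire"] = int(f.get("expire", 0))       # seconds until removal
        s["total"] = s["duration"] + s["expire"]    # total allowed login time
        flags = " ".join(v for k, v in f.items() if k.startswith("flag("))
        s["hard"] = "hard" in flags.split()
    return sessions


def check_hard_timeout(sessions: List[Dict], expected_minutes: int) -> List[str]:
    """Return users whose session is not a hard timeout of expected_minutes."""
    return [s["user"] for s in sessions
            if not s["hard"] or s["total"] != expected_minutes * 60]


if __name__ == "__main__":
    for s in parse_auth_list(SAMPLE):
        kind = "hard" if s["hard"] else "idle"
        print(f"{s['user']:8} {s['group']:10} {kind:4} "
              f"allowed={s['total']}s remaining={s['expire']}s")
    print("not hard/1min:", check_hard_timeout(parse_auth_list(SAMPLE), 1))
```

Run it against a saved capture by replacing SAMPLE with the file contents; a non-empty result from check_hard_timeout means either the global auth-timeout-type is not hard-timeout or a group authtimeout is overriding the expected value.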
Useful commands:
diagnose firewall auth filter <option> <value> <----- Set a filter, then run 'diagnose firewall auth list' again to show only matching sessions.
    clear <----- Clear all filters.
    source <----- IPv4 source address.
    source6 <----- IPv6 source address.
    policy <----- Policy ID.
    user <----- User name.
    group <----- Group name.
    method <----- Authentication method.
Note: when the FortiGate is also the DHCP server for the authenticated users, a DHCPRELEASE received from a DHCP client clears that client's authentication session immediately. In that case the authtimeout is not honored, so the DHCP lease time needs to be aligned with the authtimeout.