FortiGate
Debbie_FTNT
Staff
Article Id 208486

Description

This article explains common timeout issues with FortiGate and external captive portal configuration.

Scope

FortiGate.

Solution

FortiGate offers Captive Portal authentication in the context of WiFi or interface authentication.

It also allows captive portal authentication to be redirected to an external captive portal provider, such as FortiAuthenticator or FortiNAC.

When external captive portal providers are used, the authentication happens roughly as follows:

  1. FortiGate triggers captive portal authentication (it redirects a user’s HTTP request to itself).

  2. It then redirects to the external captive portal provider.

  3. The user registers and/or authenticates.

  4. The external captive portal provider reports the successful authentication back to FortiGate.

  5. FortiGate triggers RADIUS authentication to the configured RADIUS server (typically the same server that provided captive portal); this is to get group information.

  6. RADIUS authentication should be successful and return group information as applicable.

  7. FortiGate accepts or denies the authentication based on successful user authentication and group membership.

  8. If authentication is accepted, FortiGate directs the user to a specified URL or the original request.

However, depending on which external provider the FortiGate redirects to, and whether a user only authenticates or also registers, a few timeouts can come into play.

In particular:

The portal timeout:

  • How long the FortiGate will keep the portal authentication request (step 2/3) before considering it timed out.
  • If a user registers, not just authenticates, this usually needs to be increased.

config user setting
    set auth-portal-timeout <in minutes>
end

  • This may need to be 3-5 minutes to give a user time to register, provide the details, and confirm via email/SMS depending on the captive portal provider.

The remote authentication timeout:

  • How long the FortiGate will wait for a remote server to reply before considering the authentication to have timed out (step 5/6).
  • Depending on the RADIUS server FortiGate contacts, this may need to be increased, especially if any kind of two-factor authentication or push notification from the RADIUS server is in play.

config system global
    set remoteauthtimeout <in seconds>
end

  • This may need to be 30-120 seconds to give a user time to enter a token code or confirm a push notification when prompted.
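As an added example (not from the article or from Fortinet), a small Python check that parses the two FortiOS config blocks above out of a `show` dump and flags values below the ranges the article suggests; the sample config and the minimum values used are assumptions chosen to match the article's guidance:

```python
from typing import Dict, Optional

# Constructed FortiOS "show" output (not from the article), with both values
# below the ranges the article suggests.
SAMPLE_CONFIG = """\
config user setting
    set auth-portal-timeout 1
end
config system global
    set remoteauthtimeout 5
end
"""

# Lower bounds of the article's suggested ranges: 3-5 min portal timeout for
# self-registration, 30-120 s remote auth timeout for 2FA/push prompts.
PORTAL_TIMEOUT_MIN = 3       # minutes, under 'config user setting'
REMOTEAUTH_TIMEOUT_MIN = 30  # seconds, under 'config system global'

def parse_fortios_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse flat 'config <path> ... set k v ... end' blocks into {path: {k: v}} (no nested tables)."""
    blocks: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = line[len("config "):]
            blocks.setdefault(current, {})
        elif line == "end":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            blocks[current][key] = value.strip().strip('"')
    return blocks

def check_captive_portal_timeouts(text: str) -> Dict[str, str]:
    """One finding per timeout: 'ok', 'not set', or below the suggested minimum."""
    cfg = parse_fortios_config(text)
    checks = [("auth-portal-timeout", "user setting", PORTAL_TIMEOUT_MIN, "min"),
              ("remoteauthtimeout", "system global", REMOTEAUTH_TIMEOUT_MIN, "s")]
    findings: Dict[str, str] = {}
    for key, path, minimum, unit in checks:
        value = cfg.get(path, {}).get(key)
        if value is None:
            findings[key] = "not set (device default applies)"
        elif int(value) < minimum:
            findings[key] = f"{value} {unit} is below the suggested minimum of {minimum} {unit}"
        else:
            findings[key] = f"{value} {unit} ok"
    return findings
```

Run `check_captive_portal_timeouts()` over the output of `show full-configuration` to review a device; a missing key means the device default is in effect and should be checked by hand.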

Captive Portal Redirects:

Once the authentication timeout (idle or hard timeout) expires, the user is removed from the firewall authentication list and is not redirected to the authentication portal automatically. To re-authenticate, the user needs to initiate web traffic from the browser or refresh the existing website.

One workaround is to assign a default home page on the browser so that it will automatically initiate the traffic upon opening a new tab.

Important note:

FortiGate will only check any secondary authentication servers after the remote authentication timeout has passed.