This article explains common timeout issues with FortiGate and external captive portal configuration.
FortiGate offers Captive Portal authentication in the context of WiFi or interface authentication.
It also allows captive portal authentication to be redirected to an external captive portal provider, such as FortiAuthenticator or FortiNAC.
When external captive portal providers are used, the authentication happens roughly as follows:
1) FortiGate triggers captive portal authentication (it redirects a user’s HTTP request to itself).
2) It then redirects to the external captive portal provider.
3) The user registers and/or authenticates.
4) The external captive portal provider reports the successful authentication back to FortiGate.
5) FortiGate triggers RADIUS authentication to the configured RADIUS server (typically the same server that provided captive portal); this is to get group information.
6) RADIUS authentication should be successful and return group information as applicable.
7) FortiGate accepts or denies the authentication based on successful user authentication and group membership.
8) If authentication is accepted, FortiGate directs the user to a specified URL or the original request.
However, depending on which external provider FortiGate redirects to, and on whether a user only authenticates or also registers, a few timeouts can come into play.
The portal timeout:
- How long FortiGate keeps the pending portal authentication request (steps 2/3) open before considering it timed out.
- If users register rather than only authenticate, this usually needs to be increased. The default is 3 minutes.
# config user setting
    set auth-portal-timeout <in minutes>
end
-> This may need to be 3-5 minutes to give a user time to register, provide the details, and confirm via email/SMS, depending on the captive portal provider.
The remote authentication timeout:
- How long FortiGate waits for a remote authentication server to reply before considering the authentication request to have timed out (steps 5/6).
- Depending on the RADIUS server FortiGate contacts, this may need to be increased, especially if any kind of two-factor authentication or push notification from the RADIUS server is in play. The default is 5 seconds.
# config system global
    set remoteauthtimeout <in seconds>
end
-> This may need to be 30-120 seconds to give a user time to enter a token code or confirm a push notification when prompted.
Note that this setting is global: it applies to every RADIUS, LDAP and TACACS+ lookup, not only to captive portal authentication.
FortiGate only tries a secondary (or tertiary) authentication server after the remote authentication timeout has expired for the previous one, so a longer timeout also delays failover when the primary server is down.
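As an added example, not part of the original article or of any Fortinet tool, the following Python script audits the two timeouts in a FortiOS CLI dump and shows what a longer remoteauthtimeout does to the worst-case failover delay when a secondary RADIUS server is configured. The configuration text is constructed here, not captured from a real device; the 3-minute and 5-second starting values are assumed to be the FortiOS defaults, and the 3-5 minute and 30-120 second ranges are the ones the article recommends.

```python
import re

# Constructed FortiOS CLI sample (not from a real device). It carries the
# assumed defaults: auth-portal-timeout 3 (minutes), remoteauthtimeout 5 (seconds),
# plus a RADIUS entry with a primary and a secondary server.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE"
    set remoteauthtimeout 5
end
config user setting
    set auth-portal-timeout 3
    set auth-type http https
end
config user radius
    edit "FAC-RADIUS"
        set server "10.0.0.10"
        set secondary-server "10.0.0.11"
    next
end
"""

# A top-level "config <name> ... end" block and a "set <key> <value>" line.
BLOCK_RE = re.compile(r"^config (?P<name>.+?)\n(?P<body>.*?)^end\s*$", re.S | re.M)
SET_RE = re.compile(r"^\s*set (?P<key>\S+) (?P<val>.+?)\s*$", re.M)


def parse_config(text):
    """Map each top-level config block to its 'set key value' pairs (quotes stripped).
    Nested edit/next entries are flattened into the same dict, which is enough for
    the single RADIUS entry in the sample."""
    blocks = {}
    for m in BLOCK_RE.finditer(text):
        settings = {s.group("key"): s.group("val").strip('"')
                    for s in SET_RE.finditer(m.group("body"))}
        blocks[m.group("name").strip()] = settings
    return blocks


def radius_server_count(blocks):
    """How many RADIUS servers FortiGate would try in sequence: primary,
    secondary and tertiary, each only after the previous one timed out."""
    radius = blocks.get("user radius", {})
    return sum(1 for k in ("server", "secondary-server", "tertiary-server") if k in radius)


def audit_timeouts(text, portal_min=3, remote_min=30):
    """Compare both timeouts with the article's recommended minimums and compute the
    worst-case RADIUS wait when the primary server is down. Missing keys fall back
    to the assumed FortiOS defaults."""
    blocks = parse_config(text)
    portal = int(blocks.get("user setting", {}).get("auth-portal-timeout", 3))
    remote = int(blocks.get("system global", {}).get("remoteauthtimeout", 5))
    servers = max(1, radius_server_count(blocks))
    findings = []
    if portal < portal_min:
        findings.append(f"auth-portal-timeout is {portal} min; registration with "
                        f"email/SMS confirmation usually needs {portal_min}-5 min")
    if remote < remote_min:
        findings.append(f"remoteauthtimeout is {remote} s; token or push prompts "
                        f"usually need {remote_min}-120 s")
    return {
        "auth_portal_timeout_min": portal,
        "remoteauthtimeout_s": remote,
        "radius_servers": servers,
        # Secondary/tertiary servers are tried only after the timeout expires on the
        # previous one, so a dead primary costs timeout x number of servers.
        "worst_case_radius_wait_s": remote * servers,
        "findings": findings,
    }


def set_value(text, block_name, key, value):
    """Return the config text with 'set <key> ...' inside 'config <block_name>'
    changed to the new value. Assumes the key already appears in that block."""
    pattern = re.compile(
        rf"(^config {re.escape(block_name)}\n.*?^\s*set {re.escape(key)} )(.*?)$",
        re.S | re.M)
    return pattern.sub(lambda m: m.group(1) + str(value), text, count=1)


def hardened_config(text, portal_minutes=5, remote_seconds=60):
    """Apply values inside the article's recommended ranges to the config text."""
    text = set_value(text, "user setting", "auth-portal-timeout", portal_minutes)
    return set_value(text, "system global", "remoteauthtimeout", remote_seconds)


if __name__ == "__main__":
    for label, cfg in (("default", SAMPLE_CONFIG), ("hardened", hardened_config(SAMPLE_CONFIG))):
        report = audit_timeouts(cfg)
        print(label, report)
```

Running it shows the trade-off in one line of output each: with the defaults the audit flags remoteauthtimeout and reports a 10-second worst case across two servers; with the hardened values nothing is flagged, but a dead primary now costs 120 seconds before the secondary is even tried, which is the failover cost the note above warns about.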