Created on 04-05-2022 04:55 AM Edited on 08-18-2024 04:47 PM By Stephen_G
Description
This article explains common timeout issues with FortiGate and external captive portal configuration.
Scope
FortiGate.
Solution
FortiGate offers Captive Portal authentication in the context of WiFi or interface authentication.
It also allows captive portal authentication to be redirected to an external captive portal provider, such as FortiAuthenticator or FortiNAC.
When external captive portal providers are used, the authentication happens roughly as follows:
However, depending on which external provider the FortiGate redirects to, and on whether the user authenticates or registers, a few timeouts can come into play.
In particular:
The portal timeout:
config user setting
    set auth-portal-timeout <in minutes>
end
The remote authentication timeout:
config system global
    set remoteauthtimeout <in seconds>
end
Captive Portal Redirects:
Once the auth timeout (idle or hard timeout) has expired, the user is removed from the firewall authentication list and is not redirected to the authentication portal automatically. To re-authenticate, the user should initiate web traffic from the browser or refresh the existing website.
One workaround is to assign a default home page on the browser so that it will automatically initiate the traffic upon opening a new tab.
Important note:
FortiGate will only check any secondary authentication servers after the remote authentication timeout has passed.