Debbie_FTNT
Staff
Article Id 203439

Description

 

This article describes the configuration steps necessary to ensure FortiGate sends RADIUS accounting packets to multiple accounting servers.

 

Solution

 

FortiGate can generate RADIUS accounting messages for VPN or WiFi clients and send them to RADIUS accounting servers.

It will send accounting packets to a configured accounting server if the following conditions are met:

 

- The user subject to accounting authenticated via a RADIUS server.

- The accounting server is configured within the RADIUS server object.

 

# config user radius

    edit "FAC"

        set server "10.0.0.1"

        set secret ENC XXX

        set acct-interim-interval 600

        set auth-type ms_chap_v2

        config accounting-server

            edit 1

                set status enable

                set server "10.0.0.1"

                set secret XXX

                set port 1813

            next

            edit 2

                set status enable

                set server "192.18.1.99"

                set secret XXX

                set port 1813

            next

        end

    next

end

 

For the FortiGate to send interim updates, it must first have received an Accounting-Interim-Interval attribute from the accounting server, either during the initial Access-Request/Access-Accept, or within the Accounting response.

 

More details can be found here, for example: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Radius-Accounting-for-SSL-VPN-Users/ta-p/1...

 

By default, FortiGate will only send to one accounting server, even if multiple accounting servers are configured.

 

There is a CLI setting to ensure FortiGate sends to all configured accounting servers:

 

(# config vdom)

(# edit <vdom>)

# config user radius

# edit <radius server>

# set acct-all-servers enable

# end
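
To check a configuration backup for RADIUS objects that have more than one enabled accounting server but lack acct-all-servers (so only one server receives accounting records), a small audit script can be used. This is an added example, not Fortinet code; the sample input is constructed, and the object name "FAC-ALL" and the function name are hypothetical.

```python
# Constructed sample of `show user radius` output; "FAC-ALL" is a made-up object name.
ACCT_SERVERS = '''        config accounting-server
            edit 1
                set status enable
                set server "10.0.0.1"
            next
            edit 2
                set status enable
                set server "192.18.1.99"
            next
        end
'''
SAMPLE = ('config user radius\n'
          '    edit "FAC"\n' + ACCT_SERVERS + '    next\n'
          '    edit "FAC-ALL"\n'
          '        set acct-all-servers enable\n' + ACCT_SERVERS + '    next\n'
          'end\n')


def radius_objects_missing_acct_all(config_text):
    """Names of RADIUS objects with 2+ enabled accounting servers but no acct-all-servers."""
    findings, stack = [], []
    name, enabled, all_servers = None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])   # track nested config sections
        elif line == "end":
            if stack:
                stack.pop()
        elif stack[-1:] == ["user radius"]:        # directly inside a RADIUS object
            if line.startswith("edit "):
                name, enabled, all_servers = line[5:].strip('"'), 0, False
            elif line == "set acct-all-servers enable":
                all_servers = True
            elif line == "next" and enabled > 1 and not all_servers:
                findings.append(name)
        elif stack[-2:] == ["user radius", "accounting-server"]:
            # Assumption: only entries with an explicit "set status enable" are counted.
            enabled += line == "set status enable"
    return findings


if __name__ == "__main__":
    print(radius_objects_missing_acct_all(SAMPLE))
```

The section stack also matches when the block is nested under config vdom / edit <vdom>.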