Description

This article describes how to provide the configuration steps necessary to ensure FortiGate can send RADIUS accounting packets to multiple accounting servers.

Scope

FortiGate.

Solution

FortiGate can generate RADIUS accounting messages for VPN clients or WiFi clients, and send them to RADIUS accounting servers.

It will send accounting packets to a configured accounting server if the following conditions are met:

• The user is subject to accounting authentication via a RADIUS server.
• The accounting server is configured within the RADIUS server object.

config user radius

    edit "FAC"

        set server "10.0.0.1"

        set secret ENC XXX

        set acct-interim-interval 600

        set auth-type ms_chap_v2

        config accounting-server

            edit 1

                set status enable

                set server "10.0.0.1"

                set secret XXX

                set port 1813

            next

            edit 2

                set status enable

                set server "192.18.1.99"

                set secret XXX

                set port 1813

            next

        end

    next

end

For the FortiGate to send interim updates, it must have first received an Accounting-Interim-Interval attribute from the accounting server, either during initial Access-Request/Access-Accept, or within the Accounting response.

More details can be found here, for example Technical Tip: Radius Accounting for SSL VPN Users

By default, FortiGate will only send to one accounting server, even if multiple accounting servers are configured.

There is a CLI setting to ensure FortiGate sends to all configured accounting servers:

(# config vdom)

(# edit <vdom>)

config user radius

edit <radius server>

set acct-all-servers enable

end