js2
Staff
Article Id 253022
Description

 

This article describes how to extend the captive portal user retention to a period of 30 days (maximum).

 

Scope

 

FortiGate v7.x.

 

Solution

 

By default, the captive portal auth timeout is set to 5 minutes and can be extended to a maximum of one day (1440 minutes).

In this case, the users are forced to re-authenticate every day.

 

config user setting
    set auth-timeout <1-1440>
end

 

To extend the timeout, change the auth-timeout-type to hard-timeout and increase the auth timeout to 43200 minutes (30 days) in a user group. Note that the hard-timeout option cannot be applied without user groups, and it cannot be limited to the captive portal alone.

When hard-timeout is selected, the timer configured in the group takes precedence.

 

config user setting
    set auth-cert "star_forti_lab"
    set auth-on-demand always
    set auth-timeout 1
    set auth-timeout-type hard-timeout
end

 

config user group
    edit "local"
        set authtimeout 43200
        set member "testa"
    next
end

 

It is possible to verify the time left in the GUI under the Firewall user monitor or by using the following command:


diag firewall auth list

10.102.0.2, testa
src_mac: 00:63:68:61:09:01
type: fw, id: 0, duration: 1135, idled: 6
expire: 2590866 <- Timer (counting downward to 0) gets reflected as per the local group created.
flag(804): hard no_idle
packets: in 1640 out 758, bytes: in 1791859 out 99346
user_id: 16777222
group_id: 4
group_name: local

 

In cases when the authentication times out earlier than configured values, possible reasons include:

  1. Wireless adapter's MAC address randomization - The client host could change the MAC address before connecting to the network (in most cases with a wireless connection).
  2. IP address lease timeout - FortiGate renews the IP address for the host (since the host is not responding, the DHCP server releases the IP address). See this article.
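
When investigating a session that ended early, it helps to compare the timers in the `diag firewall auth list` output with the group's `authtimeout`. The following Python is an added example, not part of the original article or any Fortinet tooling; the function names `parse_auth_list` and `audit` are hypothetical, and it assumes `duration` and `expire` are seconds, which is inferred from the sample above (1135 + 2590866 is about 43200 x 60).

```python
import re
from datetime import timedelta

# Constructed sample: trimmed copy of the output shown in the article.
SAMPLE = """\
10.102.0.2, testa
src_mac: 00:63:68:61:09:01
type: fw, id: 0, duration: 1135, idled: 6
expire: 2590866
flag(804): hard no_idle
group_name: local
"""

HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)\s*$")  # "ip, user"
FIELD = re.compile(r"(\w+):\s*(\d+)")                            # "name: number"

def parse_auth_list(text):
    """Split the command output into one dict per authenticated session."""
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            cur = {"ip": m.group(1), "user": m.group(2), "flags": []}
            sessions.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("flag("):
            cur["flags"] = line.split(":", 1)[1].split()
        elif line.startswith(("src_mac:", "group_name:")):
            key, value = line.split(":", 1)
            cur[key] = value.strip()
        elif line.startswith(("type:", "expire:")):
            cur.update((k, int(v)) for k, v in FIELD.findall(line))
    return sessions

def audit(sessions, group_minutes):
    """Compare each session with the authtimeout (minutes) of its group."""
    report = []
    for s in sessions:
        configured = group_minutes.get(s.get("group_name"), 0) * 60
        # elapsed + remaining, both assumed to be seconds
        lifetime = s.get("duration", 0) + s.get("expire", 0)
        report.append({
            "user": s["user"], "ip": s["ip"], "mac": s.get("src_mac"),
            "hard": "hard" in s["flags"],
            "remaining": timedelta(seconds=s.get("expire", 0)),
            "matches_group": abs(lifetime - configured) <= 5,  # sampling slack
        })
    return report
```

Call `audit(parse_auth_list(output), {"local": 43200})` with the group timers from `config user group`. A session with `hard` false or `matches_group` false is not running on the group's hard timer, and the same user reappearing with a different `mac` or `ip` fits the two causes listed above.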