This article describes how to extend captive portal user retention to a maximum of 30 days.
FortiGate v7.x.
By default, the captive portal auth timeout is set to 5 minutes and can be extended to a maximum of one day.
Even at that maximum, users are forced to re-authenticate every day.
config user setting
    set auth-timeout <1-1440>    <- minutes, default = 5
end
To extend the timeout, change the auth-timeout-type to hard-timeout and increase the auth timeout to 43200 (minutes, which is 30 days) in a user group. Note that the hard-timeout option cannot be applied without user groups, and it cannot be applied only to the captive portal.
When hard-timeout is selected, the timer configured in the group takes precedence.
config user setting
    set auth-cert "star_forti_lab"
    set auth-on-demand always
    set auth-timeout 1
    set auth-timeout-type hard-timeout
end
config user group
    edit "local"
        set authtimeout 43200
        set member "testa"
    next
end
The time left can be verified in the GUI under the Firewall user monitor, or by using the following command:
diag firewall auth list
10.102.0.2, testa
src_mac: 00:63:68:61:09:01
type: fw, id: 0, duration: 1135, idled: 6
expire: 2590866 <- Remaining time, counting down to 0; it follows the authtimeout set in the "local" group.
flag(804): hard no_idle
packets: in 1640 out 758, bytes: in 1791859 out 99346
user_id: 16777222
group_id: 4
group_name: local
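A 30-day hard timeout means a captive portal session stays valid for a month, so it is worth auditing which entries actually carry it. The following is an added example, not Fortinet code: it parses saved `diag firewall auth list` output and checks each entry against the group's authtimeout. The function names are hypothetical, and it assumes `duration` and `expire` are in seconds, which matches the sample (1135 + 2590866 is about 43200 x 60).

```python
import re

# Constructed sample: the entry shown above, as saved from the CLI.
SAMPLE = """\
10.102.0.2, testa
src_mac: 00:63:68:61:09:01
type: fw, id: 0, duration: 1135, idled: 6
expire: 2590866
flag(804): hard no_idle
packets: in 1640 out 758, bytes: in 1791859 out 99346
user_id: 16777222
group_id: 4
group_name: local
"""

ENTRY_START = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)")

def parse_auth_list(text):
    """Split the output into one dict per authenticated user entry."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.split("<-")[0].strip()      # drop "<-" annotations
        m = ENTRY_START.match(line)
        if m:                                   # "IP, username" opens an entry
            cur = {"ip": m.group(1), "user": m.group(2), "flags": []}
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("flag("):          # e.g. "flag(804): hard no_idle"
            cur["flags"] = line.split(":", 1)[1].split()
        else:                                   # "key: value" pairs, comma separated
            for key, val in re.findall(r"(\w+): (\S+?)(?:,|$)", line):
                cur[key] = int(val) if val.isdigit() else val
    return entries

def audit(entries, group_timeout_min, slack=5):
    """Compare each entry with a group's authtimeout (minutes). Assumes seconds in the output."""
    limit = group_timeout_min * 60
    report = []
    for e in entries:
        # With a hard timeout, elapsed + remaining should equal the configured lifetime.
        total = e.get("duration", 0) + e.get("expire", 0)
        report.append({"user": e["user"], "ip": e["ip"], "group": e.get("group_name"),
                       "hard": "hard" in e["flags"],
                       "days_left": round(e.get("expire", 0) / 86400, 2),
                       "matches_group": abs(total - limit) <= slack})
    return report

print(audit(parse_auth_list(SAMPLE), 43200))
```

An entry where `hard` is false or `matches_group` is false is not being governed by the group timer that was configured.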
In cases when the authentication times out earlier than configured values, possible reasons include: