js2
Staff
Article Id 340621
Description

 

This article describes a use case involving RADIUS accounting for captive portal users. In this scenario, although RADIUS accounting messages were received, interim updates were not functioning as expected.

For the FortiGate to send interim updates, it must first receive the 'Accounting-Interim-Interval' attribute from the RADIUS server in the initial 'Access-Accept' response to the 'Access-Request' message.

 

Topology:
User -> L2 switch -> port1---FortiGate---port2 -> Internet -> AAA server.

 

Scope

 

FortiGate.

 

Solution

 

Step 1. Run a packet capture for the RADIUS server and check for the 'Access-Accept' message:

 

diagnose sniffer packet any "host x.x.x.x" 6 0 l <----- x.x.x.x is the RADIUS server IP.


In the Wireshark packet capture, the "Accounting-Interim-Interval" attribute is missing from the 'Access-Accept' message.

 

RADIUS Protocol
Code: Access-Accept (2)
Packet identifier: 0xb5 (181)
Length: 56
Authenticator: fcb1ad16f2b48de12057ec4ea51db2a2
Attribute Value Pairs ------> No Acct-Interim-Interval attribute
AVP: t=Idle-Timeout(28) l=6 val=600
AVP: t=Vendor-Specific(26) l=12 vnd=Wireless (14122)
AVP: t=Vendor-Specific(26) l=12 vnd=Wireless (14122)
AVP: t=Session-Timeout(27) l=6 val=86400


Note:

The Interim Accounting-Request will not be sent unless the RADIUS server sends the 'Acct-Interim-Interval' AVP in the 'Access-Accept' message.

 

Step 2. Enable the attribute on the server:

 

AppendRadiusReplyAttribute
Acct-Interim-Interval=60


Step 3. Run the packet capture again. The 'Acct-Interim-Interval' attribute should now be visible in the 'Access-Accept' message.


RADIUS Protocol
Code: Access-Accept (2)
Packet identifier: 0xa9 (169)
Length: 62
Authenticator: 46392a5f4f9e936319e3afcca643df7a
Attribute Value Pairs
AVP: t=Idle-Timeout(28) l=6 val=600
AVP: t=Vendor-Specific(26) l=12 vnd=Wireless (14122)
AVP: t=Vendor-Specific(26) l=12 vnd=Wireless (14122)
AVP: t=Session-Timeout(27) l=6 val=86400
AVP: t=Acct-Interim-Interval(85) l=6 val=60 ------>Attribute received
Type: 85
Length: 6
Acct-Interim-Interval: 60
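
The check made by eye in Wireshark in Steps 1 and 3 can also be scripted. The following is an added example, not part of the original article or of any Fortinet tooling: it walks the AVPs of a raw RADIUS payload and reports whether an Access-Accept carries Acct-Interim-Interval (type 85). The two sample packets are constructed to mirror the captures above; the zeroed authenticator and the vendor-specific payload bytes are placeholders, and the function names are hypothetical.

```python
import struct

ACCESS_ACCEPT = 2
ACCT_INTERIM_INTERVAL = 85  # attribute type shown in the capture above

def parse_avps(packet: bytes):
    """Return (code, identifier, [(type, value_bytes), ...]) for a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the captured data")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad AVP length at offset {pos}")
        avps.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, avps

def interim_interval(packet: bytes):
    """Seconds from Acct-Interim-Interval in an Access-Accept, or None if absent."""
    code, _, avps = parse_avps(packet)
    if code != ACCESS_ACCEPT:
        return None
    for a_type, value in avps:
        if a_type == ACCT_INTERIM_INTERVAL and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None

def build_accept(ident: int, avps) -> bytes:
    """Constructed sample packet; the authenticator is zeroed, not a real one."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body

# Constructed AVPs mirroring the two captures; the VSA payload bytes are placeholders.
VSA = struct.pack("!I", 14122) + bytes([1, 6]) + bytes(4)  # vendor 14122, AVP l=12
BASE = [(28, struct.pack("!I", 600)), (26, VSA), (26, VSA), (27, struct.pack("!I", 86400))]
BEFORE = build_accept(0xB5, BASE)                               # Step 1 capture
AFTER = build_accept(0xA9, BASE + [(85, struct.pack("!I", 60))])  # Step 3 capture

if __name__ == "__main__":
    for name, pkt in (("before", BEFORE), ("after", AFTER)):
        print(name, "len", len(pkt), "Acct-Interim-Interval:", interim_interval(pkt))
```

The constructed packets come out at 56 and 62 bytes, matching the Length fields in the two captures, so the 6-byte difference is exactly the added Acct-Interim-Interval AVP.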

 

Related article:

Technical Tip: Radius Accounting for SSL VPN Users