FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
bpozdena_FTNT
Article Id 196804

Description


This article describes the steps to configure FortiGate to send RADIUS Accounting messages containing the usernames and assigned tunnel IP addresses of SSL VPN users.

Useful links:
CLI Reference.

Scope


FortiGate v5.6.11+,
FortiGate v6.0.7+,
FortiGate v6.2.1+.

Solution


Consider the following important requirements before implementing this solution:


  • FortiGate should be running FortiOS v5.6.11+, v6.0.7+ or v6.2.1+. In earlier versions, FortiOS reports the client's public IP address instead of the assigned tunnel IP address in the 'Framed-IP-Address' attribute value.
  • The 'Framed-IP-Address' attribute is not included in the RADIUS Accounting-Request Start message. It is included only in Interim-Update and Accounting Stop messages.
  • The Interim Accounting-Request is not sent unless the RADIUS server sends the AVP 'Acct-Interim-Interval' in the 'Access-Accept' message.
      Also, Interim-Updates must be enabled on FortiGate in the RADIUS profile.
  • The minimum interval that can be configured for interim accounting messages is 600 seconds.

There are two steps to complete this configuration:


  1. Configure SSL VPN access for RADIUS users.
    See this example.

  2. Configure FortiGate to send RADIUS Accounting:

config user radius
    edit <RADIUS_PROFILE_NAME>
        set server <Radius_Server_IP>             <----- Specify the IP address of the RADIUS authentication server.
        set secret <password>                     <----- Secret used to authenticate with the RADIUS authentication server.
        set acct-interim-interval 600             <----- Enable sending of Interim Accounting updates every 10 minutes.
        config accounting-server
            edit 1
                set status enable                 <----- Enable sending of RADIUS Accounting messages.
                set server <Radius_Server_IP>     <----- Specify the IP address of the RADIUS accounting server.
                set secret <password>             <----- Secret used to authenticate with the RADIUS accounting server.
            next
        end
    next
end


      Also ensure the RADIUS server is configured to send the AVP 'Acct-Interim-Interval:600' in the Access-Accept message.

Example:

Verification of Configuration:

The following packet captures show the effect of the above configuration in action.
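As an added example that is not part of the original article, the following Python script decodes an Accounting-Request the way the packet captures are read: it verifies the RFC 2866 Request Authenticator against the shared secret, then checks that 'Framed-IP-Address' is absent from the Start record but present, and inside the SSL VPN tunnel pool, in Interim-Update and Stop records. The shared secret, the 10.212.134.0/24 tunnel pool and the sample packets are constructed assumptions, not values from the article.

```python
import hashlib, ipaddress, struct
# RADIUS codes and attribute types from RFC 2865 / RFC 2866.
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 8, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
# Assumed SSL VPN tunnel pool (the default SSLVPN_TUNNEL_ADDR1 range sits in this /24).
TUNNEL_POOL = ipaddress.IPv4Network("10.212.134.0/24")

def build_acct_request(ident, secret, attrs):
    """Accounting-Request with Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def parse_acct_request(pkt, secret):
    """Verify the authenticator, then decode the attributes this article relies on."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    if hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest() != pkt[4:20]:
        raise ValueError("bad Request Authenticator (wrong shared secret or tampered packet)")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = pkt[pos + 2:pos + alen]
        if atype == USER_NAME:
            attrs["User-Name"] = value.decode()
        elif atype == FRAMED_IP_ADDRESS:
            attrs["Framed-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif atype == ACCT_STATUS_TYPE:
            attrs["Acct-Status-Type"] = STATUS.get(struct.unpack("!I", value)[0], "?")
        pos += alen
    return attrs

def check_capture(pkt, secret):
    """Return (status, framed_ip); Start has no Framed-IP-Address, Interim-Update/Stop must carry a tunnel address."""
    attrs = parse_acct_request(pkt, secret)
    status, ip = attrs.get("Acct-Status-Type"), attrs.get("Framed-IP-Address")
    if status in ("Interim-Update", "Stop") and ip is None:
        raise ValueError(f"{status} record is missing Framed-IP-Address")
    if ip is not None and ipaddress.IPv4Address(ip) not in TUNNEL_POOL:
        raise ValueError(f"{ip} is not a tunnel address (pre-fix FortiOS reports the public IP)")
    return status, ip
# Constructed sample records standing in for the packet captures.
SECRET = b"constructed-shared-secret"
START = build_acct_request(1, SECRET, [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, struct.pack("!I", 1))])
INTERIM = build_acct_request(2, SECRET, [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, struct.pack("!I", 3)),
                                         (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.212.134.200").packed)])
```

To use it on a real capture, feed the UDP payload bytes of each Accounting-Request and the accounting server's shared secret to check_capture.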