FortiGate
SimranRana
Staff
Article Id 408020
Description: This article describes a known issue where guest accounts are not logged out and internet access continues to work after the expiry time has elapsed.
Scope: FortiGate.
Solution:

FortiGate Captive Portal can be used with guest accounts to grant internet access for a limited period of time.

For more details, refer to the article: Technical Tip: FortiGate Captive Portal with Guest Users

 

Ideally, once the expiry time has elapsed, the Guest account should be logged out and the internet access should be revoked.

 

However, on some versions of FortiOS, such as 7.4, 7.6.1, and 7.6.2, the guest user account continues to have internet access after the account has expired, until it is manually deauthenticated on the firewall.

Once the user is deauthenticated, subsequent logins will not work because the account has expired.

 

Solution:

This is a known issue, tracked under ID 1105305, and it is resolved in FortiOS version 7.6.3.

Reference: FortiOS Release Notes: 7.6.3: Resolved Issues

 

Workaround:

Apply the following steps to implement the workaround:

 

  1. Set the auth-timeout type to 'hard-timeout' instead of 'idle-timeout' in the global settings.

config user setting
    set auth-timeout-type hard-timeout
end

  2. Set the auth-timeout value for Guest Group to the same value as the 'Expiry' Time.

config user group
    edit <Guest_Group>                        <----- Name of Guest Group.
        set authtimeout <expiry_time>          <----- Expiry time (in minutes) for Guest Group.
    next
end

  3. Increase the auth-timeout value for all users to minimize disruption. The default value is 5 minutes, but it can be adjusted to a higher value depending on the requirement, such as 24 hours (1440 minutes).

config user setting
    set auth-timeout <hard-timeout-value>      <----- Hard-Timeout value for rest of the users (in minutes).
end
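
To verify steps 1 and 2 of the workaround against a saved configuration backup, the following Python script can be used. It is an added example, not part of the original article or any Fortinet tooling. It assumes a single VDOM, that guest groups are marked with `set group-type guest`, and that `set expire` holds the expiry in seconds; the sample configuration is constructed.

```python
import re

# Constructed sample; "group-type guest" and "expire" (seconds) are assumed syntax.
SAMPLE = """\
config user setting
    set auth-timeout-type idle-timeout
end
config user group
    edit "Guest WiFi"
        set group-type guest
        set expire 14400
        set authtimeout 240
    next
    edit "Guest_Lobby"
        set group-type guest
        set expire 28800
    next
    edit "Staff"
    next
end
"""

def parse(text):  # -> (user-setting dict, {group name: settings dict})
    stack, group, setting, groups = [], {}, {}, {}
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif stack[-1:] == ["user group"] and tok[0] == "edit" and len(tok) > 1:
            group = groups.setdefault(tok[1], {})
        elif tok[0] == "set" and len(tok) > 2 and stack[-1:] == ["user setting"]:
            setting[tok[1]] = tok[2]
        elif tok[0] == "set" and len(tok) > 2 and stack[-1:] == ["user group"]:
            group[tok[1]] = tok[2]
    return setting, groups

def audit(text):  # findings where the article's workaround is not in place
    setting, groups = parse(text)
    hard = setting.get("auth-timeout-type", "idle-timeout") == "hard-timeout"
    findings = [] if hard else ["user setting: auth-timeout-type is not hard-timeout"]
    for name, g in groups.items():
        expiry_min = int(g.get("expire", 14400)) // 60  # assumed default: 14400 s
        authtimeout = int(g.get("authtimeout", 0))      # assumed default: 0
        if g.get("group-type") == "guest" and authtimeout != expiry_min:
            findings.append(f"{name}: authtimeout={authtimeout}, expiry={expiry_min} (min)")
    return findings
```

An empty list from `audit()` means the hard-timeout type is set and every guest group's `authtimeout` matches its expiry time.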

 

Note: The issue is not reproducible on FortiOS version 7.2.10 and below.

 

Related article:

Technical Tip: Explanation of auth-timeout types for Firewall authentication users