FortiGate
ksivadas (Staff)
Article Id 411759
Description

This article describes a known issue related to guest management on FortiGate. Specifically, guest credentials do not expire after selecting the 'Expire' button in the GUI.
Scope

FortiOS v7.4.8, v7.6.3, and earlier.

Guest Management on FortiGate.

Solution

When administrators manually expire a guest user’s account by using the 'Expire' button under User & Authentication -> Guest Management (by right-clicking the user and then selecting 'Expire'), the guest user may remain authenticated and able to access network resources.

  • This issue does not occur when the token expires naturally (i.e., after the timer expires).
  • This behavior is only observed when the token is manually expired through the GUI.

Example Configuration:

Administrators create temporary user accounts with a defined expiration time to grant access to network resources. Before creating guest user accounts, a guest group must be configured. The guest user ID can be an email address, a randomly generated string, or any identifier assigned by the administrator. Passwords can also be set manually by the administrator or generated automatically. The guest group configuration controls the fields available when creating guest user accounts in Guest Management.

The configuration used in this article is explained in the administration guide.

When a user connects, the user's session appears in the authentication list:

diagnose firewall auth list
172.16.70.2, user
        src_mac: aa:bb:cc:dd:ee:11
        type: fw, id: 0, duration: 20, idled: 1
        expire: 299, allow-idle: 300
        flag(100): wsso
        server: Test1
        packets: in 61 out 84, bytes: in 38562 out 12522
        group_id: 4
        group_name: CP_Guest

[Screenshot: connected.png]


After expiring the token via the GUI, the user session remains in the authentication list and still has access:

[Screenshot: expire.png]


When the token is manually expired using the button, the token is shown as expired in the FortiGate GUI, but the user still appears in the CLI output of 'diagnose firewall auth list' and is able to connect with the expired token.

If the user connects with a valid token and the token is then expired from Guest Management, the user can still connect to the captive portal because the user is already authenticated on the FortiGate.
If the same token is used from another device, the user is also able to connect to the SSID.
The following is example output for a user connecting with the same expired token, 'user':

diagnose firewall auth list
172.16.70.2, user
        src_mac: aa:bb:cc:dd:ee:11
        type: fw, id: 0, duration: 43, idled: 12
        expire: 288, allow-idle: 300
        flag(100): wsso
        server: Test1
        packets: in 91 out 132, bytes: in 49089 out 18666
        group_id: 4
        group_name: CP_Guest

[Screenshot: ssid.png]

If the user is removed from the auth list or dissociated from the FortiGate GUI, the user is unable to connect back with the expired token.

Removing the entry from the auth list terminates the existing connection and prevents the user from reconnecting with the same guest credentials. Once credentials have expired, the session should be disconnected. See the Technical Tip 'How to de-authenticate a specific authenticated user' for additional filters that can be used to specify which user(s) should be cleared.

diagnose firewall auth filter user <username>

diagnose firewall auth clear
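As an added check (not part of the article), the following Python parses the 'diagnose firewall auth list' output format shown above, flags sessions that still belong to guest tokens already expired in Guest Management, and emits the filter/clear sequence above for each of them. The set of expired tokens and the guest group name 'CP_Guest' are assumed inputs that the administrator supplies; the CLI output is constructed sample data.

```python
"""Flag guest sessions that survived a manual 'Expire' and build the clear sequence."""
import re

# Constructed sample output, in the format 'diagnose firewall auth list' prints.
SAMPLE_AUTH_LIST = """\
172.16.70.2, user
        src_mac: aa:bb:cc:dd:ee:11
        type: fw, id: 0, duration: 43, idled: 12
        expire: 288, allow-idle: 300
        flag(100): wsso
        server: Test1
        packets: in 91 out 132, bytes: in 49089 out 18666
        group_id: 4
        group_name: CP_Guest
172.16.70.9, staff01
        type: fw, id: 0, duration: 600, idled: 3
        expire: 120, allow-idle: 300
        group_id: 2
        group_name: Employees
"""

# An entry starts with an unindented '<ip>, <username>' line.
ENTRY_HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}), (\S+)$")


def parse_auth_list(text):
    """Split the CLI output into one dict of attributes per authenticated session."""
    sessions = []
    for line in text.splitlines():
        m = ENTRY_HEADER.match(line)
        if m:
            sessions.append({"ip": m.group(1), "user": m.group(2)})
        elif sessions and ":" in line:
            # Indented attribute lines; some carry several 'key: value' pairs.
            for pair in line.strip().split(", "):
                key, _, value = pair.partition(": ")
                sessions[-1][key] = value
    return sessions


def stale_guest_sessions(sessions, expired_tokens, guest_group="CP_Guest"):
    """Sessions whose user is an expired guest token but is still authenticated."""
    return [s for s in sessions
            if s.get("group_name") == guest_group and s["user"] in expired_tokens]


def cleanup_commands(stale):
    """Per stale session, the filter + clear commands from the article."""
    return [cmd for s in stale for cmd in
            (f"diagnose firewall auth filter user {s['user']}",
             "diagnose firewall auth clear")]
```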

To resolve this issue, update the FortiGate to version 7.6.4. For more details, refer to Issue 1124183 in the FortiOS Release Notes.