Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Akmostafa
New Contributor III

Accounting to FortiAuthenticator and user usage profiles

Hello Friends.

I have followed the exact steps described in the below KB.

The user is successfully authenticated to the SSID and is viewed on the Fortigate as a firewall user (#dia firewall auth list)

I can see from packet capture that FG is sending the interm accounting messages to FAC on the specified period  and I see the ACC response packets from fAC in the sniffer.

 

However, on FAC -- monitor --- radius sessions I see 0 accounting sessions.

When I view user usage details : it is not counting anything and the user is not disconnected when reaching the max kilobytes specified in the suer profile.

 

I am not sure what I am missing here.

 

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Usage-Profiles-not-enforced-for-R...

 

 

1 Solution
Markus_M

Hello,

 

please also check this one (that should match the ports you are using):

2022-08-24_18-05-51.png

Best regards,

 

Markus

View solution in original post

6 REPLIES 6
Markus_M
Staff
Staff

Hello Akmostafa,

 

there must be an "Accounting Start" packet as well, prior to the interim updates, which should contain only the updates to the session.

Under your FortiAuthenticator debug, you should see (https://fac-ip/debug) a section for RADIUS accounting. Check this one to see what is done with the respective sessions.

 

Best regards,

 

Markus

Akmostafa
New Contributor III

I verified RADIUS accounting start is sent. (See snapshot , note the duplicate packets are due to that I am capturing from Fortigate and the packets are being caputured many times due to packet seeing on input and output interfaces)

On the debugs I can only see the below lines:

 

08/21/2022 14:23:25 [588305792] FortiAuthenticator rad_accounting [1260] [DEBUG]: [Maintenance] Publish accounting state to file
08/21/2022 14:23:25 [588305792] FortiAuthenticator rad_accounting [1260] [INFO]: Updated accounting sessions file. Status = 0
08/21/2022 14:23:55 [588305792] FortiAuthenticator rad_accounting [1260] [DEBUG]: [Maintenance] Save expired accounting sessions to DB
08/21/2022 14:24:22 [588305792] FortiAuthenticator rad_accounting [1260] [DEBUG]: [Maintenance] Publish accounting state to file
08/21/2022 14:24:22 [588305792] FortiAuthenticator rad_accounting [1260] [INFO]: Updated accounting sessions file. Status = 0
08/21/2022 14:24:22 [588305792] FortiAuthenticator rad_accounting [1260] [DEBUG]: [Maintenance] Publish accounting state to file
08/21/2022 14:24:22 [588305792] FortiAuthenticator rad_accounting [1260] [INFO]: Updated accounting sessions file. Status = 0
08/21/2022 14:25:36 [588305792] FortiAuthenticator rad_accounting [1260] [INFO]: Updated accounting sessions file. Status = 0
08/21/2022 14:28:36 [588305792] FortiAuthenticator rad_accounting [1260] [DEBUG]: [Maintenance] Publish accounting state to file
08/21/2022 14:28:36 [588305792] FortiAuthenticator rad_accounting [1260] [INFO]: Updated accounting sessions file. Status = 0
08/21/2022 14:28:36 [588305792] FortiAuthenticator rad_accounting [1260] [DEBUG]: [Maintenance] Publish accounting state to file

 

accnt.PNG

Markus_M

Hi,

 

do you have accounting enabled on the interface?

Accounting MonitorAccounting Monitor

Best regards,

 

Markus

Akmostafa
New Contributor III

hello, enabled:

Also I can see from the debugs vie the following line (after restarting FAC:

 

08/22/2022 13:49:15 [4267148672] FortiAuthenticator rad_accounting [1263] [DEBUG]: Caches and queues initialized
08/22/2022 13:49:15 [4267148672] FortiAuthenticator rad_accounting [1263] [DEBUG]: Initializing snd module
08/22/2022 13:49:15 [4267148672] 
 rad_accounting [1263] [DEBUG]: Loading source [172.16.14.1-172.16.14.1] into source tree

acc.pngacc2.png

 

 

Below RADIUS config on Foritgate: (secret line ommited)

 

config user radius
edit "fac"
set server "172.16.14.9"
set acct-interim-interval 60
set radius-coa enable
config accounting-server
edit 1
set status enable
set server "172.16.14.9"
next
end
next

Markus_M

Hello,

 

please also check this one (that should match the ports you are using):

2022-08-24_18-05-51.png

Best regards,

 

Markus

Akmostafa
New Contributor III

Thank you alot.

It works now.

I have never thought that FAC is listening on a different port rather than 1813.

 

Labels
Top Kudoed Authors