Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
istvanmarlok
New Contributor III

Captive Portal Session timeout & Renewal Frequency

Hi All,

 

I have the following situation: I configured a guest SSID with Disclaimer Only authentication. I would like to configure the session timeout to 3 hour, and the renewal frequency to 1 hour (after the session time out, the user can not authenticate to the ssid until 1 hour). Is it possible to configure that?
I tried to configure this field from FortiManager:  captive-portal-auth-timeout

But it looks like this field doesn't exists on our Fortigate.

 

Environment: 

Fortigate40F with FortiOs 7.2.2

Fortimanager 7.2.1 OS

FortiAP 231F 7.2.1 OS

 

Thank you!

 

Best Regards,

Istvan

5 REPLIES 5
Anonymous
Not applicable

Hello Istvan 

I can refer you two useful articles related to different auth time outs, syntax might need to be changed on FMG according to syntax in the articles

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-external-captive-portal-authenti...

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Chromium-based-Browsers-and-Captive-Portal...

 

Please let us know about the outcome, and if it does not work out this way

 

Regards !

Edvin 

 

 

istvanmarlok
New Contributor III

Hello,

 

Thank you, but unfortunatelly i didn't find the solution in these articles :(

I use the internal Disclaimer page on the FortiGate with no authentication. My goal is to drop the client after 2 hours, and after that the user have to Agree with the user terms again, if she/he would like to continue using our Guest network.

Other vendors call these feature like Client Session Timeout

Do you have any idea for that?

 

Thanks

Istvan

Debbie_FTNT

Hey Istvan,

the auth-portal-timeout is not for deauthenticating portal users, if I remember correctly, but how long FortiGate will wait to complete a captive-portal authentication (this can take a few minutes if external captive portals and/or user registration and/or activation links/codes are involved).

Try the following setting:
#config user setting
#set auth-timeout-type hard-timeout
#set auth-timeout 120

#end

 

This should enforce a hard-timeout after two hours.

Please note this will affect ALL users, not just captive portal users!

 

As an alternative, you can look into webfilter quotas:

https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/898834/web-filtering-using-quotas
This is an option available in proxy-mode (the vdom or webfilter profile needs to be in proxy mode); you could then set time-limits for specific or all webfilter categories to block users after they have reached the limit. The quota resets at midnight. You could set that on the policies handling captive portal traffic to ensure users going through these policies will get their access blocked after a certain amount of time.

 

As for enforcing a set time period before a user can connect again, I'm not sure this is possible; I've done a bit of research, but not found anything so far. There are some authentication blackout settings, but those only take effect after a user has failed authentication multiple times, which is not going to be the case with just a disclaimer.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
glaster
New Contributor

Did you find a solution to this?  I am currently looking for the same thing.  I want to make it where the device can connect for 8 hours, then drops connection and has to reauthenticate and agree to terms.  And mandatory agree to terms if they disconnect and then reconnect.  

istvanmarlok
New Contributor III

Hi,

Unfortunatelly I didn't find any solution for that.

Labels
Top Kudoed Authors