Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
smxko
New Contributor II

Created on ‎11-28-2024 06:55 AM Edited on ‎11-28-2024 06:56 AM

Extend disclaimer only timeout

Hi,

we have a VLAN on a 40F that is being provided through some 3rd party access points. We enabled the disclaimer portal for that VLAN for guest access. We don't want them to type in an E-Mail or provide guest accounts.

The disclaimer portal works well but we need to extend the (idle) timeout to more than 300 seconds.

Where can I do that? None of the settings seem to alter that value.

 

I tried:

config user setting > set auth-timeout X

config wireless-controller timers > set client-idle-timeout X
config system settings > set auth-timeout X

 

In this article using a mail collection portal, it is somehow set to 10 days (864000) by default

Retail environment guest access | FortiGate / FortiOS 7.6.0 | Fortinet Document Library

 

But mine always looks like this:

192.168.3.17
        src_mac: 98:69:8a:XX:XX:XX
        type: disclaimer, id: 14, duration: 368, idled: 210
        expire: 90, allow-idle: 300
        flag(1000): src_idle
 
How can allow-idle be modified or set to a hard timeout?
 
Thanks a lot
Labels:
951
0 Kudos
1 Solution
Duka
New Contributor II
In response to smxko

Created on ‎12-11-2024 12:38 AM

Hi,
this can be solved with the following configuration:

 

Create Dummy User

config user local
edit "CaptivePortal"
set type password
set passwd-time ***
set passwd ENC ***
next
end

 

Create Group with the desired timeout (in this case 14 days of non-use)

config user group
edit "CaptivePortalUsers"
set authtimeout 20160
set member "CaptivePortal"
next
end

 

Activate captive portal on the interface

config system interface
edit "lan1"
set vdom "root"
set ip ***
set allowaccess ping
set type physical
set alias "lan"
set security-mode captive-portal
set security-groups "CaptivePortalUsers"
set device-identification enable
set role lan
set snmp-index 2
next
end

 

Customize the HTML page (System -> Replacment Messages -> Login Page) so that the values of the variables USERNAMEID and PASSWORDIT are predefined and hidden.

<input name="%%USERNAMEID%%" id="ft_un" type="hidden" autocorrect="off" autocapitalize="off" value="CaptivePortal">
<input name="%%PASSWORDID%%" id="ft_pd" type="hidden" autocomplete="off" value="Password">

 

Check with

diag firewall auth list

 

****, CaptivePortal

        src_mac: ******

        type: fw, id: 0, duration: 553, idled: 3

        expire: 1209597, allow-idle: 1209600

        packets: in 11556 out 4997, bytes: in 10975870 out 1244385

        user_id: 16777218

        group_id: 2

        group_name: CaptivePortalUsers

 

Best Regrads

Patrick

View solution in original post

702
0 Kudos
9 REPLIES 9
sjoshi
Staff
Staff

Created on ‎11-28-2024 10:12 AM

How can allow-idle be modified or set to a hard timeout? >> this can be changed under config user settings
 
Salon Raj Joshi
Fortinet Certified Expert (FCX) | #NSE8-003459
920
smxko
New Contributor II
In response to sjoshi

Created on ‎11-29-2024 12:26 AM

This is unfortunately limited to 1440 minutes. Is there a way to set it to 10 days as in the link I shared?

880
0 Kudos
sjoshi
Staff
Staff
In response to smxko

Created on ‎11-29-2024 12:51 AM

Time out can be increased till 30 days but in this case you need to set the timeout under user group

Refer:-

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Authentication-timeout-setting-on-global-u....

Salon Raj Joshi
Fortinet Certified Expert (FCX) | #NSE8-003459
870
smxko
New Contributor II
In response to sjoshi

Created on ‎11-29-2024 12:59 AM

Thanks! But how can I ensure that foreign users that only accept the disclaimer are automatically placed in that user group with the new defined timeout?

865
0 Kudos
smxko
New Contributor II
In response to smxko

Created on ‎11-29-2024 04:06 AM

I think it is not possible, it just edited the email collector portal to look like the disclaimer only portal and everytime a user accepts the terms, a dummy mail address gets passed to FGT. Works well so far.

830
0 Kudos
Duka
New Contributor II
In response to smxko

Created on ‎12-11-2024 12:38 AM

Hi,
this can be solved with the following configuration:

 

Create Dummy User

config user local
edit "CaptivePortal"
set type password
set passwd-time ***
set passwd ENC ***
next
end

 

Create Group with the desired timeout (in this case 14 days of non-use)

config user group
edit "CaptivePortalUsers"
set authtimeout 20160
set member "CaptivePortal"
next
end

 

Activate captive portal on the interface

config system interface
edit "lan1"
set vdom "root"
set ip ***
set allowaccess ping
set type physical
set alias "lan"
set security-mode captive-portal
set security-groups "CaptivePortalUsers"
set device-identification enable
set role lan
set snmp-index 2
next
end

 

Customize the HTML page (System -> Replacment Messages -> Login Page) so that the values of the variables USERNAMEID and PASSWORDIT are predefined and hidden.

<input name="%%USERNAMEID%%" id="ft_un" type="hidden" autocorrect="off" autocapitalize="off" value="CaptivePortal">
<input name="%%PASSWORDID%%" id="ft_pd" type="hidden" autocomplete="off" value="Password">

 

Check with

diag firewall auth list

 

****, CaptivePortal

        src_mac: ******

        type: fw, id: 0, duration: 553, idled: 3

        expire: 1209597, allow-idle: 1209600

        packets: in 11556 out 4997, bytes: in 10975870 out 1244385

        user_id: 16777218

        group_id: 2

        group_name: CaptivePortalUsers

 

Best Regrads

Patrick

703
0 Kudos
smxko
New Contributor II
In response to Duka

Created on ‎12-16-2024 03:30 AM

Thanks, this actually works. Is there a limit on how many clients can authenticate using the same account and how much users FortiGate can handle in total? 

634
0 Kudos
Duka
New Contributor II
In response to smxko

Created on ‎12-16-2024 03:49 AM

I will only activate the described configuration next week (approx. 300 users on FG40F), so I can't say anything specific about it yet. So far I haven't had any problems when testing with 5 simultaneous devices with the same username. However, the maximum number of users probably depends on the model. You can find an overview here: https://docs.fortinet.com/max-value-table. However, I was unable to find out which specific value is used.

626
0 Kudos
smxko
New Contributor II
In response to Duka

Created on ‎12-16-2024 04:58 AM

Might be the variable user.local but that only states how much users can be stored and not how many can be logged in simultaneously. I think the limit isn't hard coded  per model but dependent on system resources.

620
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.