Hello,
I want to limit the VPN connection of a local or imported LDAP user by data and time using a usage profile on FortiAuthenticator. I am listening on 1646 for RADIUS accounting. Port 1646 is open on FortiGate and FortiAuthenticator. When the user exceeds the specified limit, no warning or interruption is observed. Can anyone realize this application or have any suggestions? By the way, when the user connects, I cannot see any session in the Monitor > Radius Session field.
I have followed all the warnings in this document:
Firstly you can run a packet capture in FAC to verify that indeed the Accounting messages are reaching FAC. Later you can check from the debugs, https://fac/debug/ [Accounting Monitor] logs to get a better overview on what is happening.
Hi @ebilcari ,
When I look at the accounting monitor, I get an invalid error in this way. I do not have information about which field to apply the secret I set for accounting on the FortiGate side on the FortiAuthenticator side.
The secret for accounting messages should be the same as the one used for authentication. Remember to also enable this toggle:
Hi @ebilcari ,
We did it the way you described, but there was no solution.
In the document I mentioned above, the hashes of the secret parts on the FortiGate side look different. Could the equivalent of secret be in a different place in FortiAuthenticator?
Regards
The hashes will appear different in FGT even when the same secret is used. Try to set the same secret for accounting again. I did a quick test in the lab and the configuration was straightforward (SSLVPN user):
Hi @ebilcari,
In the current case with Fortinet TAC, they had the same problem as us and they are now trying to solve it. Secret was entered the same and when tested it did not work again. Do you have the possibility to share your configurations related to Radius and usage profile?
Regards
@ebilcari Hello,
That's how we got a response from TAC. As far as I understand, by design, there is no disconnection after exceeding the quota in this way. Could I have been misdirected?
"I found that by design, there won't be any disconnect message/action if the user exceeds the quota whilst it is connected.
This is not a software issue you're dealing with. If you need this to be changed, please discuss with your Sales Rep the prospect of a feature/change request.
Once the user exceeded the quota, shouldn't be allowed to connect anymore after it disconnects. That is how this feature works.
It is unclear from the docs if this should work with sslvpn also, or it only works with captive portal."
Regards
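Relating to the packet capture and shared-secret discussion earlier in the thread, an added example (not from any poster or from Fortinet): RFC 2866 defines the Accounting-Request authenticator as MD5 over the packet with a zeroed authenticator field plus the shared secret, so a captured UDP payload can be checked offline against the secret you believe both sides use. The function names and the sample packet are constructed for illustration, and whether the "invalid" entry in the accounting monitor corresponds to this check failing is an assumption.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code


def attr(type_, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([type_, len(value) + 2]) + value


def build_accounting_request(identifier, attributes, secret):
    """Build a constructed Accounting-Request, used here only as sample input."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return header + auth + attributes


def check_accounting_request(packet, secret):
    """Return 'ok', 'bad-authenticator', or the reason the packet is malformed."""
    if len(packet) < 20:
        return "too-short"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        return "not-accounting-request"
    if length < 20 or length > len(packet):
        return "bad-length"
    packet = packet[:length]  # ignore any padding after the declared length
    received = packet[4:20]
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return "ok" if hmac.compare_digest(received, expected) else "bad-authenticator"


# Constructed sample: Acct-Status-Type=Start (40), User-Name (1), Acct-Session-Id (44)
SAMPLE_ATTRS = attr(40, struct.pack("!I", 1)) + attr(1, b"vpnuser") + attr(44, b"0001")
SAMPLE = build_accounting_request(7, SAMPLE_ATTRS, b"lab-secret")

if __name__ == "__main__":
    # A trailing space or a different secret fails the same way a typo would.
    for candidate in (b"lab-secret", b"lab-secret ", b"other-secret"):
        print(candidate, check_accounting_request(SAMPLE, candidate))
```

Feed `check_accounting_request` the raw UDP payload of a captured accounting packet; `bad-authenticator` with the secret you configured points to a mismatch between the two devices rather than a transport problem.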