ahmadswelem
New Contributor

Kicking out clients after a while

Hello,

 

I have a FortiGate 60E (v5.6.3 build1547 (GA)) and I want to kick clients out of my network after 30 mins, and I don't want them to reconnect until 24 hours have passed.

 

Any advice?

Thanks in advance. 

Fishbone_FTNT

Hello,

This is not a standard function of FortiGate. The first part is easy: you can specify a 30-minute timeout in the user settings, and 'set auth-timeout-type hard-timeout'.

However, making them unable to log in again for the next 24 hours is not possible with FortiGate only.

I can imagine you could do some creative scripting to make something like this work, but I am not quite sure if you are looking for that kind of solution.

 

F)(

smithproxy hacker - www.smithproxy.org

emnoc
Esteemed Contributor III

If it was an IPS-driven event you could maybe write a signature with a trigger and then set a quarantine value, but the OP needs to explain what he/she is trying to do.

Is this a fw user (admin) or a network user?

 

Ken

 

PCNSE 

NSE 

StrongSwan  

ahmadswelem

Hi Emnoc,

 

This is a network user.

 

Fishbone_FTNT

Hi ahmadswelem, well :) I was thinking of some custom RADIUS server in Python. There is the excellent python-pyrad library, which you can take a look at. I have already written some smaller projects with it, so I can only recommend it. With it, you can simply create a custom RADIUS server; you just need to take care of passwords and the logic of refusing to accept the user. It can even be quite an interesting project, if you won't keep it simple :-) If you maintain the password db on some other RADIUS server, you can eventually write a RADIUS proxy, using pyrad too. Doing the same with LDAP would be more difficult; in that case I would recommend writing it in RADIUS and handling backend authentication towards the LDAP server. Quite simple, but not too simple.

Good luck,

Fishbone)(

smithproxy hacker - www.smithproxy.org
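The "logic of refusing to accept the user" from the post above, sketched as an added example (not code from the thread, from pyrad, or from Fortinet). The class and method names are hypothetical. It assumes the RADIUS handler calls `decide()` only after the password has been verified and sends the returned seconds as the standard RADIUS Session-Timeout attribute; whether the FortiGate enforces that attribute is an assumption, so the 30-minute hard-timeout described earlier in the thread stays in place.

```python
import time

SESSION_SECONDS = 30 * 60        # 30-minute allowance asked for in the thread
LOCKOUT_SECONDS = 24 * 60 * 60   # 24-hour wait before the next session


class AccessWindowPolicy:
    """Accept/reject decision for a custom RADIUS server (hypothetical helper).

    Call decide() only after the credentials were verified, so that failed
    guesses by someone else cannot start or burn a user's 30-minute window.
    """

    def __init__(self, session=SESSION_SECONDS, lockout=LOCKOUT_SECONDS):
        self.session = session
        self.lockout = lockout
        # username -> time the current window opened. In-memory only: a
        # restart forgets lockouts, so persist this in a real deployment.
        self._window_start = {}

    def decide(self, username, now=None):
        """Return ("accept", seconds_left) or ("reject", seconds_to_wait)."""
        now = time.time() if now is None else now
        # Assumption: usernames are case-insensitive. Normalising keeps
        # "Alice" and "alice " from being counted as two separate windows.
        user = username.strip().lower()
        started = self._window_start.get(user)

        # First login ever, or the previous window plus lockout has elapsed.
        if started is None or now >= started + self.session + self.lockout:
            self._window_start[user] = now
            return ("accept", self.session)

        elapsed = now - started
        if elapsed < self.session:
            # Re-login inside the window gets only the time that is left,
            # so reconnecting cannot extend the 30 minutes.
            return ("accept", int(self.session - elapsed))

        # Window used up: reject until 24 hours after the window ended.
        return ("reject", int(started + self.session + self.lockout - now))
```
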

emnoc
Esteemed Contributor III

He might want to look at freeradius or a commercial RADIUS solution like Alepo. This concept for forced used sessions by time/bytes/etc. is how pay-by-usage service providers do it (hotel hotspot/dialup/etc.).

 

I would write it by time and disable the account for 24 hours before re-enabling.

 

Ken

 

 

PCNSE 

NSE 

StrongSwan  

ahmadswelem

Hi Fishbone,

 

This is quite interesting, I needed something fast to work on.

As soon as I finish my current task I will dig into it more :).

 

Thanks for the tip Buddy.

ahmadswelem

Hi Fishbone,

 

Thank you for the tip, as for the authentication part I will apply it since it makes sense.

If I find something for the second part I will post it here :).

 

Thanks a lot.
