Hi. Recently set up a captive portal with an external authentication portal.
FortiGate-40F
v7.4.1 build2463 (Feature)
Security mode: Captive Portal
Portal type: Authentication
Authentication Portal: External
Traffic mode: Tunnel
FortiGate acts as DHCP server
"Client MAC Address Filtering" radius not enabled.
Radius accounting is enabled on SSID and all other possible interfaces.
Authentication process works correctly.
We are receiving accounting updates only on connect and disconnect.
No interim-accounting is received at specified interval.
Specified in config file:
set acct-all-servers enable
set acct-interim-interval 60
Also passing set acct-interim-interval := 60 in radreply
Accounting is also under-reporting usage. Less than 10% of actual usage is being reported once the session is terminated and the final account-update is received.
Test session lasting 180 seconds with a 256MB test file yields this:
acct-input-octets = 17645
acct-output-octets = 9427
Repeated test with different vendor and accounting is spot on.
What are we missing here?
Thanks.
Hi @dietersmith
Make sure that the Radius attribute "Class" is being sent from the client in accounting request packets when the client connects on WIFI. If that attribute is missing, FGT may fail to put the client in the proper group. You can try to run a packet capture on FGT and sniff packets on port 1813 to understand it better.
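Added example (not part of the original reply, and not Fortinet code): a minimal Python decoder for the UDP payload of a packet captured on port 1813, reporting the Acct-Status-Type of an Accounting-Request and whether it carries Class. The sample packet is constructed from values in this thread's logs, and the function names are hypothetical.

```python
import struct

# Attribute numbers from RFC 2865/2866/2869 that appear in the thread's logs.
NAMES = {1: "User-Name", 25: "Class", 40: "Acct-Status-Type",
         42: "Acct-Input-Octets", 43: "Acct-Output-Octets",
         44: "Acct-Session-Id", 85: "Acct-Interim-Interval"}
INT_ATTRS = {40, 42, 43, 85}                 # 32-bit unsigned integers
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_radius(payload: bytes) -> dict:
    """Decode one RADIUS UDP payload (header plus attribute TLVs)."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("Length field does not fit the payload")
    attrs, vsa, pos = {}, {}, 20             # bytes 4..19 are the authenticator
    while pos < length:
        alen = payload[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, value = payload[pos], payload[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:  # Vendor-Specific: id + first sub-TLV
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            vsa[(vendor, vtype)] = value[6:4 + vlen]
        elif atype in INT_ATTRS and len(value) == 4:
            attrs[NAMES[atype]] = struct.unpack("!I", value)[0]
        else:
            attrs[NAMES.get(atype, f"Attr-{atype}")] = value
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs, "vsa": vsa}

def check_accounting(payload: bytes) -> dict:
    """Summarise what matters for this thread: type, status, Class, counters."""
    pkt = parse_radius(payload)
    a = pkt["attrs"]
    return {"is_accounting_request": pkt["code"] == 4,
            "status": STATUS.get(a.get("Acct-Status-Type"), "unknown"),
            "has_class": "Class" in a,
            "octets_in_out": (a.get("Acct-Input-Octets"), a.get("Acct-Output-Octets"))}

def build_sample(with_class: bool = True) -> bytes:
    """Constructed Accounting-Request (Start) using values from the thread's log."""
    tlv = lambda t, v: bytes([t, len(v) + 2]) + v
    ssid = bytes.fromhex("666f7274696e65742d6374726c2d6370")
    body = (tlv(40, struct.pack("!I", 1)) + tlv(44, b"2d65e439") + tlv(1, b"Ds")
            + tlv(26, struct.pack("!IBB", 12356, 7, len(ssid) + 2) + ssid))
    if with_class:
        body += tlv(25, bytes.fromhex("4141414141"))
    # Authenticator is zeroed here; a real capture carries an MD5-based value.
    return struct.pack("!BBH", 4, 242, 20 + len(body)) + bytes(16) + body
```

Feed `check_accounting` the raw UDP payload bytes of each packet exported from the capture; a Start or Interim-Update with `has_class` false is the case described in the reply above.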
Hi @rbraha
Thank you for your previous reply.
You were correct in your assumption that the Class attribute was not being sent to FortiGate by the radius server.
Have amended the radius config and we now pass a Class attribute as well as the previously defined Acct-Interim-Interval attribute.
(15) Sent Access-Accept Id 241 from 51.x.x.x:4046 to 93.x.x.x:52892 length 0
(15) Class = 0x4141414141
(15) Acct-Interim-Interval = 60
(15) Finished request
This is also visible on controller packet capture.
In Accounting-Request:
(16) Received Accounting-Request Id 242 from 93.X.X.X:58016 to 51.X.X.X:1813 length 235
(16) Acct-Status-Type = Start
(16) Event-Timestamp = "Nov 13 2023 15:00:57 UTC"
(16) Acct-Session-Id = "2d65e439"
(16) User-Name = "Ds"
(16) Acct-Multi-Session-Id = "94:f3:92:9d:52:70-1699887641"
(16) NAS-Identifier = "FortiGate-40F"
(16) Framed-IP-Address = 10.23.23.2
(16) Fortinet-Client-IP-Address = 10.23.23.2
(16) Fortinet-Vdom-Name = "root"
(16) Attr-26.12356.7 = 0x666f7274696e65742d6374726c2d6370
(16) Attr-26.12356.8 = 0x4f66666963652054657374204150
(16) NAS-IP-Address = 10.23.23.1
(16) Called-Station-Id = "94-F3-X-X-X-X:fortinet-ctrl-cp"
(16) Calling-Station-Id = "F4-3B-X-X-X-X"
(16) Class = 0x4141414141
Results for Session-Id: 2d65e439. 1.2 Gig downloaded in session.......
{
"radacct": [
{
"radacctid" : 19,
"acctsessionid" : "2d65e439",
"acctuniqueid" : "2fe8e5bb3579f8d1a618949763b8c947",
"username" : "Ds",
"realm" : "",
"nasipaddress" : "10.23.23.1",
"nasportid" : "",
"nasporttype" : "",
"acctstarttime" : "2023-11-13T15:00:57.000Z",
"acctupdatetime" : "2023-11-13T15:12:57.000Z",
"acctstoptime" : "2023-11-13T15:14:11.000Z",
"acctinterval" : 180,
"acctsessiontime" : 794,
"acctauthentic" : "",
"connectinfo_start" : "",
"connectinfo_stop" : "",
"acctinputoctets" : 312286,
"acctoutputoctets" : 171304,
"calledstationid" : "94-F3-X-X-X-X:fortinet-ctrl-cp",
"callingstationid" : "F4-3B-X-X-X-X",
"acctterminatecause" : "Host-Request",
"servicetype" : "",
"framedprotocol" : "",
"framedipaddress" : "10.23.23.2",
"framedipv6address" : "",
"framedipv6prefix" : "",
"framedinterfaceid" : "",
"delegatedipv6prefix" : ""
}
]}
Acct-Interim not updating at specified interval: 180s in radius config. 60s in attribute.
Accounting not reporting usage.
Any ideas?
Hi @dietersmith
By default FGT will send the first Account interim after 600 sec; if configured with less than that, it may fail to send this acc-interim update.
Try to make the change as follows for your SSID:
config wireless-controller vap
edit "vap"
set ssid "your SSID"
set security wpa2-only-personal+captive-portal
set passphrase ENC *
set acct-interim-interval 600 <----
set selected-usergroups "Guest-group"
set schedule "always"
next
end
Check again with pcap on the FGT side whether there is any Acc-Interim interval.
Hi @rbraha
FortiGate-40F (Forti-CP-Test) # set acct-interim-interval 600
command parse error before 'acct-interim-interval'
Command fail. Return code -61
Seems like it's not implemented here.
Here is current config for VAP:
FortiGate-40F (Forti-CP-Test) # show
config wireless-controller vap
edit "Forti-CP-Test"
set ssid "fortinet-ctrl-cp"
set security wpa2-only-personal+captive-portal
set external-web "https://portals.xxxx.xxxxxxxxx.com/captivePortal/36372535"
set passphrase ENC XXX
set selected-usergroups "Radius-CP_Guests"
set security-exempt-list "Forti-CP-Test-exempt-list"
set security-redirect-url "https://portals.xxxxx.xxxxxxxx.net/captivePortal/successpage/36372535"
set schedule "always"
set address-group-policy allow
next
end
Not sure it's supported here.
Thanks for the help so far.
Hi @rbraha Could we please get this converted to a support ticket?
We are under pressure to make this work.
Thank you kindly.
@fortigate support.
Please respond.
Hey dietersmith,
please note that we cannot easily convert a Forum thread to a support case; a support case requires the FortiGate's serial number at the very least.
I would suggest you log into support.fortinet.com and create a new ticket, and in that ticket link the forum thread for further details.
Regarding the accounting:
- FortiGate will only generate accounting if the accounting value it has set and the value received in RADIUS Access-Accept are the same; where does the mismatch of 60 in the Access-Accept and 180 in later Accounting messages come from?
There are at least two RADIUS Accounting issues currently under investigation (though one is restricted to IPSec, so it should not apply to your case); the ID is 0976338; if you open a ticket you can mention that as a possible avenue for investigation.