Disconnect User Network Access through a FortiAuthenticator Usage Profile

 

Goal: disconnect a user, and refuse further network access, once a configured time or data usage limit is reached.

 

STEP 1:

Configure your FortiGate (the RADIUS NAS) to send RADIUS accounting messages to FortiAuthenticator after a successful user authentication. In this setup FortiAuthenticator is also the authentication server, so it sees both the Access-Accept and the accounting stream for the same session.

# Sample RADIUS configuration on the FortiGate (the ENC values are the
# encrypted shared secrets as stored in the running config):

config user radius
    edit "10.47.1.148"
        set server "10.47.1.148"
        set secret ENC zMbdF/mNYBr5a4Cc3cP
        set nas-ip 192.168.242.80
        set acct-interim-interval 600
        set radius-coa enable
        config accounting-server
            edit 1
                set status enable
                set server "10.47.1.148"
                set secret ENC nGw/l5GCxHSymW3SnXGJKgmk
                set port 1646
            next
        end
    next
end

 

Note: port 1646 is used for accounting traffic on both the FortiGate and FortiAuthenticator in this example (1646 is the legacy RADIUS accounting port; the IANA-assigned port is 1813). Whichever port you choose must match on both sides, and so must the accounting shared secret, or the accounting packets are silently discarded.

Interim accounting updates (every 600 s, from acct-interim-interval) and CoA (radius-coa enable) are enabled. Without CoA, FortiAuthenticator can only reject the user's next authentication; it cannot end the session that is already open on the FortiGate.

 

[Screenshot: accounting server port setting]

 

STEP 2:

Make sure the RADIUS accounting monitor service is enabled on the FortiAuthenticator (FAC) interface that faces the NAS/FortiGate; otherwise FAC does not listen for the accounting packets on that interface.

 

STEP 3:

On the RADIUS client entry for the FortiGate, enable "Accept Accounting" and enable CoA support. The shared secret on this entry must match what the FortiGate is configured with.

 

STEP 4 :

Configure a usage profile with the time and/or data limit to enforce.

 

STEP 5 :

Apply the usage profile to a user, a user group or a device.

Remember to add the RADIUS attribute Acct-Interim-Interval with a value of 600 seconds to the user/group, so that the NAS sends an interim accounting update every 600 s. FAC can only evaluate the limit when an interim update arrives, so a user may overrun the limit by up to one interval before being disconnected.

 

STEP 6:

After a successful authentication and receipt of RADIUS accounting messages, the accounting records look like the sample below.

Navigation: Monitor -> RADIUS Accounting

[Screenshot: Monitor -> RADIUS Accounting]

STEP 7:

If FAC (FortiAuthenticator) determines that the user has crossed the time or data limit, it sends a CoA (disconnect) message to the FortiGate and also disables the user on FAC, so the user cannot simply re-authenticate.

 

STEP 8:

User session state on the FortiGate

==> User Session before Disconnect/bounce from network

Alza-kvm21 # diagnose firewall auth list | grep -A5 "test1"
10.120.0.125, test1, captive FAC user
src_mac: 00:0c:29:xx:xx:xx
type: fw, id: 0, duration: 547, idled: 64
expire: 236, allow-idle: 300
flag(30): radius idle
server: 10.47.8.250

 

==> User session after Disconnect/bounced from network.

Alza-kvm21 # diagnose firewall auth list | grep -A5 "test1"

Alza-kvm21 #
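The exchange behind steps 1 to 8, as an added example that is not code from the original page or from Fortinet: a small model of the RADIUS accounting stream the FortiGate sends (Start and Interim-Update, RFC 2866), the usage-profile check FAC applies to it, and the RFC 5176 Disconnect-Request (the message type used to tear down a session; the page only says "CoA message") that goes back to the NAS once the limit is crossed. The shared secret, user name, session id and the one-hour limit are constructed sample values; the NAS IP is the nas-ip from the page's config. Both directions use the same Request Authenticator rule (MD5 over the packet with a zeroed authenticator plus the secret), which is exactly what a mismatched accounting secret breaks.

```python
# Added example, not from the original page: RADIUS accounting -> usage check -> Disconnect-Request.
# Constructed values: SECRET, user "test1", session id "0001", 3600 s limit. NAS IP is from the page.
import hashlib
import struct

ACCOUNTING_REQUEST, DISCONNECT_REQUEST = 4, 40          # RADIUS codes (RFC 2866, RFC 5176)
USER_NAME, NAS_IP_ADDRESS = 1, 4                        # attribute types (RFC 2865)
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46             # (RFC 2866)
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3     # Acct-Status-Type values

SECRET = b"constructed-shared-secret"                   # assumption, not the page's ENC value
NAS_IP = bytes([192, 168, 242, 80])                     # set nas-ip 192.168.242.80


def encode_attrs(attrs):
    """attrs: list of (type, bytes or int); integers become 4-byte big-endian values."""
    out = b""
    for t, v in attrs:
        if isinstance(v, int):
            v = struct.pack(">I", v)
        out += struct.pack("BB", t, len(v) + 2) + v
    return out


def decode_attrs(payload):
    """Walk the TLV list; each attribute is type(1) length(1, includes header) value."""
    attrs = []
    while payload:
        t, ln = payload[0], payload[1]
        attrs.append((t, payload[2:ln]))
        payload = payload[ln:]
    return attrs


def build_request(code, ident, attrs, secret):
    """Accounting-Request (RFC 2866 s3) and Disconnect-Request (RFC 5176 s2.3) share the rule
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack(">BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(head + b"\x00" * 16 + body + secret).digest()
    return head + auth + body


def verify_request(pkt, secret):
    """What the receiver (FAC for accounting, FortiGate for CoA) checks before acting:
    recompute the authenticator under the shared secret and compare."""
    head, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    return auth == hashlib.md5(head + b"\x00" * 16 + body + secret).digest()


class UsageProfile:
    """Model of an FAC usage profile: limits in seconds and in bytes, 0 meaning unlimited."""
    def __init__(self, max_seconds=0, max_bytes=0):
        self.max_seconds, self.max_bytes = max_seconds, max_bytes

    def exceeded(self, seconds, total_bytes):
        return bool((self.max_seconds and seconds >= self.max_seconds)
                    or (self.max_bytes and total_bytes >= self.max_bytes))


def process_accounting(pkt, secret, profile, coa_ident=0):
    """Return None to keep the session, or the Disconnect-Request bytes to send to the NAS."""
    if not verify_request(pkt, secret):
        raise ValueError("bad Request Authenticator (accounting secret mismatch?)")
    a = dict(decode_attrs(pkt[20:]))
    status = struct.unpack(">I", a[ACCT_STATUS_TYPE])[0]
    if status != STATUS_INTERIM:          # Start carries no usage; Stop means the session is gone
        return None
    seconds = struct.unpack(">I", a.get(ACCT_SESSION_TIME, b"\0\0\0\0"))[0]
    octets = sum(struct.unpack(">I", a.get(k, b"\0\0\0\0"))[0]
                 for k in (ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS))
    if not profile.exceeded(seconds, octets):
        return None
    # RFC 5176: identify the session to tear down. NAS-IP-Address plus Acct-Session-Id
    # (and User-Name) is what the NAS matches against its authenticated-user list.
    return build_request(DISCONNECT_REQUEST, coa_ident,
                         [(USER_NAME, a[USER_NAME]), (NAS_IP_ADDRESS, a[NAS_IP_ADDRESS]),
                          (ACCT_SESSION_ID, a[ACCT_SESSION_ID])], secret)


def demo():
    """Start, then interim updates at 600 s and 3600 s against a 1-hour limit (constructed)."""
    profile = UsageProfile(max_seconds=3600)
    session = [(USER_NAME, b"test1"), (NAS_IP_ADDRESS, NAS_IP), (ACCT_SESSION_ID, b"0001")]
    start = build_request(ACCOUNTING_REQUEST, 1, session + [(ACCT_STATUS_TYPE, STATUS_START)], SECRET)
    interim = [build_request(ACCOUNTING_REQUEST, 2 + i, session + [
        (ACCT_STATUS_TYPE, STATUS_INTERIM), (ACCT_SESSION_TIME, t),
        (ACCT_INPUT_OCTETS, 1000 * t), (ACCT_OUTPUT_OCTETS, 2000 * t)], SECRET)
        for i, t in enumerate((600, 3600))]
    return [process_accounting(p, SECRET, profile) for p in [start] + interim]


if __name__ == "__main__":
    for i, r in enumerate(demo()):
        print(i, "keep session" if r is None else f"Disconnect-Request {decode_attrs(r[20:])}")
```

Two things the model makes concrete: the check only fires on an Interim-Update, so the acct-interim-interval / Acct-Interim-Interval value (600 s here) bounds how far past the limit a user can get before the disconnect is sent; and a wrong accounting secret does not produce an error on the wire, the packet simply fails authenticator verification, which is the first thing to look at when Monitor -> RADIUS Accounting stays empty.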