Goal: Disconnect the user and stop allowing network access after a certain amount of usage.
STEP 1:
Configure your FortiGate/NAS to send user accounting information to FortiAuthenticator after successful user authentication. In this case FortiAuthenticator is used as the authentication server as well.
# Sample RADIUS configuration on FortiGate (the secrets are shown in the encrypted form the CLI prints):
config user radius
    edit "10.47.1.148"
        set server "10.47.1.148"
        set secret ENC zMbdF/mNYBr5a4Cc3cP
        set nas-ip 192.168.242.80
        set acct-interim-interval 600
        set radius-coa enable
        config accounting-server
            edit 1
                set status enable
                set server "10.47.1.148"
                set secret ENC nGw/l5GCxHSymW3SnXGJKgmk
                set port 1646
            next
        end
    next
end
Note: Port 1646 is used for accounting traffic on the FortiGate and FortiAuthenticator.
Interim accounting and CoA are enabled.
STEP 2:
Make sure to enable the Accounting monitor on the FAC interface that will be talking to the NAS/FortiGate.
STEP 3:
Enable "Accept Accounting" on the RADIUS client profile and enable CoA support.
STEP 4:
Configure a usage profile for time or data.
STEP 5:
The usage profile can be applied to a user, user group or device.
Remember to add the RADIUS attribute for the interim update (set to 600 sec) once.
STEP 6:
After successful authentication and receipt of RADIUS accounting information, you will see output like the sample below.
Navigation: Monitor->Radius Accounting
STEP 7:
If FAC (FortiAuthenticator) finds that the user has crossed the time or data usage limit, it sends a CoA message to the FortiGate and also disables the user on FAC.
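The check FAC makes in this step, as an added illustration that is not FortiAuthenticator's own code: a small Python model that accumulates RADIUS accounting counters per user and returns the CoA Disconnect-Request to send once a usage-profile limit is crossed. The class and attribute names and the sample accounting records are constructed; the model assumes the NAS sends Interim-Updates at the configured 600 s interval with cumulative counters, as the FortiGate config above does.

```python
class UsageProfile:
    """Limits of a usage profile (constructed model); None means the limit is not enforced."""
    def __init__(self, max_session_seconds=None, max_bytes=None):
        self.max_session_seconds = max_session_seconds  # time limit in seconds
        self.max_bytes = max_bytes                      # data limit (in + out) in bytes

def session_octets(rec):
    """Cumulative in+out bytes; Acct-*-Gigawords (RFC 2869) carry the high 32 bits."""
    return ((rec.get("Acct-Input-Gigawords", 0) << 32) + rec.get("Acct-Input-Octets", 0)
            + (rec.get("Acct-Output-Gigawords", 0) << 32) + rec.get("Acct-Output-Octets", 0))

class UsageTracker:
    """Hypothetical model of the FAC check: accumulate accounting per user and decide
    when a CoA Disconnect-Request (RFC 5176) must be sent to the NAS."""
    def __init__(self, profile):
        self.profile = profile
        self.sessions = {}  # User-Name -> {"seconds", "octets", "disconnected"}

    def handle_accounting(self, rec):
        """rec: attributes of one Accounting-Request. Returns the CoA action or None."""
        s = self.sessions.setdefault(rec["User-Name"],
                                     {"seconds": 0, "octets": 0, "disconnected": False})
        status = rec["Acct-Status-Type"]
        if status == "Start" or s["disconnected"]:
            return None
        # Interim-Update and Stop carry cumulative counters for the whole session
        s["seconds"] = rec.get("Acct-Session-Time", s["seconds"])
        s["octets"] = session_octets(rec)
        if status == "Stop":
            return None
        p = self.profile
        over_time = p.max_session_seconds is not None and s["seconds"] >= p.max_session_seconds
        over_data = p.max_bytes is not None and s["octets"] >= p.max_bytes
        if not (over_time or over_data):
            return None
        s["disconnected"] = True  # do not send a second CoA for later records of this session
        return {"action": "Disconnect-Request", "User-Name": rec["User-Name"],
                "Acct-Session-Id": rec["Acct-Session-Id"], "disable_user": True}  # also disable on FAC

# Constructed sample: 100 MB data limit, Interim-Updates every 600 s as in the NAS config above
TRACKER = UsageTracker(UsageProfile(max_bytes=100 * 1024 * 1024))
SAMPLE = [
    {"User-Name": "test1", "Acct-Status-Type": "Start", "Acct-Session-Id": "a1"},
    {"User-Name": "test1", "Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "a1",
     "Acct-Session-Time": 600, "Acct-Input-Octets": 30_000_000, "Acct-Output-Octets": 20_000_000},
    {"User-Name": "test1", "Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "a1",
     "Acct-Session-Time": 1200, "Acct-Input-Octets": 70_000_000, "Acct-Output-Octets": 40_000_000},
]
RESULTS = [TRACKER.handle_accounting(r) for r in SAMPLE]  # [None, None, Disconnect-Request]
```

Because the counters only arrive with each Interim-Update, a user can exceed the limit by up to one interval's worth of usage before the Disconnect-Request is sent; a shorter acct-interim-interval tightens this at the cost of more accounting traffic.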
STEP 8:
User session state on the FortiGate
==> User session before disconnect/bounce from the network
Alza-kvm21 # diagnose firewall auth list | grep -A5 "test1"
10.120.0.125, test1, captive FAC user
src_mac: 00:0c:29:xx:xx:xx
type: fw, id: 0, duration: 547, idled: 64
expire: 236, allow-idle: 300
flag(30): radius idle
server: 10.47.8.250
==> User session after disconnect/bounce from the network (the user no longer appears in the list).
Alza-kvm21 # diagnose firewall auth list | grep -A5 "test1"
Alza-kvm21 #