RADIUS Termination-Action AVP in wired and wireless scenarios

When authenticating with RADIUS in a wired or wireless scenario, the FortiGate can support proper handling of the Termination-Action AVP.

In a wired scenario, a hardware switch configured with 802.1X security authentication can read the Termination-Action attribute value from the RADIUS Access-Accept response. If the Termination-Action is 1, the FortiGate will initiate re-authentication when the session time has expired. During re-authentication, the port stays authorized. If the Termination-Action is 0, the session will be terminated.

In a wireless scenario, when a virtual AP is configured with WPA2-Enterprise security with RADIUS and has CoA enabled, it processes the RADIUS CoA request immediately upon receiving it and re-authenticates when the Termination-Action is 1.

Wired example

This example has a FortiGate configured with a hardware switch with two ports: port3 and port5. The hardware switch is enabled with 802.1X security and assigned to a RADIUS user group. Upon a successful authentication, the RADIUS server responds with an Access-Accept containing the authentication Session-Timeout and Termination-Action attributes. In this example, the Termination-Action value is 1, which informs the client to re-authenticate when the session time expires. During this time, the FortiGate keeps the client/port authorized while it initiates the re-authentication with the RADIUS server.

The message exchange is as follows:

To configure the RADIUS server and the FortiGate to handle the Termination-Action AVP:
  1. On the RADIUS server, configure the Termination-Action AVP with the value RADIUS-Request (1) to indicate that re-authentication should occur upon expiration of the Session-Timeout.
  2. On the FortiGate, configure the RADIUS server:
    config user radius
        edit "rad1"
            set server "172.18.60.203"
            set secret ENC **********
            set radius-coa enable
            config accounting-server
                edit 1
                    set status enable
                    set server "172.18.60.203"
                    set secret ENC **********
                next
            end
        next
    end
  3. Configure the RADIUS user group:
    config user group
        edit "group_radius"
            set member "rad1"
        next
    end
  4. Configure the hardware switch with 802.1X enabled.
    1. Configure the virtual switch settings:
      config system virtual-switch
          edit hw2
              set physical-switch "sw0"
              config port
                  edit port3
                  next
                  edit port5
                  next
              end
          next
      end
    2. Configure the interface settings:
      config system interface
          edit hw2
              set vdom vdom1
              set ip 6.6.6.1 255.255.255.0
              set allowaccess ping https ssh
              set stp enable
              set security-mode 802.1X
              set security-groups "group_radius"
          next
      end
      
      WARNING: Changing 802.1X could interrupt network connectivity on affected interfaces.
      Do you want to continue? (y/n)y
  5. On the client device, initiate 802.1X authentication, then verify that the switch port shows as authorized:
    # diagnose sys 802-1x status
    Virtual switch 'hw2' (default mode) 802.1x member status:
      port3: Link up, 802.1X state: unauthorized
      port5: Link up, 802.1X state: authorized
  6. After successful authentication, wait for the session to time out.
  7. The FortiGate will keep the 802.1X port authenticated, and initiate re-authentication with the same Acct-Session-Id to the RADIUS server. The 802.1X status of the port remains unchanged:
    # diagnose sys 802-1x status
    Virtual switch 'hw2' (default mode) 802.1x member status:
      port3: Link up, 802.1X state: unauthorized
      port5: Link up, 802.1X state: authorized

Wireless example

In this example, a virtual AP is configured with WPA2-Enterprise security with RADIUS and has CoA enabled. After a wireless user authenticates and connects to the wireless SSID, the RADIUS server triggers a CoA event carrying a Session-Timeout AVP and a Termination-Action of 1. This signals the FortiGate to trigger re-authentication of the client, which the client immediately performs to stay connected to the wireless SSID.

The message exchange is as follows:

To configure the FortiGate to handle the Termination-Action AVP:
  1. Configure the RADIUS server:
    config user radius
        edit "peap"
            set server "172.16.200.55"
            set secret **********
            set radius-coa enable
        next
    end
  2. Configure the VAP:
    config wireless-controller vap
        edit "wifi"
            set ssid "FWF-60E-coa"
            set security wpa2-only-enterprise
            set auth radius
            set radius-server "peap"
            set schedule "always"
        next
    end
  3. Verify that the wireless station connects to the SSID:
    # diagnose wireless-controller wlac -d sta online
       vf=0 wtp=1 rId=1 wlan=wifi vlan_id=0 ip=10.10.80.2 ip6=:: mac=**:**:**:**:**:** vci= host=wifi-qa-01 user=test1 group=group1 signal=-28 noise=-95 idle=1 bw=0 use=6 chan=149 radio_type=11AC security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2
  4. From the RADIUS server, manually trigger a RADIUS CoA event.
    1. RADIUS CoA sent to the FortiGate:
      Sent CoA-Request Id 7 from 0.0.0.0:54158 to 172.16.200.201:3799 length 39
          User-Name = "test1"
          Session-Timeout = 120
          Termination-Action = RADIUS-Request
    2. RADIUS CoA-ACK received from the FortiGate:
      Received CoA-ACK Id 7 from 172.16.200.201:3799 to 0.0.0.0:0 length 44
          Event-Timestamp = "Jan  5 2022 14:43:12 PST"
          Message-Authenticator = 0x3311ba3b763d68da653ab34351b0308
  5. On the wireless station console, verify that the re-authentication happens immediately:
    root@wifi-qa-01:/home/wpa-test# wlan1: CTRL-EVENT-EAP-STARTED EAP authentication started
    wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
    wlan1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
    EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
    wlan1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
    wlan1: PMKSA-CACHE-REMOVED **:**:**:**:**:** 0
    wlan1: PMKSA-CACHE-ADDED **:**:**:**:**:** 0
    wlan1: WPA: Key negotiation completed with **:**:**:**:**:** [PTK=CCMP GTK=CCMP]
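The CoA-Request captured in step 4 carries exactly the three AVPs a NAS needs to decide between re-authentication and termination. The following Python is an added example, not Fortinet code: it encodes that request per RFC 2865/5176, verifies its Request Authenticator with a constructed shared secret, and applies the Termination-Action rule described in both the wired and wireless sections. The secret and the parsed packet are constructed here; the resulting 39-byte length matches the page's capture.

```python
import hashlib, hmac, struct

# RADIUS code and attribute types used on this page (RFC 2865, RFC 5176)
COA_REQUEST = 43
ATTR_USER_NAME, ATTR_SESSION_TIMEOUT, ATTR_TERMINATION_ACTION = 1, 27, 29
TERM_DEFAULT, TERM_RADIUS_REQUEST = 0, 1  # 0 = terminate session, 1 = re-authenticate

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS AVPs: type(1) length(1) value."""
    out = b""
    for typ, val in attrs:
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out

def build_coa_request(ident, secret, username, session_timeout, term_action):
    """Build a CoA-Request like the one on the page (User-Name, Session-Timeout, Termination-Action)."""
    attrs = encode_attrs([(ATTR_USER_NAME, username.encode()),
                          (ATTR_SESSION_TIMEOUT, struct.pack("!I", session_timeout)),
                          (ATTR_TERMINATION_ACTION, struct.pack("!I", term_action))])
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # RFC 5176 Request Authenticator: MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs

def verify_coa_request(pkt, secret):
    """Recompute the Request Authenticator; a NAS must drop CoA packets that fail this check."""
    head, auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    return hmac.compare_digest(auth, hashlib.md5(head + bytes(16) + attrs + secret).digest())

def parse_attrs(pkt):
    """Decode AVPs into {type: value}, rejecting bad lengths instead of reading past the end."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("RADIUS length field does not match packet length")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        typ, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed AVP length")
        attrs[typ] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, attrs

def session_action(attrs):
    """At Session-Timeout expiry: Termination-Action 1 (RADIUS-Request) means re-authenticate
    and keep the port authorized; 0 or absent means terminate the session."""
    if ATTR_SESSION_TIMEOUT not in attrs:
        return "no-timeout"
    raw = attrs.get(ATTR_TERMINATION_ACTION, struct.pack("!I", TERM_DEFAULT))
    if len(raw) != 4:
        raise ValueError("Termination-Action must be a 4-byte integer")
    return "reauthenticate" if struct.unpack("!I", raw)[0] == TERM_RADIUS_REQUEST else "terminate"
```

A CoA with an altered Termination-Action fails the authenticator check, which is why the NAS validates before acting on the new session parameters.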