Fortinet white logo
Fortinet white logo

Administration Guide

Traffic shaping based on dynamic RADIUS VSAs

Traffic shaping based on dynamic RADIUS VSAs

A FortiGate can use the WISPr-Bandwidth-Max-Down and WISPr-Bandwidth-Max-Up dynamic RADIUS VSAs (vendor-specific attributes) to control the traffic rates permitted for a certain device. The FortiGate can apply different traffic shaping to different users who authenticate with RADIUS based on the returned RADIUS VSA values. When the same user logs in from an additional device, the RADIUS server will send a CoA (change of authorization) message to update the bandwidth values to 1/N of the total values, where N is the number of logged in devices from the same user.

Note

This feature is not supported on NP hardware. NP offloading is automatically disabled on the policy if this feature is enabled.

When a user logs in to two devices through RADIUS authentication. The authentication and authorization flow is as follows:

  1. The user logs in to a device and the authentication is sent to the FortiGate.
  2. The FortiGate sends the Access-Request message to the RADIUS server.
  3. The RADIUS server sends the Access-Accept message to the FortiGate. The server also returns the WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down VSAs.
  4. Based on the VSA values, the FortiGate applies traffic shaping for the upload and download speeds based on its IP.
  5. The user logs in to a second device and the authentication is sent to the FortiGate.
  6. The FortiGate sends the Access-Request message to the RADIUS server.
  7. The RADIUS server sends the Access-Accept message to the FortiGate. The server also returns the WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down VSAs at half the value from the first device.
  8. Based on the VSA values, the FortiGate applies traffic shaping for the upload and download speeds on the second device based on its IP.
  9. The RADIUS server sends a CoA message and returns WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down VSAs for the first device at half the value.
  10. Based on the VSA values, the FortiGate updates traffic shaping for the upload and download speeds on the first device based on its IP.

Example

In this example, the FortiGate is configured to dynamically shape user traffic based on the WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down VSAs returned by the RADIUS server when the user logs in through firewall authentication.

To configure traffic shaping based on dynamic RADIUS VSAs:
  1. Configure the RADIUS server users file to identify WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down:
    Note

    The WISPr-Bandwidth is measured in bps, and the FortiOS dynamic shaper is measured in Bps.

    WISPr-Bandwidth-Max-Up = 1004857,
    WISPr-Bandwidth-Max-Down = 504857,
  2. In FortiOS, configure the RADIUS server:
    config user radius
        edit "rad1"
            set server "172.16.200.44"
            set secret ************
            set radius-coa enable
            set acct-all-servers enable
            config accounting-server
                edit 1
                    set status enable
                    set server "172.16.200.44"
                    set secret ************
                next
            end
        next
    end
  3. Configure the RADIUS user group:
    config user group
        edit "group_radius"
            set member "rad1"
        next
    end
  4. Configure the firewall policy with dynamic shaping and the RADIUS group:
    config firewall policy
        edit 2
            set srcintf "port2"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all6"
            set dstaddr6 "all6"
            set action accept
            set schedule "always"
            set service "ALL"
            set dynamic-shaping enable
            set groups "group_radius"
            set nat enable
        next
    end

Verification

After a client PC is authenticated by the RADIUS server, dynamic shaping is applied to the client based on the IP address.

Use the following commands to monitor the dynamic shaper:

# diagnose firewall shaper dynamic-shaper stats
# diagnose firewall shaper dynamic-shaper list {ip | ipv6 | user} <address or username>

Use case 1

User1 is paying for rate plan A that limits their maximum bandwidth to 10 Mbps download and 5 Mbps upload. User2 is paying for rate plan B that limits their maximum bandwidth to 5 Mbps download and 5 Mbps upload. The speeds in both plans are provided by best effort, so there is no guaranteed minimum bandwidth.

User1 logs in to pc1 with RADIUS authentication and IP-based dynamic shaping is applied. User2 logs in to pc2 with RADIUS authentication and IP-based dynamic shaping is applied.

To verify the dynamic shaping:
  1. On pc1, verify the bandwidth and transfer speed:
    root@pc1:~# iperf -c 172.16.200.44 -u -t 25 -b 20M
    ------------------------------------------------------------
    Client connecting to 172.16.200.44, UDP port 5001
    Sending 1470 byte datagrams
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  3] local 10.1.100.11 port 50510 connected with 172.16.200.44 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-25.0 sec  59.6 MBytes  20.0 Mbits/sec
    [  3] Sent 42518 datagrams
    [  3] Server Report:
    [  3]  0.0-25.3 sec  30.1 MBytes  9.99 Mbits/sec  15.651 ms 21058/42518 (50%)
  2. On pc2, verify the bandwidth and transfer speed:
    root@pc2:~# iperf -c 172.16.200.44 -u -t 25 -b 20M
    ------------------------------------------------------------
    Client connecting to 172.16.200.44, UDP port 5001
    Sending 1470 byte datagrams
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  3] local 10.1.100.22 port 52814 connected with 172.16.200.44 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-25.0 sec  59.6 MBytes  20.0 Mbits/sec
    [  3] Sent 42518 datagrams
    [  3] Server Report:
    [  3]  0.0-25.3 sec  15.1 MBytes  5.03 Mbits/sec  15.652 ms 31710/42514 (75%)
  3. In FortiOS, check the authentication list:
    # diagnose firewall auth  list                
    10.1.100.11, test-shaper1
            src_mac: **:**:**:**:**:**
            type: fw, id: 0, duration: 38, idled: 16
            expire: 562
            flag(814): hard radius no_idle
            server: rad1
            packets: in 8207 out 3999, bytes: in 12306164 out 226963
            group_id: 3
            group_name: group_radius
    10.1.100.22, test-shaper2
            src_mac: **:**:**:**:**:**
            type: fw, id: 0, duration: 24, idled: 24
            expire: 156, max-life: 35976
            flag(814): hard radius no_idle
            server: rad1
            packets: in 0 out 5, bytes: in 0 out 300
            group_id: 3
            group_name: group_radius
    ----- 2 listed, 0 filtered ------
  4. Check the dynamic shaper list:
    # diagnose firewall shaper dynamic-shaper list
    addr: 10.1.100.11
    bandwidth(original/reply): 1250000 Bps/625000 Bps
    current bandwidth(original/reply): 1237072 Bps/0 Bps
    allow packets(original/reply): 38524/14
    allow bytes(original/reply): 55270378/11285
    drop packets(original/reply): 10136/0
    drop bytes(original/reply): 13516198/0
    life: 441
    idle: 0/40
    idle time limit: 600 s
    
    addr: 10.1.100.22
    bandwidth(original/reply): 625000 Bps/625000 Bps
    current bandwidth(original/reply): 622909 Bps/0 Bps
    allow packets(original/reply): 3232/3
    allow bytes(original/reply): 4841536/243
    drop packets(original/reply): 2753/0
    drop bytes(original/reply): 4123994/0
    life: 10
    idle: 0/10
    idle time limit: 36000 s
  5. Check the session list:
    # diagnose sys session list
    session info: proto=6 proto_state=05 duration=3 expire=116 timeout=3600 flags=00000004 socktype=4 sockport=10001 av_idx=0 use=4
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=redir log local may_dirty auth dst-vis f00 dynamic_shaping
    statistic(bytes/packets/allow_err): org=0/0/0 reply=638/4/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 185/1
    orgin->sink: org pre->post, reply pre->post dev=20->17/17->20 gwy=172.16.200.44/0.0.0.0
    hook=pre dir=org act=noop 10.1.100.22:35561->172.16.200.44:80(0.0.0.0:0)
    hook=post dir=reply act=noop 172.16.200.44:80->10.1.100.22:35561(0.0.0.0:0)
    pos/(before,after) 0/(0,0), 0/(0,0)
    src_mac=**:**:**:**:**:**  dst_mac=**:**:**:**:**:**
    misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=1
    serial=0005994d tos=ff/ff app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=0 sdwan_service_id=0
    rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
    npu_state=0x000001 no_offload
    no_ofld_reason:  redir-to-av auth disabled-by-policy
    
    session info: proto=6 proto_state=05 duration=122 expire=38 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
    user=test-shaper1 auth_server=rad1 state=log may_dirty authed f00 dynamic_shaping acct-ext
    statistic(bytes/packets/allow_err): org=383611/6604/1 reply=26382470/17592/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=20->17/17->20 gwy=172.16.200.44/10.2.2.1
    hook=post dir=org act=snat 10.1.100.11:54140->172.16.200.44:80(172.16.200.2:54140)
    hook=pre dir=reply act=dnat 172.16.200.44:80->172.16.200.2:54140(10.1.100.11:54140)
    pos/(before,after) 0/(0,0), 0/(0,0)
    src_mac=**:**:**:**:**:**  dst_mac=**:**:**:**:**:**
    misc=0 policy_id=2 auth_info=3 chk_client_info=0 vd=1
    serial=000598c5 tos=ff/ff app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=0 sdwan_service_id=0
    rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
    npu_state=0x000001 no_offload
    no_ofld_reason:  disabled-by-policy
    total session 2
  6. Check the policy traffic:
    # diagnose firewall iprope list 100004
    policy index=2 uuid_idx=60 action=accept
    flag (8052128): redir auth nat nids_raw master use_src pol_stats
    flag2 (4030): fw wsso resolve_sso
    flag3 (200000b0): !sp link-local best-route dynamic-shaping
    schedule(always)
    cos_fwd=255  cos_rev=255
    group=00100004 av=00004e20 au=00000003 split=00000000
    host=1 chk_client_info=0x1 app_list=0 ips_view=0
    misc=0
    zone(1): 20 -> zone(1): 17
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=32,
    dest(1): 0.0.0.0-255.255.255.255, uuid_idx=32,
    user group(1): 3
    service(1):
            [0:0x0:0/(0,65535)->(0,65535)] helper:auto

Use case 2

A user logs in to a device (pc1, 10.1.100.11 ) and has a maximum bandwidth of 10 Mbps download and 5 Mbps upload. The same user logs in to a second device (pc2, 10.1.100.22) and the RADIUS server sends a CoA request with the WISPr-Bandwidth-Max to pc1. The maximum bandwidth on pc1 changes to 5 Mbps download and 2.5Mbps upload. On pc2, the maximum bandwidth is also 5 Mbps download and 2.5Mbps upload.

When the user logs out from pc1, the RADIUS server sends CoA request with the new WISPr-Bandwidth-Max for pc2. The FortiGate updates the authentication user list and dynamic shaper for pc2. The maximum bandwidth on pc2 changes to 10 Mbps download and 5 Mbps upload.

To verify the dynamic shaping:
  1. Check the dynamic shaper list after the user logs in to pc1:
    # diagnose firewall shaper dynamic-shaper list
    addr: 10.1.100.11
    bandwidth(original/reply): 1250000 Bps/625000 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
    allow packets(original/reply): 0/3
    allow bytes(original/reply): 0/243
    drop packets(original/reply): 0/0
    drop bytes(original/reply): 0/0
    life: 491
    idle: 4/4
    idle time limit: 86400 s
  2. Check the dynamic shaper list after the user logs in to pc2:
    # diagnose firewall shaper dynamic-shaper list
    addr: 10.1.100.11
    bandwidth(original/reply): 625000 Bps/312500 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
    allow packets(original/reply): 0/0
    allow bytes(original/reply): 0/0
    drop packets(original/reply): 0/0
    drop bytes(original/reply): 0/0
    life: 652
    idle: 5/5
    idle time limit: 600 s
    
    addr: 10.1.100.22
    bandwidth(original/reply): 625000 Bps/312500 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
    allow packets(original/reply): 0/3
    allow bytes(original/reply): 0/243
    drop packets(original/reply): 0/0
    drop bytes(original/reply): 0/0
    life: 3
    idle: 3/3
    idle time limit: 86400 s
  3. Check the authentication list:
    # diagnose firewall auth list
    10.1.100.11, test
            src_mac: **:**:**:**:**:**
            type: fw, id: 0, duration: 171, idled: 11
            expire: 589, max-life: 589
            flag(814): hard radius no_idle
            server: rad1
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 15
            group_name: group_radius
    10.1.100.22, test
            src_mac: **:**:**:**:**:**
            type: fw, id: 0, duration: 9, idled: 9
            expire: 86391
            flag(814): hard radius no_idle
            server: rad1
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 15
            group_name: group_radius
    ----- 2 listed, 0 filtered ------
  4. Check the dynamic shaper list after the user logs out from pc1:
    # diagnose firewall shaper dynamic-shaper list
    addr: 10.1.100.22
    bandwidth(original/reply): 1250000 Bps/625000 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
    allow packets(original/reply): 0/0
    allow bytes(original/reply): 0/0
    drop packets(original/reply): 0/0
    drop bytes(original/reply): 0/0
    life: 414
    idle: 9/9
    idle time limit: 600 s
  5. Check the authentication list again:
    # diagnose firewall auth  list
    10.1.100.22, test
            src_mac: **:**:**:**:**:**
            type: fw, id: 0, duration: 453, idled: 49
            expire: 551, max-life: 551
            flag(814): hard radius no_idle
            server: rad1
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 15
            group_name: group_radius
    ----- 1 listed, 0 filtered ------

Traffic shaping based on dynamic RADIUS VSAs

Traffic shaping based on dynamic RADIUS VSAs

A FortiGate can use the WISPr-Bandwidth-Max-Down and WISPr-Bandwidth-Max-Up dynamic RADIUS VSAs (vendor-specific attributes) to control the traffic rates permitted for a certain device. The FortiGate can apply different traffic shaping to different users who authenticate with RADIUS based on the returned RADIUS VSA values. When the same user logs in from an additional device, the RADIUS server will send a CoA (change of authorization) message to update the bandwidth values to 1/N of the total values, where N is the number of logged in devices from the same user.

Note

This feature is not supported on NP hardware. NP offloading is automatically disabled on the policy if this feature is enabled.

When a user logs in to two devices through RADIUS authentication. The authentication and authorization flow is as follows:

  1. The user logs in to a device and the authentication is sent to the FortiGate.
  2. The FortiGate sends the Access-Request message to the RADIUS server.
  3. The RADIUS server sends the Access-Accept message to the FortiGate. The server also returns the WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down VSAs.
  4. Based on the VSA values, the FortiGate applies traffic shaping for the upload and download speeds based on its IP.
  5. The user logs in to a second device and the authentication is sent to the FortiGate.
  6. The FortiGate sends the Access-Request message to the RADIUS server.
  7. The RADIUS server sends the Access-Accept message to the FortiGate. The server also returns the WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down VSAs at half the value from the first device.
  8. Based on the VSA values, the FortiGate applies traffic shaping for the upload and download speeds on the second device based on its IP.
  9. The RADIUS server sends a CoA message and returns WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down VSAs for the first device at half the value.
  10. Based on the VSA values, the FortiGate updates traffic shaping for the upload and download speeds on the first device based on its IP.

Example

In this example, the FortiGate is configured to dynamically shape user traffic based on the WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down VSAs returned by the RADIUS server when the user logs in through firewall authentication.

To configure traffic shaping based on dynamic RADIUS VSAs:
  1. Configure the RADIUS server users file to identify WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down:
    Note

    The WISPr-Bandwidth is measured in bps, and the FortiOS dynamic shaper is measured in Bps.

    WISPr-Bandwidth-Max-Up = 1004857,
    WISPr-Bandwidth-Max-Down = 504857,
  2. In FortiOS, configure the RADIUS server:
    config user radius
        edit "rad1"
            set server "172.16.200.44"
            set secret ************
            set radius-coa enable
            set acct-all-servers enable
            config accounting-server
                edit 1
                    set status enable
                    set server "172.16.200.44"
                    set secret ************
                next
            end
        next
    end
  3. Configure the RADIUS user group:
    config user group
        edit "group_radius"
            set member "rad1"
        next
    end
  4. Configure the firewall policy with dynamic shaping and the RADIUS group:
    config firewall policy
        edit 2
            set srcintf "port2"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all6"
            set dstaddr6 "all6"
            set action accept
            set schedule "always"
            set service "ALL"
            set dynamic-shaping enable
            set groups "group_radius"
            set nat enable
        next
    end

Verification

After a client PC is authenticated by the RADIUS server, dynamic shaping is applied to the client based on the IP address.

Use the following commands to monitor the dynamic shaper:

# diagnose firewall shaper dynamic-shaper stats
# diagnose firewall shaper dynamic-shaper list {ip | ipv6 | user} <address or username>

Use case 1

User1 is paying for rate plan A that limits their maximum bandwidth to 10 Mbps download and 5 Mbps upload. User2 is paying for rate plan B that limits their maximum bandwidth to 5 Mbps download and 5 Mbps upload. The speeds in both plans are provided by best effort, so there is no guaranteed minimum bandwidth.

User1 logs in to pc1 with RADIUS authentication and IP-based dynamic shaping is applied. User2 logs in to pc2 with RADIUS authentication and IP-based dynamic shaping is applied.

To verify the dynamic shaping:
  1. On pc1, verify the bandwidth and transfer speed:
    root@pc1:~# iperf -c 172.16.200.44 -u -t 25 -b 20M
    ------------------------------------------------------------
    Client connecting to 172.16.200.44, UDP port 5001
    Sending 1470 byte datagrams
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  3] local 10.1.100.11 port 50510 connected with 172.16.200.44 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-25.0 sec  59.6 MBytes  20.0 Mbits/sec
    [  3] Sent 42518 datagrams
    [  3] Server Report:
    [  3]  0.0-25.3 sec  30.1 MBytes  9.99 Mbits/sec  15.651 ms 21058/42518 (50%)
  2. On pc2, verify the bandwidth and transfer speed:
    root@pc2:~# iperf -c 172.16.200.44 -u -t 25 -b 20M
    ------------------------------------------------------------
    Client connecting to 172.16.200.44, UDP port 5001
    Sending 1470 byte datagrams
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  3] local 10.1.100.22 port 52814 connected with 172.16.200.44 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-25.0 sec  59.6 MBytes  20.0 Mbits/sec
    [  3] Sent 42518 datagrams
    [  3] Server Report:
    [  3]  0.0-25.3 sec  15.1 MBytes  5.03 Mbits/sec  15.652 ms 31710/42514 (75%)
  3. In FortiOS, check the authentication list:
    # diagnose firewall auth  list                
    10.1.100.11, test-shaper1
            src_mac: **:**:**:**:**:**
            type: fw, id: 0, duration: 38, idled: 16
            expire: 562
            flag(814): hard radius no_idle
            server: rad1
            packets: in 8207 out 3999, bytes: in 12306164 out 226963
            group_id: 3
            group_name: group_radius
    10.1.100.22, test-shaper2
            src_mac: **:**:**:**:**:**
            type: fw, id: 0, duration: 24, idled: 24
            expire: 156, max-life: 35976
            flag(814): hard radius no_idle
            server: rad1
            packets: in 0 out 5, bytes: in 0 out 300
            group_id: 3
            group_name: group_radius
    ----- 2 listed, 0 filtered ------
  4. Check the dynamic shaper list:
    # diagnose firewall shaper dynamic-shaper list
    addr: 10.1.100.11
    bandwidth(original/reply): 1250000 Bps/625000 Bps
    current bandwidth(original/reply): 1237072 Bps/0 Bps
    allow packets(original/reply): 38524/14
    allow bytes(original/reply): 55270378/11285
    drop packets(original/reply): 10136/0
    drop bytes(original/reply): 13516198/0
    life: 441
    idle: 0/40
    idle time limit: 600 s
    
    addr: 10.1.100.22
    bandwidth(original/reply): 625000 Bps/625000 Bps
    current bandwidth(original/reply): 622909 Bps/0 Bps
    allow packets(original/reply): 3232/3
    allow bytes(original/reply): 4841536/243
    drop packets(original/reply): 2753/0
    drop bytes(original/reply): 4123994/0
    life: 10
    idle: 0/10
    idle time limit: 36000 s
  5. Check the session list:
    # diagnose sys session list
    session info: proto=6 proto_state=05 duration=3 expire=116 timeout=3600 flags=00000004 socktype=4 sockport=10001 av_idx=0 use=4
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=redir log local may_dirty auth dst-vis f00 dynamic_shaping
    statistic(bytes/packets/allow_err): org=0/0/0 reply=638/4/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 185/1
    orgin->sink: org pre->post, reply pre->post dev=20->17/17->20 gwy=172.16.200.44/0.0.0.0
    hook=pre dir=org act=noop 10.1.100.22:35561->172.16.200.44:80(0.0.0.0:0)
    hook=post dir=reply act=noop 172.16.200.44:80->10.1.100.22:35561(0.0.0.0:0)
    pos/(before,after) 0/(0,0), 0/(0,0)
    src_mac=**:**:**:**:**:**  dst_mac=**:**:**:**:**:**
    misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=1
    serial=0005994d tos=ff/ff app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=0 sdwan_service_id=0
    rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
    npu_state=0x000001 no_offload
    no_ofld_reason:  redir-to-av auth disabled-by-policy
    
    session info: proto=6 proto_state=05 duration=122 expire=38 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
    user=test-shaper1 auth_server=rad1 state=log may_dirty authed f00 dynamic_shaping acct-ext
    statistic(bytes/packets/allow_err): org=383611/6604/1 reply=26382470/17592/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=20->17/17->20 gwy=172.16.200.44/10.2.2.1
    hook=post dir=org act=snat 10.1.100.11:54140->172.16.200.44:80(172.16.200.2:54140)
    hook=pre dir=reply act=dnat 172.16.200.44:80->172.16.200.2:54140(10.1.100.11:54140)
    pos/(before,after) 0/(0,0), 0/(0,0)
    src_mac=**:**:**:**:**:**  dst_mac=**:**:**:**:**:**
    misc=0 policy_id=2 auth_info=3 chk_client_info=0 vd=1
    serial=000598c5 tos=ff/ff app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=0 sdwan_service_id=0
    rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
    npu_state=0x000001 no_offload
    no_ofld_reason:  disabled-by-policy
    total session 2
  6. Check the policy traffic:
    # diagnose firewall iprope list 100004
    policy index=2 uuid_idx=60 action=accept
    flag (8052128): redir auth nat nids_raw master use_src pol_stats
    flag2 (4030): fw wsso resolve_sso
    flag3 (200000b0): !sp link-local best-route dynamic-shaping
    schedule(always)
    cos_fwd=255  cos_rev=255
    group=00100004 av=00004e20 au=00000003 split=00000000
    host=1 chk_client_info=0x1 app_list=0 ips_view=0
    misc=0
    zone(1): 20 -> zone(1): 17
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=32,
    dest(1): 0.0.0.0-255.255.255.255, uuid_idx=32,
    user group(1): 3
    service(1):
            [0:0x0:0/(0,65535)->(0,65535)] helper:auto

Use case 2

A user logs in to a device (pc1, 10.1.100.11 ) and has a maximum bandwidth of 10 Mbps download and 5 Mbps upload. The same user logs in to a second device (pc2, 10.1.100.22) and the RADIUS server sends a CoA request with the WISPr-Bandwidth-Max to pc1. The maximum bandwidth on pc1 changes to 5 Mbps download and 2.5Mbps upload. On pc2, the maximum bandwidth is also 5 Mbps download and 2.5Mbps upload.

When the user logs out from pc1, the RADIUS server sends CoA request with the new WISPr-Bandwidth-Max for pc2. The FortiGate updates the authentication user list and dynamic shaper for pc2. The maximum bandwidth on pc2 changes to 10 Mbps download and 5 Mbps upload.

To verify the dynamic shaping:
  1. Check the dynamic shaper list after the user logs in to pc1:
    # diagnose firewall shaper dynamic-shaper list
    addr: 10.1.100.11
    bandwidth(original/reply): 1250000 Bps/625000 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
    allow packets(original/reply): 0/3
    allow bytes(original/reply): 0/243
    drop packets(original/reply): 0/0
    drop bytes(original/reply): 0/0
    life: 491
    idle: 4/4
    idle time limit: 86400 s
  2. Check the dynamic shaper list after the user logs in to pc2:
    # diagnose firewall shaper dynamic-shaper list
    addr: 10.1.100.11
    bandwidth(original/reply): 625000 Bps/312500 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
    allow packets(original/reply): 0/0
    allow bytes(original/reply): 0/0
    drop packets(original/reply): 0/0
    drop bytes(original/reply): 0/0
    life: 652
    idle: 5/5
    idle time limit: 600 s
    
    addr: 10.1.100.22
    bandwidth(original/reply): 625000 Bps/312500 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
    allow packets(original/reply): 0/3
    allow bytes(original/reply): 0/243
    drop packets(original/reply): 0/0
    drop bytes(original/reply): 0/0
    life: 3
    idle: 3/3
    idle time limit: 86400 s
  3. Check the authentication list:
    # diagnose firewall auth list
    10.1.100.11, test
            src_mac: **:**:**:**:**:**
            type: fw, id: 0, duration: 171, idled: 11
            expire: 589, max-life: 589
            flag(814): hard radius no_idle
            server: rad1
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 15
            group_name: group_radius
    10.1.100.22, test
            src_mac: **:**:**:**:**:**
            type: fw, id: 0, duration: 9, idled: 9
            expire: 86391
            flag(814): hard radius no_idle
            server: rad1
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 15
            group_name: group_radius
    ----- 2 listed, 0 filtered ------
  4. Check the dynamic shaper list after the user logs out from pc1:
    # diagnose firewall shaper dynamic-shaper list
    addr: 10.1.100.22
    bandwidth(original/reply): 1250000 Bps/625000 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
    allow packets(original/reply): 0/0
    allow bytes(original/reply): 0/0
    drop packets(original/reply): 0/0
    drop bytes(original/reply): 0/0
    life: 414
    idle: 9/9
    idle time limit: 600 s
  5. Check the authentication list again:
    # diagnose firewall auth  list
    10.1.100.22, test
            src_mac: **:**:**:**:**:**
            type: fw, id: 0, duration: 453, idled: 49
            expire: 551, max-life: 551
            flag(814): hard radius no_idle
            server: rad1
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 15
            group_name: group_radius
    ----- 1 listed, 0 filtered ------