Support RADIUS accounting interim update on roaming for WPA Enterprise security 7.4.2
This enhancement adds a CLI option to support accounting interim updates on SSIDs using RADIUS authentication with a WPA Enterprise security mode. This accounting message resolves compatibility issues with Cisco's Identity Services Engine (ISE) session stitching feature. When a Wi-Fi station roams between FortiAPs, the FortiGate creates an "Interim-Update" accounting message with the same "Acct-Session-Id" value to avoid interrupting the ISE session.
CLI Changes:

    config wireless-controller vap
        edit <name>
            set security wpa2-only-enterprise
            set roaming-acct-interim-update enable
        next
    end

Note that roaming-acct-interim-update can only be enabled when the security mode is set to a WPA Enterprise type.
Example Topology:
To enable roaming account interim updates - CLI:

- Create a RADIUS server with an accounting server:

    config user radius
        edit "peap"
            set server "172.18.56.104"
            set secret ENC
            set nas-ip 192.168.1.10
            set nas-id-type custom
            set nas-id "FWF-61F-AUTH"
            set acct-interim-interval 300
            set radius-coa enable
            set password-renewal disable
            config accounting-server
                edit 1
                    set status enable
                    set server "172.18.56.104"
                    set secret ENC
                next
            end
        next
    end

- Create a WPA2-Enterprise SSID with the authentication method set to radius and the RADIUS server set to the one you previously configured (peap):

    config wireless-controller vap
        edit "wifi4"
            set ssid "FOS_61F_ENT"
            set security wpa2-only-enterprise
            set auth radius
            set radius-server "peap"
            set schedule "always"
        next
    end

- Enable roaming-acct-interim-update on that SSID:

    config wireless-controller vap
        edit "wifi4"
            set ssid "FOS_61F_ENT"
            set security wpa2-only-enterprise
            set auth radius
            set radius-server "peap"
            set schedule "always"
            set roaming-acct-interim-update enable
        next
    end

- Apply this SSID to the FortiAPs you want to roam between.
To verify that roaming account interim updates are successful:

- Connect a Wi-Fi client to one FortiAP (FAP23JF) and check that the Acct-Status-Type is Start. Take note of the Acct-Session-Id value (653FE2DC00000003).

    Mon Oct 30 10:17:45 2023
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        User-Name = "tester"
        NAS-IP-Address = 192.168.1.10
        NAS-Identifier = "FWF-61F-AUTH"
        Called-Station-Id = "E0-23-FF-B2-15-48:FOS_61F_ENT"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        NAS-Port = 1
        Fortinet-SSID = "FOS_61F_ENT"
        Fortinet-AP-Name = "FP23JFTF20000015"
        Calling-Station-Id = "5C-1B-F4-89-F4-36"
        Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AX_5G"
        Acct-Session-Id = "653FE2DC00000003"

- Let the Wi-Fi client roam to a different FortiAP (FAP223E) and verify that the Acct-Status-Type is Interim-Update and that the Acct-Session-Id value remains the same as before (653FE2DC00000003).

    Mon Oct 30 10:36:37 2023
        Acct-Status-Type = Interim-Update
        Acct-Authentic = RADIUS
        User-Name = "tester"
        NAS-IP-Address = 192.168.1.10
        NAS-Identifier = "FWF-61F-AUTH"
        Called-Station-Id = "E8-1C-BA-9E-5D-98:FOS_61F_ENT"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        NAS-Port = 1
        Fortinet-SSID = "FOS_61F_ENT"
        Fortinet-AP-Name = "DESK-223E"
        Calling-Station-Id = "5C-1B-F4-89-F4-36"
        Connect-Info = "CONNECT 0/0Mbps(Tx/Rx) 11AC"
        Acct-Session-Id = "653FE2DC00000003"
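As an added example (not part of Fortinet's documentation or of FortiOS), the following Python checker parses accounting records in the detail-file layout shown above and reports, per client MAC, whether each move between FortiAPs kept the same Acct-Session-Id, which is the condition ISE session stitching depends on. The "tester" records reuse the page's values; the second client MAC, its session IDs and timestamps are constructed to show what a broken roam (Stop followed by a new Start) looks like.

```python
from collections import defaultdict
# Constructed detail-file excerpt: timestamp line, tab-indented attributes, blank
# line between records. Client AA-BB-CC-00-11-22 and its session IDs are made up.
SAMPLE = """\
Mon Oct 30 10:17:45 2023
\tAcct-Status-Type = Start
\tCalling-Station-Id = "5C-1B-F4-89-F4-36"
\tFortinet-AP-Name = "FP23JFTF20000015"
\tAcct-Session-Id = "653FE2DC00000003"

Mon Oct 30 10:36:37 2023
\tAcct-Status-Type = Interim-Update
\tCalling-Station-Id = "5C-1B-F4-89-F4-36"
\tFortinet-AP-Name = "DESK-223E"
\tAcct-Session-Id = "653FE2DC00000003"

Mon Oct 30 10:40:00 2023
\tAcct-Status-Type = Stop
\tCalling-Station-Id = "AA-BB-CC-00-11-22"
\tFortinet-AP-Name = "FP23JFTF20000015"
\tAcct-Session-Id = "653FE2DC00000004"

Mon Oct 30 10:40:01 2023
\tAcct-Status-Type = Start
\tCalling-Station-Id = "AA-BB-CC-00-11-22"
\tFortinet-AP-Name = "DESK-223E"
\tAcct-Session-Id = "653FE2DC00000005"
"""
def parse_detail(text):
    """Split detail-file text into one dict per record (first line = timestamp)."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            cur = None                      # blank line ends the record
        elif cur is None:
            cur = {"timestamp": line.strip()}
            records.append(cur)
        elif " = " in line:
            key, value = line.strip().split(" = ", 1)
            cur[key] = value.strip('"')     # drop the quotes around string values
    return records

def check_roaming(records):
    """Per client MAC, list each AP change as (from_ap, to_ap, status, ok);
    ok is True only when Acct-Session-Id survived the move (Interim-Update)."""
    by_mac = defaultdict(list)
    for r in records:
        by_mac[r["Calling-Station-Id"]].append(r)
    return {mac: [(a["Fortinet-AP-Name"], b["Fortinet-AP-Name"], b["Acct-Status-Type"],
                   a["Acct-Session-Id"] == b["Acct-Session-Id"])
                  for a, b in zip(recs, recs[1:]) if a["Fortinet-AP-Name"] != b["Fortinet-AP-Name"]]
            for mac, recs in by_mac.items()}
```

Run it against a real detail file by replacing SAMPLE with the file's contents; any tuple whose last field is False marks a roam that would split the ISE session.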