New Features

Support RADIUS accounting interim update on roaming for WPA Enterprise security 7.4.2

This enhancement adds a CLI option to support accounting interim updates on SSIDs using RADIUS authentication with a WPA Enterprise security mode. This accounting message resolves compatibility issues with Cisco's Identity Services Engine (ISE) session stitching feature. When a Wi-Fi station roams between FortiAPs, the FortiGate creates an "Interim-Update" accounting message with the same "Acct-Session-Id" value to avoid interrupting the ISE session.

CLI Changes:
config wireless-controller vap
    edit <name>
      set security wpa2-only-enterprise
      set roaming-acct-interim-update enable
    next
end

Note that roaming-acct-interim-update can only be enabled when the security mode is set to a WPA Enterprise type.

Example Topology:

To enable roaming account interim updates - CLI:
  1. Create a RADIUS server with an accounting server:

    config user radius
      edit "peap"
        set server "172.18.56.104"
        set secret ENC
        set nas-ip 192.168.1.10
        set nas-id-type custom
        set nas-id "FWF-61F-AUTH"
        set acct-interim-interval 300
        set radius-coa enable
        set password-renewal disable
        config accounting-server
          edit 1
            set status enable
            set server "172.18.56.104"
            set secret ENC
          next
        end
      next
    end
  2. Create a WPA2-Enterprise SSID with the authentication method set to RADIUS and the RADIUS server set to the one configured in step 1 (peap).

    config wireless-controller vap
      edit "wifi4"
        set ssid "FOS_61F_ENT"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "peap"
        set schedule "always"
      next
    end
  3. Enable roaming-acct-interim-update.

    config wireless-controller vap
      edit "wifi4"
        set ssid "FOS_61F_ENT"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "peap"
        set schedule "always"
        set roaming-acct-interim-update enable
      next
    end
  4. Apply this SSID to the FortiAPs you want to roam between.

To verify that roaming account interim updates are successful:
  1. Connect a Wi-Fi client to one FortiAP (FAP23JF) and check that the Acct-Status-Type is Start. Take note of the Acct-Session-Id value (653FE2DC00000003).

    Mon Oct 30 10:17:45 2023
    Acct-Status-Type = Start
    Acct-Authentic = RADIUS
    User-Name = "tester"
    NAS-IP-Address = 192.168.1.10
    NAS-Identifier = "FWF-61F-AUTH"
    Called-Station-Id = "E0-23-FF-B2-15-48:FOS_61F_ENT"
    NAS-Port-Type = Wireless-802.11
    Service-Type = Framed-User
    NAS-Port = 1
    Fortinet-SSID = "FOS_61F_ENT"
    Fortinet-AP-Name = "FP23JFTF20000015"
    Calling-Station-Id = "5C-1B-F4-89-F4-36"
    Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AX_5G"
    Acct-Session-Id = "653FE2DC00000003"
  2. Let the Wi-Fi client roam to a different FortiAP (FAP223E) and verify that the Acct-Status-Type is Interim-Update and that the Acct-Session-Id value remains the same as before (653FE2DC00000003).

    Mon Oct 30 10:36:37 2023
    Acct-Status-Type = Interim-Update
    Acct-Authentic = RADIUS
    User-Name = "tester"
    NAS-IP-Address = 192.168.1.10
    NAS-Identifier = "FWF-61F-AUTH"
    Called-Station-Id = "E8-1C-BA-9E-5D-98:FOS_61F_ENT"
    NAS-Port-Type = Wireless-802.11
    Service-Type = Framed-User
    NAS-Port = 1
    Fortinet-SSID = "FOS_61F_ENT"
    Fortinet-AP-Name = "DESK-223E"
    Calling-Station-Id = "5C-1B-F4-89-F4-36"
    Connect-Info = "CONNECT 0/0Mbps(Tx/Rx) 11AC"
    Acct-Session-Id = "653FE2DC00000003"
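
The two records above can be checked programmatically. The following is an added example, not Fortinet's code or tooling: it parses accounting attribute dumps in the layout shown, groups records by client MAC (Calling-Station-Id), and reports whether an AP change (a new Called-Station-Id) arrived as an Interim-Update that still carries the original Acct-Session-Id. The embedded sample is constructed from the page's two records.

```python
import re

# Constructed sample, built from the Start / Interim-Update pair shown on the page
# (same client MAC, two different APs, one unchanged Acct-Session-Id).
SAMPLE_LOG = """\
Mon Oct 30 10:17:45 2023
Acct-Status-Type = Start
Called-Station-Id = "E0-23-FF-B2-15-48:FOS_61F_ENT"
Fortinet-AP-Name = "FP23JFTF20000015"
Calling-Station-Id = "5C-1B-F4-89-F4-36"
Acct-Session-Id = "653FE2DC00000003"
Mon Oct 30 10:36:37 2023
Acct-Status-Type = Interim-Update
Called-Station-Id = "E8-1C-BA-9E-5D-98:FOS_61F_ENT"
Fortinet-AP-Name = "DESK-223E"
Calling-Station-Id = "5C-1B-F4-89-F4-36"
Acct-Session-Id = "653FE2DC00000003"
"""
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}$")
ATTR = re.compile(r'^([\w-]+) = "?([^"]*)"?$')

def parse_records(text):
    """Each timestamp line opens a record; 'Attr = value' lines fill it."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if TIMESTAMP.match(line):
            records.append({"timestamp": line})
        elif records and (m := ATTR.match(line)):
            records[-1][m.group(1)] = m.group(2)
    return records

def check_roaming(records):
    """Per client MAC: a roam (new Called-Station-Id) must arrive as an
    Interim-Update still carrying the first record's Acct-Session-Id."""
    by_mac = {}
    for r in records:
        by_mac.setdefault(r.get("Calling-Station-Id"), []).append(r)
    verdicts = {}
    for mac, recs in by_mac.items():
        start, verdict = recs[0], "no roam observed"
        for r in recs[1:]:
            if r.get("Called-Station-Id") == start.get("Called-Station-Id"):
                continue  # same AP: a periodic interim update, not a roam
            stitched = (r.get("Acct-Status-Type") == "Interim-Update"
                        and r.get("Acct-Session-Id") == start.get("Acct-Session-Id"))
            verdict = "stitched" if stitched else "session broken"
        verdicts[mac] = verdict
    return verdicts

if __name__ == "__main__":
    print(check_roaming(parse_records(SAMPLE_LOG)))
```

A roam that instead produced a second Start with a new Acct-Session-Id is reported as "session broken", which is the condition that interrupts ISE session stitching.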
