RADIUS Termination-Action AVP in wired and wireless scenarios
When authenticating with RADIUS in a wired or wireless scenario, the FortiGate can support proper handling of the Termination-Action AVP.
In a wired scenario, a hardware switch configured with 802.1X security authentication can read the Termination-Action attribute value from the RADIUS Access-Accept response. If the Termination-Action is 1, the FortiGate will initiate re-authentication when the session time has expired. During re-authentication, the port stays authorized. If the Termination-Action is 0, the session will be terminated.
In a wireless scenario, when a virtual AP is configured with WPA2-Enterprise security with RADIUS and has CoA enabled, it processes the RADIUS CoA request immediately upon receiving it and re-authenticates when the Termination-Action is 1.
Wired example
This example has a FortiGate configured with a hardware switch with two ports: port3 and port5. The hardware switch is enabled with 802.1X security and assigned to a RADIUS user group. Upon a successful authentication, the RADIUS server responds with an Access-Accept containing the authentication Session-Timeout and Termination-Action attributes. In this example, the Termination-Action value is 1, which informs the client to re-authenticate when the session time expires. During this time, the FortiGate keeps the client/port authorized while it initiates the re-authentication with the RADIUS server.
The message exchange is as follows:
To configure the RADIUS server and the FortiGate to handle the Termination-Action AVP:
- On the RADIUS server, configure the Termination-Action AVP with the value
RADIUS-Request (1)
to indicate that re-authentication should occur upon expiration of the Session-Time. - On the FortiGate, configure the RADIUS server:
config user radius edit "rad1" set server "172.18.60.203" set secret ENC ********** set radius-coa enable config accounting-server edit 1 set status enable set server "172.18.60.203" set secret ENC ********** next end next end
- Configure the RADIUS user group:
config user group edit "group_radius" set member "rad1" next end
- Configure the hardware switch with 802.1X enabled.
- Configure the virtual switch settings:
config system virtual-switch edit hw2 set physical-switch "sw0" config port edit port3 next edit port5 next end next end
- Configure the interface settings:
config system interface edit hw2 set vdom vdom1 set ip 6.6.6.1 255.255.255.0 set allowaccess ping https ssh set stp enable set security-mode 802.1X set security-groups "group_radius" next end WARNING: Changing 802.1X could interrupt network connectivity on affected interfaces. Do you want to continue? (y/n)y
- Configure the virtual switch settings:
- On the client device, initiate 802.1X authentication, then verify that the switch port shows as authorized:
# diagnose sys 802-1x status Virtual switch 'hw2' (default mode) 802.1x member status: port3: Link up, 802.1X state: unauthorized port5: Link up, 802.1X state: authorized
- After successful authentication, wait for the session to timeout.
- The FortiGate will keep the 802.1X port authenticated, and initiate re-authentication with the same Acct-Session-Id to the RADIUS server. The 802.1X status of the port remains unchanged:
# diagnose sys 802-1x status Virtual switch 'hw2' (default mode) 802.1x member status: port3: Link up, 802.1X state: unauthorized port5: Link up, 802.1X state: authorized
Wireless example
In this example, a virtual AP is configured with WPA2-Enterprise security with RADIUS and has CoA enabled. After a wireless user authenticates and connects to the wireless SSID, the RADIUS server triggers a CoA event with AVPs Session-timeout and a Termination-Action of 1. This signals the FortiGate to trigger re-authentication of the client, which the client immediately performs to stay connected to the wireless SSID.
The message exchange is as follows:
To configure the FortiGate to handle the Termination-Action AVP:
- Configure the RADIUS server:
config user radius edit "peap" set server "172.16.200.55" set secret ********** set radius-coa enable next end
- Configure the VAP:
config wireless-controller vap edit "wifi" set ssid "FWF-60F-coa" set security wpa2-only-enterprise set auth radius set radius-server "peap" set schedule "always" next end
- Verify that the wireless station connects to the SSID:
# diagnose wireless-controller wlac -d sta online vf=0 wtp=1 rId=1 wlan=wifi vlan_id=0 ip=10.10.80.2 ip6=:: mac=**:**:**:**:**:** vci= host=wifi-qa-01 user=test1 group=group1 signal=-28 noise=-95 idle=1 bw=0 use=6 chan=149 radio_type=11AC security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2
- From the RADIUS server, manually trigger a RADIUS CoA event.
- RADIUS CoA sent to the FortiGate:
Sent CoA-Request Id 7 from 0.0.0.0:54158 to 172.16.200.201:3799 length 39 User-Name = "test1" Session-Timeout = 120 Termination-Action = RADIUS-Request
- RADIUS CoA-ACK received from the FortiGate:
Received CoA-ACK Id 7 from 172.16.200.201:3799 to 0.0.0.0:0 length 44 Event-Timestamp = "Jan 5 2022 14:43:12 PST" Message-Authenticator = 0x3311ba3b763d68da653ab34351b0308
- RADIUS CoA sent to the FortiGate:
- On the wireless station console, verify that the re-authentication happens immediately:
root@wifi-qa-01:/home/wpa-test# wlan1: CTRL-EVENT-EAP-STARTED EAP authentication started wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 wlan1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed wlan1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully wlan1: PMKSA-CACHE-REMOVED **:**:**:**:**:** 0 wlan1: PMKSA-CACHE-ADDED **:**:**:**:**:** 0 wlan1: WPA: Key negotiation completed with **:**:**:**:**:** [PTK=CCMP GTK=CCMP]