Fortinet FortiGate
The Fortinet adapter uses standard RADIUS Change of Authorization (CoA) and Disconnect-Message (DM) per RFC 5176 to terminate guest WiFi sessions. FortiGate firewalls have generally good RFC 5176 compliance.
Prerequisites
- FortiOS 6.4 or later.
- A RADIUS CoA shared secret configured on the FortiGate (can differ from the RADIUS authentication secret).
- UDP port 3799 open from the Atrium Agent to the FortiGate.
FortiGate configuration
- Enable CoA on the RADIUS server entry: In FortiOS, navigate to User & Authentication → RADIUS Servers. On the entry that points to the Atrium Agent, enable CoA and set the CoA secret.
- Ensure the FortiGate accepts CoA/DM on port 3799: This is typically enabled by default when CoA is configured on the RADIUS server entry. Verify with:
  diagnose test authserver radius-coa status
- Configure Accounting: Ensure the guest WiFi policy sends RADIUS Accounting to the Atrium Agent (port 1813). The Agent needs Accounting data for IP-to-session mapping, which is required for targeted session termination.
Agent configuration
| Variable | Value |
|---|---|
| FIREWALL_ADAPTER | fortinet |
| FIREWALL_HOST | IP of the FortiGate |
| FIREWALL_COA_SECRET | The CoA shared secret configured on the FortiGate |
| FIREWALL_COA_PORT | 3799 (default) |
How termination works
When a visit ends, the adapter sends a RADIUS Disconnect-Message to the FortiGate containing the session identifiers (Acct-Session-Id, User-Name, NAS-IP-Address). The FortiGate terminates the matching session and responds with a Disconnect-ACK.
If the FortiGate cannot find the session (already timed out, or session identifiers don't match), it responds with a Disconnect-NAK. This is logged as a termination failure but is usually benign — the session is already gone.
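The Disconnect-Message exchange described above, as an added Python example (not Atrium Agent or Fortinet code) that follows the RFC 5176 authenticator rules: it builds a Disconnect-Request carrying the three session identifiers and authenticates the ACK/NAK before trusting it. The function names, the `simulate_reply` stand-in for the NAS side, and the presence of an Error-Cause attribute in a NAK are assumptions of this example.

```python
import hashlib, hmac, socket, struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 codes
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID, ERROR_CAUSE = 1, 4, 44, 101

def _attr(attr_type, value):
    # RADIUS attribute: type (1 octet), length incl. header (1 octet), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(identifier, secret, user_name, nas_ip, acct_session_id):
    attrs = (_attr(USER_NAME, user_name.encode())
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(ACCT_SESSION_ID, acct_session_id.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def simulate_reply(request, secret, code, error_cause=None):
    """Constructed stand-in for the NAS side, used only to exercise parse_reply()."""
    attrs = _attr(ERROR_CAUSE, struct.pack("!I", error_cause)) if error_cause else b""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(header + Request Authenticator + attributes + secret)
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def parse_reply(reply, request, secret):
    """Return (code, error_cause); raise ValueError if the reply cannot be trusted."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        raise ValueError("length or identifier mismatch")
    attrs = reply[20:]
    expected = hashlib.md5(reply[:4] + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    error_cause, pos = None, 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("malformed attribute")
        if a_type == ERROR_CAUSE and a_len == 6:
            error_cause = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
        pos += a_len
    return code, error_cause
```

A reply that fails the authenticator check should be counted as a termination failure rather than as a Disconnect-ACK, since the Response Authenticator is the only evidence that the reply came from a holder of the CoA secret.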
Troubleshooting
| Issue | Possible cause |
|---|---|
| No response to DM | Port 3799 blocked between Agent and FortiGate, or CoA not enabled. |
| Disconnect-NAK | Session identifiers don't match. Verify RADIUS Accounting is configured and the Agent has the session's Acct-Session-Id. |
| CoA secret mismatch | The shared secret on the Agent doesn't match the FortiGate. DM messages are silently dropped. |
| Session persists after DM-ACK | FortiGate acknowledged the disconnect but the session remains. Check FortiOS session table (diag sys session list). May require a firmware update. |