Skip to main content

Fortinet FortiGate

The Fortinet adapter uses standard RADIUS Change of Authorization (CoA) and Disconnect-Message (DM) per RFC 5176 to terminate guest WiFi sessions. FortiGate firewalls have generally good RFC 5176 compliance.

Prerequisites

  • FortiOS 6.4 or later.
  • A RADIUS CoA shared secret configured on the FortiGate (can differ from the RADIUS authentication secret).
  • UDP port 3799 open from the Atrium Agent to the FortiGate.

FortiGate configuration

  1. Enable CoA on the RADIUS server entry: In FortiOS, navigate to User & Authentication → RADIUS Servers. On the entry that points to the Atrium Agent, enable CoA and set the CoA secret.

  2. Ensure the FortiGate accepts CoA/DM on port 3799: This is typically enabled by default when CoA is configured on the RADIUS server entry. Verify with:

    diagnose test authserver radius-coa status

  3. Configure Accounting: Ensure the guest WiFi policy sends RADIUS Accounting to the Atrium Agent (port 1813). The Agent needs Accounting data for IP-to-session mapping, which is required for targeted session termination.

Agent configuration

VariableValue
FIREWALL_ADAPTERfortinet
FIREWALL_HOSTIP of the FortiGate
FIREWALL_COA_SECRETThe CoA shared secret configured on the FortiGate
FIREWALL_COA_PORT3799 (default)

How termination works

When a visit ends, the adapter sends a RADIUS Disconnect-Message to the FortiGate containing the session identifiers (Acct-Session-Id, User-Name, NAS-IP-Address). The FortiGate terminates the matching session and responds with a Disconnect-ACK.

If the FortiGate cannot find the session (already timed out, or session identifiers don't match), it responds with a Disconnect-NAK. This is logged as a termination failure but is usually benign — the session is already gone.

Troubleshooting

IssuePossible cause
No response to DMPort 3799 blocked between Agent and FortiGate, or CoA not enabled.
Disconnect-NAKSession identifiers don't match. Verify RADIUS Accounting is configured and the Agent has the session's Acct-Session-Id.
CoA secret mismatchThe shared secret on the Agent doesn't match the FortiGate. DM messages are silently dropped.
Session persists after DM-ACKFortiGate acknowledged the disconnect but the session remains. Check FortiOS session table (diag sys session list). May require a firmware update.