Firewall Adapters

When a visit ends in Atrium, the system doesn't just revoke the WiFi credentials — it actively terminates the visitor's live network sessions on the firewall. This is handled by firewall adapters: vendor-specific modules in the Atrium Agent that know how to communicate with each firewall type.

Why adapters exist

The industry standard for session termination is RFC 5176 — it defines two RADIUS messages for this purpose:

  • Change of Authorization (CoA) — Changes a session's attributes (e.g., move it to a quarantine VLAN).
  • Disconnect-Message (DM) — Terminates a session immediately.

In theory, every RFC 5176-compliant firewall should respond to CoA/DM the same way. In practice, vendor implementations differ significantly: some support DM but not CoA, some require additional vendor-specific attributes, some only support session termination via their proprietary REST API, and some have implementation quirks that require workarounds.

Atrium handles this by using an adapter pattern: a common interface for session termination, with a concrete implementation per firewall vendor that knows the specific protocol and quirks.

Supported firewalls

Vendor    | Model     | Termination method
Palo Alto | PAN-OS    | REST API (XML API)
Fortinet  | FortiGate | CoA/DM (RFC 5176)
Cisco     | ISE / WLC | CoA/DM (RFC 5176) with Cisco VSAs
Sophos    | XG / XGS  | REST API

Each vendor has a dedicated configuration page with setup instructions.

Best-effort termination

Session termination is inherently best-effort. Atrium sends the disconnect command and tracks the result, but it cannot guarantee the firewall will comply:

  • The firewall might be temporarily unreachable.
  • The CoA/DM message might be dropped (UDP is connectionless).
  • The firewall might acknowledge the message but not actually terminate the session.
  • The session might have already ended naturally.

When termination fails, Atrium:

  1. Logs the failure with details (adapter type, error, session information).
  2. Reports the failure to the admin dashboard.
  3. Does not retry automatically (a failed termination often indicates a configuration or connectivity issue that won't resolve on its own).

The visitor's credentials are revoked regardless — even if the active session persists, the visitor can't establish new connections. The session will eventually time out via the firewall's own session timeout.
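
The RFC 5176 Disconnect-Message exchange and the best-effort outcomes listed above, as an added example that is not Atrium's adapter code: it builds a Disconnect-Request, verifies the reply's Response Authenticator, and maps the result to an outcome string. The function names, the outcome labels, and the reading of Error-Cause 503 as "already ended" are assumptions of this example; `build_reply` only stands in for the firewall so the logic runs offline.

```python
import hashlib
import hmac
import struct
from typing import Optional

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 packet codes
USER_NAME, ACCT_SESSION_ID, ERROR_CAUSE = 1, 44, 101             # attribute types
SESSION_CONTEXT_NOT_FOUND = 503                                  # Error-Cause value

def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _packet(code: int, ident: int, seed: bytes, attrs: bytes, secret: bytes) -> bytes:
    # Authenticator = MD5(Code | Identifier | Length | seed | Attributes | secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + seed + attrs + secret).digest() + attrs

def build_disconnect_request(ident: int, user: str, session_id: str, secret: bytes) -> bytes:
    attrs = _attr(USER_NAME, user.encode()) + _attr(ACCT_SESSION_ID, session_id.encode())
    return _packet(DISCONNECT_REQUEST, ident, bytes(16), attrs, secret)  # seed: 16 zero octets

def build_reply(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    # Stand-in for the firewall (assumption): replies are seeded with the Request Authenticator.
    return _packet(code, request[1], request[4:20], attrs, secret)

def _error_cause(attrs: bytes) -> Optional[int]:
    i = 0
    while i + 2 <= len(attrs) and 2 <= attrs[i + 1] <= len(attrs) - i:
        if attrs[i] == ERROR_CAUSE and attrs[i + 1] == 6:
            return struct.unpack("!I", attrs[i + 2:i + 6])[0]
        i += attrs[i + 1]
    return None

def classify_reply(request: bytes, reply: Optional[bytes], secret: bytes) -> str:
    if reply is None:
        return "no-reply"  # datagram lost or firewall unreachable
    if len(reply) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if not 20 <= length <= len(reply) or ident != request[1]:
        return "malformed"
    reply = reply[:length]  # octets beyond Length are padding
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-authenticator"  # wrong shared secret or spoofed reply
    if code == DISCONNECT_NAK:
        cause = _error_cause(reply[20:])
        return "already-ended" if cause == SESSION_CONTEXT_NOT_FOUND else f"refused:{cause}"
    return "terminated" if code == DISCONNECT_ACK else "malformed"
```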

Configuring an adapter

Firewall adapter configuration is per site, set up during Agent deployment. The configuration includes:

  • Adapter type — Which vendor/protocol to use.
  • Firewall address — IP or hostname of the firewall management interface.
  • Credentials — API key (for REST APIs) or CoA shared secret (for RFC 5176).
  • Port — CoA/DM port (default: 3799) or API port.

See the vendor-specific pages for detailed configuration instructions.