Bypass the FortiGate Captive Portal 24-Hour Session Limit

What is a captive portal?

A captive portal is a web page, accessed with a web browser, that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing or log-in page, which may require authentication.

What is a session timeout?

Session timeout is a fairly popular option that needs to be used carefully. It determines how long a device may remain authenticated before it must authenticate again.

By default, the authentication timeout is set to 5 minutes.

Argus-fw# show full-configuration user setting

The authentication timeout can be changed globally to a maximum of 24 hours.

Argus-fw# config user setting
Argus-fw(setting) # set auth-timeout
<timeout_integer>   The auth time-out range is 1-1440 minutes (24 hours)
Argus-fw(setting) # end

Increase the session timeout above the 24-hour limit:

But what if you want your users to authenticate to the company's Wi-Fi only once every 3 days or once a week?

How do you actually bypass the 24-hour limit?

To bypass this limitation, you can set the authtimeout <timeout> value per group instead of globally.

In the group settings you can set the value between 1 and 43200 minutes (one minute to thirty days).

The default is 0, which makes the group use the global authentication timeout (24 hours).

To change the group settings:

Argus-fw # config user group
Argus-fw(group) # edit Guest-group
Argus-fw(Guest-group) # set authtimeout
<integer> The auth time-out range is 0-43200 minutes (0 = use global authtimeout value)
Argus-fw (Guest-group) # end

To view the changes:

Argus-fw $ config user group 

Argus-fw (group) $ get Guest\ Group 
name                : Guest Group
group-type          : firewall 
authtimeout         : 43200
auth-concurrent-override: disable 
http-digest-realm   : 
member              : "menit"

Now all you need to do is assign the group with the new settings to your Wi-Fi configuration.
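Because a group-level authtimeout silently overrides the global ceiling, it is worth checking which groups carry one when reviewing a firewall. The following is an added example, not part of the original post: it parses a saved configuration and lists groups whose authtimeout exceeds the 1440-minute global maximum. The sample text and the "Staff" and "Contractors" groups are constructed, and the layout assumes the usual edit/next/end form of "show user group" output.

```python
import re

GLOBAL_MAX_MINUTES = 1440  # global auth-timeout ceiling stated on the page

# Constructed sample in the layout of "show user group" output (assumed, not from a real device)
SAMPLE_CONFIG = """\
config user group
    edit "Guest-group"
        set authtimeout 43200
        set member "menit"
    next
    edit "Staff"
        set member "alice"
    next
    edit "Contractors"
        set authtimeout 600
    next
end
"""

def group_timeouts(config_text):
    """Return {group: authtimeout in minutes}; 0 means the group uses the global value."""
    groups, current, depth, in_groups = {}, None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            in_groups = in_groups or (depth == 1 and line == "config user group")
        elif line == "end":
            depth -= 1
            if depth == 0:
                in_groups = False
        elif in_groups and depth == 1:  # skip nested sub-tables inside a group
            if m := re.fullmatch(r'edit "?([^"]+)"?', line):
                current = m.group(1)
                groups[current] = 0  # no authtimeout line: default 0
            elif line == "next":
                current = None
            elif current and (m := re.fullmatch(r"set authtimeout (\d+)", line)):
                groups[current] = int(m.group(1))
    return groups

def long_lived_groups(config_text, limit=GLOBAL_MAX_MINUTES):
    """Groups whose override keeps users authenticated longer than `limit` minutes."""
    return {g: t for g, t in group_timeouts(config_text).items() if t > limit}

if __name__ == "__main__":
    for name, minutes in long_lived_groups(SAMPLE_CONFIG).items():
        print(f"{name}: authtimeout {minutes} min = {minutes / 1440:g} days")
```

Lower the limit argument to match your own re-authentication policy if it is stricter than 24 hours.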

Connect using your FortiGate VPN client with your Active Directory username and password.

Log in to your FW. Under User & Device, click on LDAP Servers.

Follow the image below and fill in with your domain and user details.

Test connectivity. If you filled in the fields correctly, you will get a Success popup.

Now create an Active Directory group on your AD server. In this example we will call it VPN.

We create this group so that only users who are members of it will be allowed to connect to the VPN.

After creating the VPN group and adding users to it, go back to the FW, create an SSLVPN group and assign to it the new VPN AD group that we just created.

Go to User Groups –> Add new group –> Give it a name –> Click on Add

Select your LDAP server and press OK.

After we created this group, let's add some users.

Last step: you can now connect with your AD username and password using your VPN client.