
Configuring FortiGate with FortiConnect as External Captive Portal

FortiConnect can be configured as the external captive portal for authenticated
internet access in a FortiGate deployment. This document covers the
configuration required on the FortiGate controller and on FortiConnect to
integrate the two.

This document describes the configuration for wireless guest access only. For
wired guest access, create a VLAN interface on the FortiGate, configure it to
use a captive portal following the same procedure described here, and present
that VLAN as the untagged/access VLAN on the switch ports that guest devices
connect to.

Before You Begin
Ensure the following prerequisites are fulfilled before configuring your setup.

• Connect to the FortiGate and verify that the access points are discovered by
  the controller and are operational in the Online state. Navigate to WiFi &
  Switch Controller > Managed FortiAPs.
• The FortiAP profile is created and applied to the access point on the
  FortiGate.
• The FortiConnect installation is complete.
• Valid PKI certificates are installed on FortiConnect to prevent certificate
  errors on client devices: guests are redirected to the portal over HTTPS, so
  the certificate must be issued for the FQDN used in the redirection URL and
  chain to a CA that guest devices already trust.
• Create an address object for FortiConnect.
• Create an address object for the DNS server hosting the FQDN for
  FortiConnect.

Configuring FortiGate
Complete these configurations in the FortiGate user interface.

Configuring the RADIUS Server

Navigate to User & Device > RADIUS Servers; click Create New and populate the
configuration page as per your network requirements. The following
configurations are mandatory:

• Name – A name for this RADIUS server entry, for example FortiConnect.
• Primary Server – The FQDN or IP address of FortiConnect.
• Secret – The shared secret used to communicate with FortiConnect. Use a long,
  random value and enter exactly the same secret on the FortiConnect RADIUS
  client (see Configuring FortiGate as the RADIUS client).
• NAS IP – The FortiGate interface IP address used to communicate with
  FortiConnect. FortiConnect identifies the FortiGate by this address, and the
  same address is embedded in the redirection URL (see Obtaining Captive Portal
  Steering Path), so note it down.

If RADIUS accounting is required, configure the server from the CLI:

    config user radius
        edit FortiConnect
            set server 10.1.10.5
            set secret xxxxxxxxxx
            set nas-ip X.X.X.X
            set acct-all-servers enable
            set acct-interim-interval <seconds>
        next
    end

where server is the FortiConnect IP address, secret is the shared secret,
nas-ip is the FortiGate interface IP used to communicate with FortiConnect,
acct-all-servers enable turns on RADIUS accounting, and acct-interim-interval
sets the time in seconds between interim accounting update messages.

Configuring the Remote Guest User Group
Create a new remote user group and assign FortiConnect as the authentication
platform.

Navigate to User & Device > User Groups; click Create New and populate the
configuration page as per your network requirements. The following
configurations are mandatory:

• Name – A unique name for the user group.
• Type – Select Firewall.
• Remote Groups – Click +Add and select the RADIUS server created in
  Configuring the RADIUS Server.

Configuring the Wireless Interface
Configure the SSID and captive portal authentication.

Navigate to WiFi & Switch Controller > SSID; click Create New and populate
the configuration page as per your network requirements. The following
configurations are mandatory:

• Interface Name – The name of the SSID interface.
• Type – Select WiFi SSID.
• Traffic Mode – Select Tunnel.
• IP/Network Mask – The IP address and netmask for the SSID interface.
• Enable DHCP Server and retain the default address range.

Configure the following WiFi Settings for the captive portal:

• SSID – The SSID broadcast to guests.
• Security Mode – Select Captive Portal as the security mode for the wireless
  interface.
• Portal Type – Select Authentication as the captive portal type.
• Authentication Portal – Select External. Complete the FortiConnect setup in
  Configuring FortiConnect before proceeding further, then enter the
  steering/redirection URL obtained from FortiConnect in one of the following
  formats. The FortiGate field does not accept the https:// prefix, so remove
  it:
  • <FortiConnect_FQDN>/portal/<FortiGate_NAS_IP>
    Example: connect.fortixpert.com/portal/10.1.10.1
  OR
  • <FortiConnect_IP>/portal/<FortiGate_NAS_IP>
    Example: 10.1.10.5/portal/10.1.10.1
  The trailing address is the NAS IP configured in Configuring the RADIUS
  Server. Prefer the FQDN form: the certificate on FortiConnect is issued for
  the FQDN, and redirecting guests to a bare IP address produces certificate
  warnings on their devices.
• User Groups – Select the permitted user groups for captive portal
  authentication; select the user group created in Configuring the Remote
  Guest User Group.
• Exempt Destinations/Devices – Add the FortiConnect address object and the DNS
  address object so that unauthenticated clients can resolve and reach the
  portal.

Configuring Outgoing Policies
Create an outbound IPv4 policy for guest portal access, and a second outbound
policy that grants internet access once the client has authenticated through
the captive portal.

Guest Portal Policy

Navigate to Policy & Objects > IPv4 Policy; click Create New and populate the
configuration page as per your network requirements. The following
configurations are mandatory:

• Name – The name of the policy.
• Incoming Interface – Select the SSID created in Configuring the Wireless
  Interface.
• Outgoing Interface – Select the interface facing FortiConnect.
• Source – Select all as the source of the initiating traffic.
• Destination – Select the DNS-Server and FortiConnect address objects.
• Service – Select DNS, HTTP and HTTPS.
• Disable NAT.

Log in to the FortiGate CLI console and run the following commands to exempt
this policy from captive portal authentication, so that unauthenticated clients
can reach the external FortiConnect captive portal page:

    config firewall policy
        edit <New Guest Portal Policy ID>
            set captive-portal-exempt enable
        next
    end

Because traffic matching this policy is never authenticated, keep its
destination limited to the FortiConnect and DNS address objects and its
services to DNS, HTTP and HTTPS; widening either gives unauthenticated guests
access to whatever else is added.

Internet Access Policy

Navigate to Policy & Objects > IPv4 Policy; click Create New and populate the
configuration page as per your network requirements. The following
configurations are mandatory:

• Name – The name of the policy.
• Incoming Interface – Select the SSID created in Configuring the Wireless
  Interface.
• Outgoing Interface – Select the interface facing the internet.
• Source – Select all and the user group created in Configuring the Remote
  Guest User Group as the source of the initiating traffic. Both must match, so
  only clients that have logged in through the captive portal, and therefore
  belong to the group, match this policy.
• Destination – Select all as the destination parameter.
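The GUI steps above can be expressed as one FortiOS CLI configuration, which is
also the form you would review or keep under version control. The block below is
an added example, not text from the original guide or from Fortinet. It reuses
the guide's FortiConnect address 10.1.10.5, NAS IP 10.1.10.1 and portal URL;
the DNS server 10.1.10.53, the inside interface "internal", the internet
interface "wan1", the RADIUS secret and the object, group, SSID and policy names
are assumptions. The SSID interface's own IP address and DHCP scope are set as
described in Configuring the Wireless Interface, and the SSID must still be
added to the radios of the FortiAP profile; neither is shown here. One setting
that is not in the guide is intra-vap-privacy, which stops guests on the SSID
from talking to each other.

```fortios
# FortiOS CLI, FortiGate side. Added example; 10.1.10.5 and 10.1.10.1 come
# from the guide, everything else (DNS 10.1.10.53, "internal", "wan1", names,
# secret) is assumed.

# Address objects referenced by the exempt list and the guest-portal policy
config firewall address
    edit "FortiConnect"
        set subnet 10.1.10.5 255.255.255.255
    next
    edit "DNS-Server"
        set subnet 10.1.10.53 255.255.255.255
    next
end

# FortiConnect as RADIUS server, accounting enabled, interim updates every 10 min
config user radius
    edit "FortiConnect"
        set server "10.1.10.5"
        set secret "ReplaceWithALongRandomSecret"
        set nas-ip 10.1.10.1
        set acct-all-servers enable
        set acct-interim-interval 600
    next
end

# Firewall user group whose members are authenticated by that RADIUS server
config user group
    edit "Guest-Users"
        set member "FortiConnect"
    next
end

# Destinations an unauthenticated client may reach: the portal and its DNS
config user security-exempt-list
    edit "Guest-Portal-Exempt"
        config rule
            edit 1
                set dstaddr "FortiConnect" "DNS-Server"
                set service "DNS" "HTTP" "HTTPS"
            next
        end
    next
end

# Tunnel-mode SSID with the external portal; external-web has no https:// prefix.
# intra-vap-privacy is not in the guide: it blocks guest-to-guest traffic.
config wireless-controller vap
    edit "guest-wifi"
        set ssid "Guest"
        set local-bridging disable
        set security captive-portal
        set portal-type auth
        set external-web "connect.fortixpert.com/portal/10.1.10.1"
        set selected-usergroups "Guest-Users"
        set security-exempt-list "Guest-Portal-Exempt"
        set intra-vap-privacy enable
    next
end

# Policy 1: pre-authentication reach to the portal only (captive-portal-exempt).
# Policy 2: internet for clients that match the group, i.e. have logged in.
config firewall policy
    edit 0
        set name "Guest-Portal"
        set srcintf "guest-wifi"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "FortiConnect" "DNS-Server"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set nat disable
        set captive-portal-exempt enable
    next
    edit 0
        set name "Guest-Internet"
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set groups "Guest-Users"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

edit 0 creates each policy with the next free ID. If FortiConnect is reached
through the same outgoing interface as the internet, Guest-Portal must sit above
Guest-Internet in the policy list so that pre-authentication portal traffic
matches it first. Guest-Internet carries both srcaddr all and groups
Guest-Users, which FortiOS evaluates together, so a client matches it only once
the portal login has created an authenticated user session for its IP address.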

Configuring FortiConnect
Log in to the FortiConnect administration portal using the FortiConnect IP
address or FQDN: https://[FortiConnect FQDN]/admin or
https://[FortiConnect IP address]/admin

Configuring FortiGate as the RADIUS client

Navigate to Devices > RADIUS Clients; click Add RADIUS Client and populate the
configuration page as per your network requirements. The following
configurations are mandatory:

• Name – The name of the FortiGate appliance.
• Device IP Address – The FortiGate IP address that communicates with
  FortiConnect, that is, the NAS IP configured in Configuring the RADIUS
  Server. FortiConnect matches incoming RADIUS requests to this client entry by
  source address.
• Secret – The same shared secret configured for the RADIUS server on the
  FortiGate.
• Type – Select FortiGate.
• Change of Authorization – Select Use CoA and Proxy CoA.

Obtaining Captive Portal Steering Path
Navigate to Guest Portals > Portals and modify the Default login portal
settings as per your requirements.

On the Portal Policy > Redirection page, click Next to obtain the
steering/redirection URL. The redirection URL is the external address of the
captive portal and has the format
https://[FORTICONNECT FQDN]/portal/login/[NAS-IP address].

Examples
• https://connect.fortixpert.com/portal/login/10.1.10.1
OR
• https://connect.fortixpert.com/portal/10.1.10.1

• An FQDN and a valid PKI web server certificate issued for that FQDN must be
  implemented on FortiConnect to avoid certificate errors when user devices are
  redirected to the captive portal.
• The redirection path includes the specific portal name (login in the example
  above). If you have multiple portals configured and want to use rules to
  direct users to different portals, remove the portal name from the
  redirection URL, that is, use https://connect.fortixpert.com/portal/10.1.10.1.

Configuring Authentication Server
FortiConnect can be used as the user database. Users can be provisioned through
the Sponsor Portal (https://connect.fortixpert.com/sponsor) or self-provisioned
by a guest, the latter only if the Guest Portal is configured to allow it.

Alternatively, a third-party user database can be used. To do so, navigate to
Network Access Policy > Authentication Policy, click Add Server, select an
authentication server type and follow the wizard through to completion.

Validating User Access
To test and validate the setup, connect to the guest WiFi network from a
wireless-enabled device; the guest portal should load within seconds.

1. [If using guest self-sign-on] Complete the Self Service section and click
   Generate Account. Note down the login details.
2. [If using guest self-sign-on] Click the login button to return to the portal
   login screen and enter the login details. You should now be on the guest
   Wi-Fi network with access to the internet.

In the FortiGate GUI, navigate to Log & Report > Monitor > Firewall User Monitor
and verify that the guest has logged in.

You can also monitor the user at Log & Report > Monitor > WiFi Client Monitor.
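The checks below validate the same flow from the FortiGate CLI and are added
here as an example; they are not part of the original guide. The RADIUS server
name FortiConnect and its address 10.1.10.5 follow the guide; the test account
guest1 / guest1pass is an assumption (create it through the Sponsor Portal
first).

```fortios
# FortiOS CLI, run on the FortiGate. Added example. "FortiConnect" and
# 10.1.10.5 follow the guide; the account guest1 / guest1pass is assumed.

# 1. RADIUS path first: a wrong shared secret or NAS IP shows up here before
#    Wi-Fi is involved. The command should report that authentication succeeded.
diagnose test authserver radius FortiConnect pap guest1 guest1pass

# 2. Trace the authentication daemon while the guest submits the portal form,
#    then switch the debug off again (it is verbose and stays on until disabled).
diagnose debug application fnbamd -1
diagnose debug enable
#    ... guest logs in through the portal ...
diagnose debug disable
diagnose debug reset

# 3. The station is associated to the guest VAP and has a DHCP address
diagnose wireless-controller wlac -c sta

# 4. An authenticated firewall user exists for that IP in the guest group; this
#    is the entry the internet access policy matches on. No entry here means the
#    login never completed on the FortiGate: recheck steps 1 and 5.
diagnose firewall auth list

# 5. RADIUS on the wire: Access-Request/Accept on 1812, Accounting-Start and
#    interim updates (acct-interim-interval) on 1813; stop after 20 packets
diagnose sniffer packet any 'host 10.1.10.5 and (port 1812 or port 1813)' 4 20

# 6. Lab only: drop all authenticated users and confirm the client is sent back
#    to the portal on its next HTTP request
diagnose firewall auth clear
```

Run step 1 before anything else: it exercises only the RADIUS client
configuration on both sides, so a failure there rules out the SSID and policy
configuration as the cause. Step 6 clears every authenticated user on the
unit, not just the test guest, so do not run it on a production FortiGate.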
