Configuring FortiGate with FortiConnect as External Captive Portal
1
FortiConnect can be configured as the external captive portal for authenticated internet access in a FortiGate deployment. This document focuses on the configurations required on the FortiGate controller and FortiConnect to form a seamless conjunction.
This document describes configurations ONLY for wireless guest access. For wired guest access, you need to create a VLAN interface on your FortiGate and configure it to use a Captive Portal as per the procedure described in this document and have that wired VLAN available as an untagged/access VLAN on the guest device switch port.
2
Before You Begin Ensure the following pre-requisites are fulfilled prior to configuring your setup.
Connect to the FortiGate and verify that the access points are discovered by the Controller and are operational in the Online state. Navigate to WiFi & Switch Controller > Managed FortiAPs.
The FortiAP profile is created and applied to the access point on the FortiGate. The FortiConnect setup is installed and complete. Valid PKI certificates are installed to prevent certificate errors on client devices. Create an address object for FortiConnect.
Create an address object for your DNS server hosting the FQDN for FortiConnect.
3
4
Configuring FortiGate Complete these configurations on the FortiGate user interface.
Configuring the RADIUS Server Navigate to User & Device > RADIUS Servers; click Create New and populate the configuration page as per your network requirements. The following configurations are mandatory:
Name – Specify the name of the FortiConnect. NAS IP – Specify the FortiGate interface IP address used to communicate with FortiConnect. If RADIUS accounting is required, use the following commands: config user radius edit FortiConnect set server 10.1.10.5
5
6
Configuring the Remote Guest User Group Create a new remote user group and assign FortiConnect as the authentication platform.
Navigate to User & Device > User Groups; click Create New and populate the configuration page as per your network requirements. The following configurations are mandatory:
Name- A unique name for the user group.
Type – Select Firewall for authentication.
Remote Groups - Click +Add and select RADIUS server created in Configuring the RADIUS Server.
7
Configuring the Wireless Interface Configure SSID and Captive Portal authentication.
Navigate to WiFi & Switch Controller > SSID; click Create New and populate the configuration page as per your network requirements. The following configurations are mandatory:
Interface Name – Specify the name of the SSID interface.
Type – Select WiFi SSID.
Traffic Mode – Select Tunnel.
IP/Network Mask – Specify the IP address and netmask for the SSID.
Enable DHCP Server and retain the default address range.
Configure the following WiFi Settings for the captive portal. SSID - Specify the SSID. Security Mode - Select the Captive Portal security mode for the wireless interface. 8
Portal Type - Select Authentication as the captive portal type. Authentication Portal – Complete the FortiConnect setup in Configuring FortiConnect before proceeding further.
Specify the FQDN or IP address of the FortiConnect. Enter the steering/redirection URL obtained from FortiConnect in the following formats: connect.fortixpert.com/portal/
OR
The external portal URL requires you to remove the https:// prefix. User Groups - Select permitted user groups for captive portal authentication; select the user group created in Configuring the Remote Guest User Group. Exempt Destinations/Devices – Specify FortiConnect address object and the DNS service.
9
Configuring Outgoing Policies Create an outbound IPV4 policy for Guest Portal access. Create another outbound access to the internet once authenticated via the Captive Portal
Guest Portal Policy Navigate to Policies & Object > IPv4 Policy; click Create New and populate the configuration page as per your network requirements. The following configurations are mandatory:
Name - Specify the name of the policy.
Incoming Interface - Select the SSID created in Configuring the Wireless Interface.
Outgoing interface - Select the interface facing FortiConnect.
Source - Select all as the source of the initiating traffic.
Destination - Select the DNS-Server and FortiConnect address objects.
Service - Select DNS, HTTP and HTTPS.
Disable NAT.
10
Login into the FortiGate CLI console and run the following commands to allow access to the external FortiConnect Captive Portal page.
config firewall policy edit
Internet Access Policy Navigate to Policies & Object > IPv4 Policy; click Create New and populate the configuration page as per your network requirements. The following configurations are mandatory:
Name - Specify the name of the policy.
Incoming Interface - Select the SSID created in Configuring the Wireless Interface.
Outgoing interface - Select the interface facing the internet.
Source - Select all and the user group created in Configuring the Remote Guest User Group as the source of the initiating traffic.
Destination - Select All as the destination parameter.
11
Configuring FortiConnect Login into the FortiConnect portal using the FortiConnect IP address or FQDN - https://[FortiConnect FQDN]/admin OR https://[FortiConnect IP address]/admin
Configuring FortiGate as the RADIUS client Navigate to Devices > RADIUS Clients; click Add RADIUS Client and populate the configuration page as per your network requirements. The following configurations are mandatory:
Name – Specify the name of the FortiGate appliance.
Device IP Address – Specify the FortiGate IP address (Guest address that communicates with FortiGate).
Secret – Specify the same shared secret configured for the RADIUS server on FortiGate.
Type – Select FortiGate.
Change of Authorization – Select Use CoA and Proxy CoA.
12
Obtaining Captive Portal Steering Path Navigate to Guest Portals > Portals and modify the Default login portal settings to as per your requirements.
On the Portal Policy > Redirection page, click Next to obtain the steering/redirection URL. The redirection URL is the external address for the captive portal and is available in the format - https://[FORTICONNECT FQDN]/portal/login/[NAS-IP address].
Examples https://connect.fortixpert.com/portal/login/10.1.10.1 OR https://connect.fortixpert.com/portal/10.1.10.1
An FQDN and a valid PKI web server certificate must be implemented on FortiConnect to avoid certificate errors when user devices connect to the Captive Portal. The redirection path includes the specific portal name. If you have multiple portals configured and want to use rules to direct users to different portals. You need to remove the specific portal name from the redirection URL, that is, https://connect.fortixpert.com/portal/10.0.1.20.
13
Configuring Authentication Server FortiConnect can be used as a user database. Users can be provisioned through the Sponsor Portal (https://connect.fortixpert.com/sponsor) or self-provisioned by a guest only if the Guest Portal is configured to support this functionality.
Alternatively, a third party user database can be selected. To use a third party user database, navigate to Network Access Policy > Authentication Policy and click on Add Server, select an authentication server type and follow the wizard through to completion.
14
Validating User Access To test and validate the success of the setup connect to the guest WiFi network from a wireless enabled device; the guest portal should load within seconds.
1. [If using guest self-sign-on] Update the Self Service section and click Generate Account. Note down your login details. 2. [If using guest self-sign-on] Click the login button to go back to the portal Login screen, enter your login details and you should now be on the guest Wi-Fi network and have access to the internet.
In the FortiGate GUI, navigate to Log & Report > Monitor > Firewall User Monitor and verify that the guest has logged in.
You can also monitor the user at Log & Report > Monitor > WiFi Client Monitor.
15