In this example, wireless users are redirected to a captive portal web page (no matter what URL they enter) that requires them to authenticate before they can access the Internet. The portal page can also contain links to local information such as legal notices, terms of service and so on. The restricted set of destinations that unauthenticated users can reach is sometimes called a “walled garden”.
The web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a POST message to `https://<FGT_IP>:1000/fgtauth` with the data `magic=session_id&username=<username>&password=<password>`. (The magic value was provided in the initial FortiGate request to the web server.) The script used for this example is here.
A RADIUS server provides authentication.
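The following is an added example of such a portal page, written for this article; it is not the script the recipe links to or any Fortinet code. It assumes a FortiGate at the documentation address 192.0.2.1 (change `FGT_IP`), that the FortiGate redirect carries the session `magic` as a query parameter, and that an optional `login` parameter may name the auth URL. The two checks a practitioner wants are included: the page refuses to build a form that would post credentials anywhere but the HTTPS `fgtauth` endpoint on the FortiGate, and everything taken from the query string is HTML-escaped so a crafted redirect cannot inject markup into the portal.

```python
"""Minimal external captive-portal page for a FortiGate walled garden.

Added example, not the Fortinet Cookbook script. Assumptions, labelled:
  * FGT_IP is the FortiGate address the wireless clients reach.
  * The FortiGate redirect carries the session ``magic`` as a query
    parameter; a ``login`` parameter naming the auth URL is optional.
  * MAGIC_RE describes the token charset (treated as an opaque alnum token).
"""
import html
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

FGT_IP = "192.0.2.1"                              # assumption: documentation address
FGTAUTH_URL = f"https://{FGT_IP}:1000/fgtauth"    # POST target given in the recipe
MAGIC_RE = re.compile(r"[0-9A-Za-z]{1,64}")       # assumption: opaque token charset


def parse_redirect(query: str) -> dict:
    """Extract the FortiGate-supplied parameters from the redirect query string.

    Rejects a missing or malformed ``magic`` so the portal never renders a
    form for a request that did not come through the FortiGate redirect, and
    refuses any ``login`` URL that is not the HTTPS fgtauth endpoint on the
    FortiGate (a tampered query string must not redirect credentials elsewhere).
    """
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    magic = params.get("magic", "")
    if not MAGIC_RE.fullmatch(magic):
        raise ValueError("missing or malformed magic parameter")
    login = params.get("login", FGTAUTH_URL)
    u = urlsplit(login)
    if u.scheme != "https" or u.hostname != FGT_IP or u.path != "/fgtauth":
        raise ValueError("refusing to post credentials anywhere but the FortiGate")
    return {"magic": magic, "login": login}


def build_login_form(magic: str, action: str) -> str:
    """Render the portal page; the browser POSTs the credentials to the FortiGate.

    Both values originate in the query string, so they are escaped before
    being placed in attributes.
    """
    return (
        "<!doctype html><html><body><h1>Guest WiFi</h1>"
        '<p><a href="/terms">Terms of service</a></p>'
        f'<form method="post" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="magic" value="{html.escape(magic, quote=True)}">'
        '<label>Username <input name="username" autocomplete="username"></label>'
        '<label>Password <input name="password" type="password"></label>'
        '<button type="submit">Log in</button></form></body></html>'
    )


def build_fgtauth_post(magic: str, username: str, password: str) -> str:
    """Body the FortiGate expects at /fgtauth: magic=...&username=...&password=..."""
    return urlencode([("magic", magic), ("username", username), ("password", password)])


class PortalHandler(BaseHTTPRequestHandler):
    """Serves the login form on any path and a static terms page on /terms."""

    def do_GET(self):
        url = urlsplit(self.path)
        if url.path == "/terms":
            body, status = b"<p>Use of this network is subject to the posted terms.</p>", 200
        else:
            try:
                p = parse_redirect(url.query)
                body, status = build_login_form(p["magic"], p["login"]).encode(), 200
            except ValueError as exc:
                body, status = f"<p>{html.escape(str(exc))}</p>".encode(), 400
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Put this host behind TLS and list its address in the walled-garden policy (step 4).
    HTTPServer(("0.0.0.0", 8080), PortalHandler).serve_forever()
```

The form posts straight from the browser to port 1000 on the FortiGate, so the credentials never pass through the portal host; the browser will warn about the FortiGate's certificate unless the clients trust it. The portal host itself must be reachable through the unauthenticated policy created in step 4.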
1. Add the RADIUS server

Go to User & Device > Authentication > RADIUS Servers. Define the connection to the RADIUS server.

Go to User & Device > User > User Groups. Define a firewall user group with the RADIUS server as its only member.
2. Enable HTTPS authentication

Use the CLI to enable HTTPS for authentication so that user credentials are not sent to the FortiGate in cleartext:

    config user setting
        set auth-secure-http enable
    end
3. Create the WiFi network

Go to WiFi Controller > WiFi Network > SSID to create the WiFi SSID.

Enable DHCP for clients.

Configure external captive portal security. Do not include “http://” or “https://” in the captive portal URL.
4. Create a “walled garden”

Go to Policy & Objects > Objects > Addresses and create an address for the captive portal.

Go to Policy & Objects > Policy > IPv4. Create a security policy for unauthenticated users that allows access only to the captive portal.

In the CLI, exempt that policy from the captive portal so that the user can make the initial contact with the external server before authenticating:

    config firewall policy
        edit <policy_id>
            set captive-portal-exempt enable
    end
5. Create the Internet access security policy

Go to Policy & Objects > Policy > IPv4. Create a policy that allows authenticated users (the RADIUS user group from step 1) access to the Internet.
6. Connect and authorize the FortiAP

Go to System > Network > Interface. Edit an unused interface, making it Dedicated to Extension Device. Connect the FortiAP to this interface and apply power. Go to WiFi Controller > Managed Devices > Managed FortiAPs. Select and authorize the FortiAP.

Go to WiFi Controller > WiFi Network > FortiAP Profiles. Edit the default profile for your FortiAP model. Enable your SSID for each radio.
Results

The WiFi network’s security shows as Open. The device can associate and is assigned an IP address.

On the first attempt to browse the Internet, the captive portal screen is displayed. After authentication, the browser can access Internet destinations.
The post Using an external captive portal for WiFi security appeared first on Fortinet Cookbook.