FortiGate

From Social ID Developers
Revision as of 18:19, 24 August 2022 by Francielli.ferreira (Talk | contribs)

This guide describes the configuration steps to enable an external captive portal on a FortiGate acting as wireless controller for FortiAP access points. The external portal is the CoffeeBean (Social ID) portal; the FortiGate redirects unauthenticated wireless clients to it and validates the login through RADIUS.


User & Device

RADIUS Server

Go to User & Device > RADIUS Servers and configure the following options:

  • Name: CoffeeBean-radius-server
  • Authentication Method: Specify
  • Method: PAP
  • IP/Name: the RADIUS server IP depends on your environment/region. Check the IP for your region on our Captive Portal Configuration page.
  • Primary Shared Secret: the shared secret provided by CoffeeBean

With PAP, the user credential travels inside the RADIUS exchange protected only by the shared secret, so use the secret exactly as provided (do not shorten it) and send the RADIUS traffic over a trusted path. After saving, use the Test Connectivity button to confirm the FortiGate can reach the server with that secret before continuing.

User Groups

Go to User & Device > User Groups to create a group with the following settings:

  • Name: CoffeeBean-user-group
  • Type: Firewall
  • Remote Groups: create a new entry and configure the following options:
      • Remote Server: CoffeeBean-radius-server
      • Group Name: any group name

SSID

Go to WiFi Controller > SSID, click Create New > SSID and configure the following settings:

  • Interface Name: CoffeeBean-guest-ssid
  • Type: WiFi SSID
  • Traffic Mode: Tunnel to Wireless Controller
  • Address: (e.g.: 192.168.30.1/255.255.255.0)
  • Restrict Access: RADIUS Accounting
  • DHCP Server: Enabled
  • SSID: (e.g.: CoffeeBean)
  • Security Mode: Captive Portal
  • Type: Authentication
  • Authentication Portal: External. Enter your captive portal URL (e.g.: https://wifi-staging.socialidnow.com/portals/<portal name>/auth)
  • User Groups: CoffeeBean-user-group
  • Broadcast SSID: Enabled
  • Block Intra-SSID Traffic: Enabled
  • Redirect after Captive Portal: enter your captive portal URL (e.g.: https://wifi-staging.socialidnow.com/portals/<portal name>)

Keep Block Intra-SSID Traffic enabled: guest clients on the same SSID have no reason to talk to each other, and blocking it stops a client from probing or attacking other guests on the subnet.

Policy & Objects

Addresses (Walled Garden)

Go to Policy & Objects > Addresses to set up the Walled Garden, i.e. the destinations an unauthenticated client must be able to reach so that the portal page and its login providers load. FQDN entries are recommended; if the controller does not accept FQDN entries, configure the IPs instead. Create one entry per host with the following options:

  • Name: any name that identifies what each IP or hostname is (e.g.: Facebook 1, Facebook 2)
  • Type: FQDN (recommended) or IP/Netmask
  • Subnet / IP Range or FQDN: the IPs or hostnames listed on the Captive Portal Configuration page (FQDN where available). Important: FQDN entries must be the complete hostname (subdomain + domain); a bare domain will not match the hosts the portal actually uses.
  • Show in Address List: checked
  • Static Route Configuration: unchecked

Address Group

Go to Addresses, click Create New > Address Group and configure the following options:

  • Category: IPv4 Group
  • Group Name: CoffeeBean-walled-garden
  • Members: click the "+" button and select all the addresses created in the previous step

IPv4 Policy

DNS Policy

Go to IPv4 Policy and click on Create New and configure the following options:

  • Name: DNS
  • Incoming Interface: CoffeeBean-guest-ssid
  • Outgoing Interface: <your WAN connection>
  • Source: all
  • Destination Address: all
  • Schedule: always
  • Service: DNS
  • Action: ACCEPT
  • NAT: enabled
  • Enable this policy: Active

This policy lets an unauthenticated client resolve names before it is redirected. Because its destination is "all", any guest can reach any DNS server on the Internet while still unauthenticated; if your environment allows it, narrow the destination to the resolvers handed out by the SSID's DHCP server, since an open DNS path is a common way to tunnel traffic past a captive portal.

Note the policy ID in the policy list and run the CLI commands below so that this policy applies before authentication:

config firewall policy
    edit <policy_id>
        set captive-portal-exempt enable
    next
end

Policy for Unauthenticated Users

Go to IPv4 Policy and click on Create New and configure the following options:

  • Name: CoffeeBean-unauth-policy
  • Incoming Interface: CoffeeBean-guest-ssid
  • Outgoing Interface: <your WAN connection>
  • Source: all
  • Destination Address: CoffeeBean-walled-garden
  • Schedule: always
  • Service: ALL
  • Action: ACCEPT
  • NAT: enabled
  • Enable this policy: Active

Note the policy ID in the policy list and run the CLI commands below so that the walled garden is reachable before authentication:

config firewall policy
    edit <policy_id>
        set captive-portal-exempt enable
    next
end

Policy for Authenticated Users

Go to Policy & Objects > Addresses and create a new address entry for the subnet configured on the SSID:

  • Name: CoffeeBean-ssid-address
  • Type: IP/Netmask
  • Subnet / IP Range: (e.g.: 192.168.30.0/255.255.255.0)
  • Interface: any

Go to IPv4 Policy, click Create New and configure the following options:

  • Name: CoffeeBean-auth-policy
  • Incoming Interface: CoffeeBean-guest-ssid
  • Outgoing Interface: <your WAN connection>
  • Source: select both CoffeeBean-ssid-address and CoffeeBean-user-group
  • Destination Address: all
  • Schedule: always
  • Service: ALL
  • Action: ACCEPT
  • NAT: enabled
  • Enable this policy: Active

Unlike the two previous policies, this one must not be marked captive-portal-exempt: the user group in its source is what forces the redirect to the portal, and only a client that has been authenticated against CoffeeBean-radius-server matches it. Place it below the DNS and unauthenticated policies in the list, and verify from a fresh client that a request to a host outside the walled garden is redirected to the portal URL before login and passes through after login.
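The GUI steps above can be applied in one pass from the FortiOS CLI. The block below is an added example and not part of the original page or of Fortinet's or Social ID's documentation: it assumes a RADIUS server at 203.0.113.10 (a documentation address), "wan1" as the WAN interface, "www.facebook.com" as a single walled-garden host, the group name "coffeebean", and the example subnet 192.168.30.0/24 used above; replace each with your own values. The DHCP server for the SSID is left to the GUI. Keyword names follow FortiOS 6.x/7.x and should be confirmed on your firmware with "show full-configuration" before pasting.

```fortios
# Added example (not from the page). Placeholders: 203.0.113.10, wan1,
# www.facebook.com, coffeebean, <shared secret>, <portal name>.
config user radius
    edit "CoffeeBean-radius-server"
        set server "203.0.113.10"
        set secret "<shared secret from CoffeeBean>"
        set auth-type pap
    next
end
config user group
    edit "CoffeeBean-user-group"
        set member "CoffeeBean-radius-server"
        config match
            edit 1
                set server-name "CoffeeBean-radius-server"
                set group-name "coffeebean"
            next
        end
    next
end
config wireless-controller vap
    edit "CoffeeBean-guest-ssid"
        set ssid "CoffeeBean"
        set broadcast-ssid enable
        set security captive-portal
        set portal-type auth
        set external-web "https://wifi-staging.socialidnow.com/portals/<portal name>/auth"
        set selected-usergroups "CoffeeBean-user-group"
        set intra-vap-privacy enable
        set security-redirect-url "https://wifi-staging.socialidnow.com/portals/<portal name>"
    next
end
config system interface
    edit "CoffeeBean-guest-ssid"
        set ip 192.168.30.1 255.255.255.0
    next
end
config firewall address
    edit "Facebook 1"
        set type fqdn
        set fqdn "www.facebook.com"
    next
    edit "CoffeeBean-ssid-address"
        set subnet 192.168.30.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "CoffeeBean-walled-garden"
        set member "Facebook 1"
    next
end
config firewall policy
    edit 0
        set name "DNS"
        set srcintf "CoffeeBean-guest-ssid"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
        set captive-portal-exempt enable
    next
    edit 0
        set name "CoffeeBean-unauth-policy"
        set srcintf "CoffeeBean-guest-ssid"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "CoffeeBean-walled-garden"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set captive-portal-exempt enable
    next
    edit 0
        set name "CoffeeBean-auth-policy"
        set srcintf "CoffeeBean-guest-ssid"
        set dstintf "wan1"
        set srcaddr "CoffeeBean-ssid-address"
        set groups "CoffeeBean-user-group"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

"edit 0" creates each policy with the next free ID, so the three policies land in list order (DNS, walled garden, authenticated), which is the order the captive portal needs: the two exempt policies are matched before the redirect, and the last one is reachable only by clients the RADIUS server has already authenticated into CoffeeBean-user-group.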

Policies Summary
