FortiGate 30E
This guide describes the configuration steps to enable an external captive portal on the FortiAP.
User & Device
RADIUS Server
Go to User & Device > RADIUS Servers and configure the following options:
- Name: CoffeeBean-radius-server
- Authentication Method: Specify
- Method: PAP
- IP/Name: The RADIUS IP depends on your environment/region; check the IP for your region on our Captive Portal Configuration Page
- Primary Shared Secret: Use the Shared Secret provided by CoffeeBean
User Groups
Go to User & Device > User Groups to create a group and configure the following options:
- Name: CoffeeBean-user-group
- Type: Firewall
- Remote groups: Create a new one and configure the following options:
- Remote Server: CoffeeBean-radius-server
- Group Name: insert any group name
SSID
Go to WiFi Controller > SSID, click on Create New > SSID and set up the following options:
- Interface Name: CoffeeBean-guest-ssid
- Type: WiFi SSID
- Traffic Mode: Tunnel to Wireless Controller
- Address: (e.g.: 192.168.30.1/255.255.255.0)
- Restrict Access: RADIUS Accounting
- DHCP Server: Enabled
- SSID: (e.g.: CoffeeBean)
- Security Mode: Captive Portal
- Type: Authentication
- Authentication Portal: External: Enter your captive portal URL (e.g.: https://wifi-staging.socialidnow.com/portals/<portal name>/auth)
- User Groups: CoffeeBean-user-group
- Broadcast SSID: Enabled
- Block Intra-SSID Traffic: Enabled
- Redirect after Captive Portal: Enter your captive portal URL (e.g.: https://wifi-staging.socialidnow.com/portals/<portal name>)
Policy & Objects
Addresses (Walled Garden)
Go to Policy & Objects > Addresses to set up the Walled Garden. For these entries it is recommended to use DNS names (FQDN). If the controller does not accept the recommended way (DNS), you can configure them using IPs instead. For each entry, configure the following options:
- Name: Input any name to control what does each IP or DNS means (e.g.: Facebook 1, Facebook 2)
- Type: FQDN (recommended) or IP/Netmask
- Subnet / IP range or FQDN: the IPs or DNS names listed in this page's documentation (use FQDN where the option is available). Important: FQDN entries must be complete hostnames (subdomain + domain).
- Show in Address List: checked
- Static Route Configuration: unchecked
Address Group
Go to Addresses and click on Create New > Address Group and configure the following options:
- Category: IPv4 Group
- Group Name: CoffeeBean-walled-garden
- Members: [click on “+” button and select all domains previously added]
IPv4 Policy
DNS Policy
Go to IPv4 Policy and click on Create New and configure the following options:
- Name: DNS
- Incoming Interface: CoffeeBean-guest-ssid
- Outgoing Interface: <your WAN connection>
- Source: all
- Destination Address: all
- Schedule: always
- Service: DNS
- Action: ACCEPT
- NAT: enabled
- Enable this policy: Active
Get the policy ID from the policies list and run the CLI command below:
config firewall policy
    edit <policy_id>
        set captive-portal-exempt enable
    next
end
Policy for Unauthenticated Users
Go to IPv4 Policy and click on Create New and configure the following options:
- Name: CoffeeBean-unauth-policy
- Incoming Interface: CoffeeBean-guest-ssid
- Outgoing Interface: <your WAN connection>
- Source: all
- Destination Address: CoffeeBean-walled-garden
- Schedule: always
- Service: ALL
- Action: ACCEPT
- NAT: enabled
- Enable this policy: Active
Get the policy ID from the policies list and run the CLI command below:
config firewall policy
    edit <policy_id>
        set captive-portal-exempt enable
    next
end
Policy for Authenticated Users
Go to Policy & Objects > Addresses and create a new address object for the subnet configured on the SSID:
- Name: CoffeeBean-ssid-address
- Type: IP/Netmask
- Subnet / IP Range: (e.g.: 192.168.30.0/255.255.255.0)
- Interface: any
Go to IPv4 Policy, click on Create New and configure the following options:
- Name: CoffeeBean-auth-policy
- Incoming Interface: CoffeeBean-guest-ssid
- Outgoing Interface: <your WAN connection>
- Source: select CoffeeBean-user-group and CoffeeBean-ssid-address
- Destination Address: all
- Schedule: always
- Service: ALL
- Action: ACCEPT
- NAT: enabled
- Enable this policy: Active
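The GUI steps above (RADIUS server, user group, walled-garden addresses and the three IPv4 policies) can also be entered at once from the FortiGate CLI. The following block is an added example written for this guide, not CoffeeBean's or Fortinet's own script; the object names are the ones used in the steps above, while every value in angle brackets (RADIUS IP, shared secret, RADIUS group name, WAN interface, walled-garden hostnames) is a placeholder you must replace with your own. The SSID itself is left to the WiFi Controller steps above and is not reproduced here.

```text
# Added example: FortiOS CLI equivalent of the GUI steps in this guide.
# Values in <angle brackets> are placeholders, not real configuration.

# User & Device > RADIUS Servers
config user radius
    edit "CoffeeBean-radius-server"
        set server "<radius-ip-for-your-region>"
        set secret <shared-secret-provided-by-CoffeeBean>
        set auth-type pap
    next
end

# User & Device > User Groups (firewall group with one remote RADIUS match)
config user group
    edit "CoffeeBean-user-group"
        set member "CoffeeBean-radius-server"
        config match
            edit 1
                set server-name "CoffeeBean-radius-server"
                set group-name "<any-group-name>"
            next
        end
    next
end

# Policy & Objects > Addresses: walled-garden entries (complete hostnames)
# and the address object for the guest SSID subnet
config firewall address
    edit "Facebook 1"
        set type fqdn
        set fqdn "<complete-hostname-from-the-walled-garden-list>"
        set allow-routing disable
    next
    edit "CoffeeBean-ssid-address"
        set type ipmask
        set subnet 192.168.30.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "CoffeeBean-walled-garden"
        set member "Facebook 1"
    next
end

# IPv4 policies. "edit 0" creates a new policy with the next free ID, so the
# captive-portal-exempt flag can be set in the same step instead of looking
# the ID up afterwards.
config firewall policy
    edit 0
        set name "DNS"
        set srcintf "CoffeeBean-guest-ssid"
        set dstintf "<your-wan-interface>"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
        set captive-portal-exempt enable
    next
    edit 0
        set name "CoffeeBean-unauth-policy"
        set srcintf "CoffeeBean-guest-ssid"
        set dstintf "<your-wan-interface>"
        set srcaddr "all"
        set dstaddr "CoffeeBean-walled-garden"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set captive-portal-exempt enable
    next
    edit 0
        set name "CoffeeBean-auth-policy"
        set srcintf "CoffeeBean-guest-ssid"
        set dstintf "<your-wan-interface>"
        set srcaddr "CoffeeBean-ssid-address"
        set groups "CoffeeBean-user-group"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Only the DNS policy and the walled-garden policy carry captive-portal-exempt: they are the traffic an unauthenticated client needs in order to resolve and reach the portal. The authenticated policy must not be exempt and must be restricted by the user group; without that restriction any client on the SSID would reach the Internet before logging in. Keep the walled garden limited to the hosts on CoffeeBean's list, since every address in that group is reachable without authentication.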