Fortinet black logo

FortiWiFi and FortiAP Cookbook

6.4.0

Deploying captive portal SSID to FortiAP units

Deploying captive portal SSID to FortiAP units

This topic provides simple configuration instructions for developing captive portal SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To deploy captive portal SSID to FortiAP units on the FortiWiFi and FortiAP GUI:
  1. Create a local user:
    1. Go to User & Device > User Definition, then click Create New.
    2. In the Users/Groups Creation Wizard, select Local User, then click Next.
    3. Enter the desired values in the Username and Password fields, then click Next.
    4. On the Contact Info tab, fill in any information as desired, then click Next. You do not need to configure any contact information for the user.
    5. On the Extra Info tab, set the User Account Status to Enabled.
    6. If the desired user group already exists, enable User Group, then select the desired user group.
    7. Click Submit.
  2. Create a user group:
    1. Go to User & Device > User Groups, then click Create New.
    2. Enter the desired group name.
    3. For Type, select Firewall.
    4. For Members, click the + button. In the dropdown list, select the local user created in step 1. Click OK.
    5. Click OK.
  3. Create a captive portal SSID:
    1. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Tunnel.
    3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
    4. In the SSID field, enter the desired SSID name. For Captive Portal, select Security.
    5. Configure the portal type as one of the following:
      1. For Portal Type, select Authentication. In the User Group dropdown list, select the user group created in step 2.
      2. For Portal Type, select Disclaimer + Authentication. In the User Group dropdown list, select the user group created in step 2.
      3. For Portal Type, select Disclaimer Only.
      4. To configure the portal type as email collection, go to System > Feature Visibility, and enable Email Collection, then select Email Collection for Portal Type.
    6. Click OK.
  4. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C. Do one of the following:
    1. Select the SSID by editing the FortiAP:
      1. Go to WiFi & Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
      2. Ensure that Managed AP Status is Connected.
      3. Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
      4. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
      5. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
      6. Click OK.
    2. Select the SSID by editing the FortiAP profile:
      1. Go to WiFi & Switch Controller > FortiAP Profile. Select the FAP320C-default profile, then click Edit.
      2. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
      3. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
      4. Click OK.
  5. Create the SSID-to-Internet firewall policy:
    1. Go to Policy & Objects > IPv4 Policy, then click Create New.
    2. Enter the desired policy name.
    3. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
    4. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
    5. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
    6. Click OK.
To deploy captive portal SSID to FortiAP units using the FortiWiFi and FortiAP CLI:
  1. Create a local user:

    config user local

    edit "local"

    set type password

    set passwd 123456

    next

    end

  2. Create a user group:

    config user group

    edit "group-local"

    set member "local"

    next

    end

  3. Create a captive portal SSID. Do one of the following:
    1. Create a captive portal SSID with portal type Authentication:

      config wireless-controller vap

      edit "wifi-vap"

      set ssid "Fortinet-Captive"

      set security captive-portal

      set portal-type auth

      set selected-usergroups "group-local"

      next

      end

    2. Create a captive portal SSID with portal type Disclaimer + Authentication:

      config wireless-controller vap

      edit "wifi-vap"

      set ssid "Fortinet-Captive"

      set security captive-portal

      set portal-type auth+disclaimer

      set selected-usergroups "group-local"

      next

      end

    3. Create a captive portal SSID with portal type Disclaimer Only:

      config wireless-controller vap

      edit "wifi-vap"

      set ssid "Fortinet-Captive"

      set security captive-portal

      set portal-type disclaimer

      next

      end

    4. Create a captive portal SSID with portal type Email Collection:

      config wireless-controller vap

      edit "wifi-vap"

      set ssid "Fortinet-Captive"

      set security captive-portal

      set portal-type email-collect

      next

      end

    5. Configure an IP address and enable DHCP:

      config system interface

      edit "wifi-vap"

      set ip 10.10.80.1 255.255.255.0

      next

      end

      config system dhcp server

      edit 1

      set dns-service default

      set default-gateway 10.10.80.1

      set netmask 255.255.255.0

      set interface "wifi-vap"

      config ip-range

      edit 1

      set start-ip 10.10.80.2

      set end-ip 10.10.80.254

      next

      end

      set timezone-option default

      next

      end

  4. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:

    config wireless-controller wtp

    edit "FP320C3X14000640"

    set admin enable

    set wtp-profile "FAP320C-default"

    next

    end

    config wireless-controller wtp-profile

    edit "FAP320C-default"

    config radio-1

    set vap-all disable

    set vaps "wifi-vap"

    end

    config radio-2

    set vap-all disable

    set vaps "wifi-vap"

    end

    next

    end

  5. Create the SSID-to-Internet firewall policy:

    config firewall policy

    edit 1

    set name "WiFi to Internet"

    set srcintf "wifi-vap"

    set dstintf "wan1"

    set srcaddr "all"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set service "ALL"

    set fsso disable

    set nat enable

    next

    end

Deploying captive portal SSID to FortiAP units

Deploying captive portal SSID to FortiAP units

This topic provides simple configuration instructions for developing captive portal SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To deploy captive portal SSID to FortiAP units on the FortiWiFi and FortiAP GUI:
  1. Create a local user:
    1. Go to User & Device > User Definition, then click Create New.
    2. In the Users/Groups Creation Wizard, select Local User, then click Next.
    3. Enter the desired values in the Username and Password fields, then click Next.
    4. On the Contact Info tab, fill in any information as desired, then click Next. You do not need to configure any contact information for the user.
    5. On the Extra Info tab, set the User Account Status to Enabled.
    6. If the desired user group already exists, enable User Group, then select the desired user group.
    7. Click Submit.
  2. Create a user group:
    1. Go to User & Device > User Groups, then click Create New.
    2. Enter the desired group name.
    3. For Type, select Firewall.
    4. For Members, click the + button. In the dropdown list, select the local user created in step 1. Click OK.
    5. Click OK.
  3. Create a captive portal SSID:
    1. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Tunnel.
    3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
    4. In the SSID field, enter the desired SSID name. For Captive Portal, select Security.
    5. Configure the portal type as one of the following:
      1. For Portal Type, select Authentication. In the User Group dropdown list, select the user group created in step 2.
      2. For Portal Type, select Disclaimer + Authentication. In the User Group dropdown list, select the user group created in step 2.
      3. For Portal Type, select Disclaimer Only.
      4. To configure the portal type as email collection, go to System > Feature Visibility, and enable Email Collection, then select Email Collection for Portal Type.
    6. Click OK.
  4. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C. Do one of the following:
    1. Select the SSID by editing the FortiAP:
      1. Go to WiFi & Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
      2. Ensure that Managed AP Status is Connected.
      3. Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
      4. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
      5. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
      6. Click OK.
    2. Select the SSID by editing the FortiAP profile:
      1. Go to WiFi & Switch Controller > FortiAP Profile. Select the FAP320C-default profile, then click Edit.
      2. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
      3. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
      4. Click OK.
  5. Create the SSID-to-Internet firewall policy:
    1. Go to Policy & Objects > IPv4 Policy, then click Create New.
    2. Enter the desired policy name.
    3. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
    4. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
    5. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
    6. Click OK.
To deploy captive portal SSID to FortiAP units using the FortiWiFi and FortiAP CLI:
  1. Create a local user:

    config user local

    edit "local"

    set type password

    set passwd 123456

    next

    end

  2. Create a user group:

    config user group

    edit "group-local"

    set member "local"

    next

    end

  3. Create a captive portal SSID. Do one of the following:
    1. Create a captive portal SSID with portal type Authentication:

      config wireless-controller vap

      edit "wifi-vap"

      set ssid "Fortinet-Captive"

      set security captive-portal

      set portal-type auth

      set selected-usergroups "group-local"

      next

      end

    2. Create a captive portal SSID with portal type Disclaimer + Authentication:

      config wireless-controller vap

      edit "wifi-vap"

      set ssid "Fortinet-Captive"

      set security captive-portal

      set portal-type auth+disclaimer

      set selected-usergroups "group-local"

      next

      end

    3. Create a captive portal SSID with portal type Disclaimer Only:

      config wireless-controller vap

      edit "wifi-vap"

      set ssid "Fortinet-Captive"

      set security captive-portal

      set portal-type disclaimer

      next

      end

    4. Create a captive portal SSID with portal type Email Collection:

      config wireless-controller vap

      edit "wifi-vap"

      set ssid "Fortinet-Captive"

      set security captive-portal

      set portal-type email-collect

      next

      end

    5. Configure an IP address and enable DHCP:

      config system interface

      edit "wifi-vap"

      set ip 10.10.80.1 255.255.255.0

      next

      end

      config system dhcp server

      edit 1

      set dns-service default

      set default-gateway 10.10.80.1

      set netmask 255.255.255.0

      set interface "wifi-vap"

      config ip-range

      edit 1

      set start-ip 10.10.80.2

      set end-ip 10.10.80.254

      next

      end

      set timezone-option default

      next

      end

  4. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:

    config wireless-controller wtp

    edit "FP320C3X14000640"

    set admin enable

    set wtp-profile "FAP320C-default"

    next

    end

    config wireless-controller wtp-profile

    edit "FAP320C-default"

    config radio-1

    set vap-all disable

    set vaps "wifi-vap"

    end

    config radio-2

    set vap-all disable

    set vaps "wifi-vap"

    end

    next

    end

  5. Create the SSID-to-Internet firewall policy:

    config firewall policy

    edit 1

    set name "WiFi to Internet"

    set srcintf "wifi-vap"

    set dstintf "wan1"

    set srcaddr "all"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set service "ALL"

    set fsso disable

    set nat enable

    next

    end