Fortinet Document Library

FortiWiFi and FortiAP Configuration Guide

Captive portal authentication when bridged via software switch

When a tunnel mode SSID, or a VLAN sub-interface of an SSID, is bridged with other interfaces via a software switch, captive portal authentication only works if the switch interface is created with intra-switch-policy set to explicit. With the default implicit policy, traffic between switch members is forwarded without consulting firewall policies, so the captive portal is never triggered. With explicit, traffic between members must match a firewall policy, and it is on that policy that the authentication configured on the VAP is enforced.

To configure captive portal authentication on an SSID or VLAN sub-interface:
  1. Configure the local user:
    config user local
        edit "user1"
            set passwd ********* 
        next
    end
  2. Configure the user group:
    config user group
        edit "wifi-group"
            set member "user1"
        next
    end
  3. Configure the VAP:
    config wireless-controller vap
        edit "test-captive"
            set ssid "test-captive"
            set security captive-portal
            set portal-type auth+disclaimer
            set selected-usergroups "wifi-group"
            set schedule "always"
        next
    end
  4. Create a software switch interface consisting of a tunnel VAP with captive portal security and a physical interface (port7):
    config system switch-interface
        edit "test-ssw"
            set vdom "vdom1"
            set member "port7" "test-captive"
            set intra-switch-policy explicit
        next
    end
  5. Create the firewall policy that allows traffic between the two switch members (required because intra-switch-policy is explicit; without it, traffic between the VAP and port7 is dropped):
    config firewall policy
        edit 1
            set srcintf "test-captive" "port7"
            set dstintf "port7" "test-captive"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat disable
        next
    end
  6. Connect the external DHCP server to the physical interface.
  7. Connect a WiFi client to the tunnel VAP. The client receives an IP address from the DHCP server; its web traffic is then redirected to the captive portal, where it must accept the disclaimer and log in with user1's credentials before traffic to port7 is allowed.
  8. Verify the authenticated firewall users list. The entry shows the client IP and MAC address, the authenticated user, its group, and the session timers (the capture below was taken with a user u1 in a group named wifi; with the configuration above, expect user1 and wifi-group):
    # diagnose firewall auth list 
    10.100.250.250, u1
        src_mac: fc:d8:d0:9a:8b:85
        type: fw, id: 0, duration: 29, idled: 12
        expire: 288, allow-idle: 300
        flag(100): wsso
        packets: in 229 out 162, bytes: in 192440 out 22887
        user_id: 16777218
        group_id: 2
        group_name: wifi
    ----- 1 listed, 0 filtered ------
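As an added check (example code, not Fortinet's), the following Python script applies the rule above to a FortiOS CLI dump: it parses the config/edit/set/next/end blocks, finds every software switch that bridges a captive-portal VAP (or, by assumption, a VLAN sub-interface whose `set interface` parent is such a VAP), and flags switches left at the default implicit intra-switch policy or lacking any firewall policy for the captive-portal member. The configuration fragment inside is constructed for the example; the implicit default and the VLAN sub-interface syntax are assumptions, marked as such in the comments.

```python
"""Audit a FortiOS CLI dump for the rule on this page: a captive-portal SSID
(or a VLAN sub-interface of one) bridged via a software switch needs
'set intra-switch-policy explicit'.  Added example, not Fortinet code."""

import shlex


def parse_fortios(text):
    """Parse 'config / edit / set / next / end' blocks into
    {table_name: {entry_name: {key: [values]}}}; nested tables keyed by name."""
    tables = {}
    stack = []  # one [table_name, current_entry_or_None] per open 'config'
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            stack.append([" ".join(args), None])
            tables.setdefault(stack[-1][0], {})
        elif cmd == "edit":
            stack[-1][1] = tables[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set" and stack[-1][1] is not None:
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return tables


def captive_interfaces(tables):
    """VAPs with 'set security captive-portal', plus VLAN sub-interfaces on one
    (assumption: they sit under 'system interface' with 'set interface <parent>')."""
    vaps = tables.get("wireless-controller vap", {})
    names = {n for n, e in vaps.items() if e.get("security") == ["captive-portal"]}
    for n, e in tables.get("system interface", {}).items():
        if (e.get("interface") or [None])[0] in names:
            names.add(n)
    return names


def audit_switches(tables):
    """Return [(switch, message)] for software switches that bridge a
    captive-portal interface without an explicit intra-switch policy, or whose
    captive-portal member has no firewall policy to carry its traffic."""
    captive = captive_interfaces(tables)
    policies = tables.get("firewall policy", {}).values()
    findings = []
    for sw, e in tables.get("system switch-interface", {}).items():
        bridged = sorted(set(e.get("member", [])) & captive)
        if not bridged:
            continue
        # Assumption: FortiOS defaults intra-switch-policy to implicit when unset
        mode = e.get("intra-switch-policy", ["implicit"])[0]
        if mode != "explicit":
            findings.append((sw, f"bridges {bridged} with intra-switch-policy {mode}: "
                                 "member-to-member traffic skips firewall policies, so "
                                 "the captive portal never triggers"))
        for iface in bridged:
            if not any(iface in p.get("srcintf", []) for p in policies):
                findings.append((sw, f"no firewall policy with srcintf {iface}: with an "
                                     "explicit policy its traffic is dropped"))
    return findings


# Constructed sample: the page's working switch plus a misconfigured one.
SAMPLE_CONFIG = """
config wireless-controller vap
    edit "test-captive"
        set security captive-portal
        set selected-usergroups "wifi-group"
    next
    edit "guest-captive"
        set security captive-portal
        set selected-usergroups "wifi-group"
    next
end
config system switch-interface
    edit "test-ssw"
        set member "port7" "test-captive"
        set intra-switch-policy explicit
    next
    edit "guest-ssw"
        set member "port8" "guest-captive"
    next
end
config firewall policy
    edit 1
        set srcintf "test-captive" "port7"
        set dstintf "port7" "test-captive"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""

if __name__ == "__main__":
    for sw, msg in audit_switches(parse_fortios(SAMPLE_CONFIG)):
        print(f"{sw}: {msg}")
```

Feed it the output of `show full-configuration` rather than plain `show`: the short form omits settings still at their default, so a switch left implicit carries no intra-switch-policy line at all, which is exactly why the script treats a missing value as implicit.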
