Fortinet black logo

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiWiFi and FortiAP Configuration Guide

Download PDF
Copy Doc ID 89ea0dba-bc2e-11ec-9fd1-fa163e15d75b:292926
Copy Link

Captive Portal Security

Captive portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client's first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.

The captive portal can be hosted on the FortiGate unit, or on an external authentication server.

This section includes the following topics:

Captive portal types

The WiFi captive portal types are available depending on your SSID traffic mode:

Name

Description

Traffic Mode

Available in the GUI and CLI

Authentication Until the user enters valid credentials, no communication beyond the AP is permitted.

Tunnel

Bridge

Disclaimer + Authentication

Immediately after successful authentication, the portal presents the disclaimer page—an acceptable use policy or other legal statement—to which the user must agree before proceeding.

Tunnel

Disclaimer Only The portal presents the disclaimer page—an acceptable use policy or other legal statement—to which the user must agree before proceeding. The authentication page is not presented.

Tunnel

Email Collection

The portal presents a page requesting the user’s email address, for the purpose of contacting the person in future. This is often used by businesses who provide free WiFi access to their customers. The authentication page is not presented.

To enable Email Collection, go to System > Feature Visibility, and enable Email Collection, then select Email Collection for Portal Type.

Tunnel

Available in CLI only

cmcc

Set the portal type to CMCC.

Bridge

cmcc-macauth

Set the portal type to CMCC and MAC authentication.

Bridge

auth-mac

When clients are authenticated and their MAC addresses are known, they are redirected to the external captive portal.

Tunnel

external-auth

Clients are directed to an external captive portal for authentication.

Bridge

external-macauth

Clients are directed to an external portal for MAC authentication.

Bridge

Configuring a FortiGate captive portal

The built-in FortiGate captive portal is simpler than an external portal. To configure a captive portal, you need to create an SSID, apply the SSID to the FortiAP, and create a policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To configure a WiFi Captive Portal - GUI
  1. Create a local user:
    1. Go to User & Authentication > User Definition, then click Create New.
    2. In the Users/Groups Creation Wizard, select Local User, then click Next.
    3. Enter the desired values in the Username and Password fields, then click Next.
    4. On the Contact Info tab, fill in any information as desired, then click Next. You do not need to configure any contact information for the user.
    5. On the Extra Info tab, set the User Account Status to Enabled.
    6. If the desired user group already exists, enable User Group, then select the desired user group.
    7. Click Submit.
  2. Create a user group:
    1. Go to User & Authentication > User Definition, then click Create New.
    2. Enter the desired group name.
    3. For Type, select Firewall.
    4. For Members, click the + button. In the dropdown list, select the local user you created in step 1 and click OK.
    5. Click OK.
  3. Create a captive portal SSID:
    1. Go to WiFi and Switch Controller > SSIDs, click Create New and select SSID.
    2. Enter the desired interface name. For Traffic mode, select Tunnel.
    3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
    4. In the SSID field, enter the desired SSID name.
    5. For Security mode, select Captive Portal.
    6. Configure the following:

      Portal type

      Configure a captive portal type:

      • Authentication
      • Disclaimer + Authentication
      • Disclaimer Only
      • Email Collection

        To enable Email Collection, go to System > Feature Visibility, and enable Email Collection, then select Email Collection for Portal Type.

      For information about each portal type, see Captive portal types.

      Authentication portal

      Configure the location of the portal:

      • Local - the portal is hosted on the FortiGate unit.
      • External - enter FQDN or IP address of an external portal.

      User groups

      Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

      Exempt sources

      Select exempt lists whose members will not be subject to captive portal authentication.

      Exempt destinations/services

      Select destinations and services lists whose members will not be subject to captive portal authentication.

      Redirect after Captive Portal

      Select whether to have authenticated users navigate to their originally requested URL or be redirected to a specific URL.

    7. Click OK.
  4. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-221E and a "FAP221E-default" profile that is applied to the FortiAP-221E. Do one of the following:
    1. Select the SSID by editing the FortiAP:
      1. Go to WiFi and Switch Controller > Managed FortiAPs. Select the FortiAP-221E and click Edit.
      2. Ensure that Managed AP Status is Connected.
      3. Under Wireless Settings, ensure that the configured FortiAP profile is the desired profile, in this case FAP221E-default. Click Edit entry.
      4. To broadcast the SSID from the 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the captive portal SSID you created.
      5. To broadcast the SSID from the 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the captive portal SSID you created.
      6. Click OK.
    2. Select the SSID by editing the FortiAP profile:
      1. Go to WiFi and Switch Controller > FortiAP Profiles. Select the FAP221E-default profile, then click Edit.
      2. To broadcast the SSID from the 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the captive portal SSID you created.
      3. To broadcast the SSID from the 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the captive portal SSID you created.
      4. Click OK.
  5. Create the SSID-to-Internet firewall policy:
    1. Go to Policy & Objects > Firewall Policy, then click Create New.
    2. Enter the desired policy name.
    3. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
    4. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
    5. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
    6. Click OK.
To deploy captive portal SSID to FortiAP units - CLI
  1. Create a local user:

    config user local

    edit "local"

    set type password

    set passwd ***

    next

    end

  2. Create a user group:

    config user group

    edit "group-local"

    set member "local"

    next

    end

  3. Create a captive portal SSID. You can assign the following portal-type:

    config wireless-controller vap
      edit "wifi-vap"
        set ssid "Fortinet-Captive"
        set security captive-portal
        set portal-type {auth | auth+disclaimer | disclaimer | email-collect}
        set selected-usergroups "group-local"
      next
    end
  4. Configure an IP address and enable DHCP:

    config system interface

    edit "wifi-vap"

    set ip 10.10.80.1 255.255.255.0

    next

    end

    config system dhcp server

    edit 1

    set dns-service default

    set default-gateway 10.10.80.1

    set netmask 255.255.255.0

    set interface "wifi-vap"

    config ip-range

    edit 1

    set start-ip 10.10.80.2

    set end-ip 10.10.80.254

    next

    end

    set timezone-option default

    next

    end

  5. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-221E and a "FAP221E-default" profile that is applied to the FortiAP-221E:

    config wireless-controller wtp

    edit "FP221E3X14000640"

    set admin enable

    set wtp-profile "FAP221E-default"

    next

    end

    config wireless-controller wtp-profile

    edit "FAP221E-default"

    config radio-1

    set vap-all manual

    set vaps "wifi-vap"

    end

    config radio-2

    set vap-all manual

    set vaps "wifi-vap"

    end

    next

    end

  6. Create the SSID-to-Internet firewall policy:

    config firewall policy

    edit 1

    set name "WiFi to Internet"

    set srcintf "wifi-vap"

    set dstintf "wan1"

    set srcaddr "all"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set service "ALL"

    set fsso disable

    set nat enable

    next

    end

Configuring an external captive portal

An external captive portal is a web page on a web server as opposed to the built-in captive portal on FortiGate. The essential part of the web portal page is a script that gathers the user's logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a "walled garden".

On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data
magic=session_id&username=<username>&password=<password>.
(The magic value was provided in the initial FortiGate request to the web server.)

To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

config user setting

set auth-secure-http enable

end

To configure an external WiFi Captive Portal in tunnel mode - GUI
  1. Go to WiFi and Switch Controller > SSIDs.
    If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
  2. Set the Traffic mode to Tunnel.
  3. In Security Mode, select Captive Portal.
  4. Select the Portal type you want.

  5. In Authentication portal, select External and enter the FQDN or IP address of the external portal.

    Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.

  6. Configure the other settings as needed.
  7. When you are finished, select OK.
To configure an external WiFi Captive Portal in tunnel mode- CLI
config wireless-controller vap
  edit "wifi-vap"
    set ssid "Fortinet-Captive"
    set security captive-portal
    set external-web "example.com"
    set selected-usergroups "Guest-group"
    set schedule "always"
  next
end
To configure an auth-mac portal in tunnel mode- CLI

To support a MAC authentication portal (such as Cisco ISE authentication) in tunnel mode, you must set portal-type to auth-mac.

config wireless-controller vap
  edit wifi-cap
    set ssid "fortinet-guest"
    set security captive-portal
    set portal-type auth-mac
    set radius-mac-auth enable
    set radius-mac-auth-server "CISCO_ISE"
    set radius-mac-auth-usergroups "registered"
    set external-web "https://<ISE_Portal>:8443/portal/g?p=123456789"
  next
end
To configure an external WiFi Captive Portal in local bridge mode - CLI
config wireless-controller vap
  edit "cap"
    set ssid "fortinet-guest"
    set security captive-portal
    set external-web "example.com/portal"
    set radius-server "peap"
    set local-bridging enable
    set portal-type external-auth
  next
end
To configure an external-macauth portal in bridge mode - CLI

To support en external MAC authentication portal (such as Cisco ISE authentication) in bridge mode, you must set portal-type to external-macauth.

config wireless-controller vap
  edit wifi-cap
    set ssid "fortinet-guest"
    set security captive-portal
    set external-web "https://<ISE_Portal>:8443/portal/g?p=jN9z47goOJg75HpaXxV8WZPQgd"
    set radius-mac-auth enable
    set radius-mac-auth-server "ISE"
    set radius-mac-auth-usergroups "AuthorizedGuest"
    set local-bridging enable
    set portal-type external-macauth
    set schedule "always"
  next
end

Configuring MAC Bypass for captive portal

Captive portal security supports MAC-auth-bypass. If a client's MAC can be authenticated from local-user or a RADIUS server, then the client can bypass firewall authentication directly.

To configure MAC bypass for the captive portal SSID - CLI
config wireless-controller vap
  edit "cap"
    set ssid "fortinet-guest"
    set security captive-portal
    set mac-auth-bypass enable
    set selected-usergroups "group-radius"
  next
end

Captive Portal Security

Captive portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client's first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.

The captive portal can be hosted on the FortiGate unit, or on an external authentication server.

This section includes the following topics:

Captive portal types

The WiFi captive portal types are available depending on your SSID traffic mode:

Name

Description

Traffic Mode

Available in the GUI and CLI

Authentication Until the user enters valid credentials, no communication beyond the AP is permitted.

Tunnel

Bridge

Disclaimer + Authentication

Immediately after successful authentication, the portal presents the disclaimer page—an acceptable use policy or other legal statement—to which the user must agree before proceeding.

Tunnel

Disclaimer Only The portal presents the disclaimer page—an acceptable use policy or other legal statement—to which the user must agree before proceeding. The authentication page is not presented.

Tunnel

Email Collection

The portal presents a page requesting the user’s email address, for the purpose of contacting the person in future. This is often used by businesses who provide free WiFi access to their customers. The authentication page is not presented.

To enable Email Collection, go to System > Feature Visibility, and enable Email Collection, then select Email Collection for Portal Type.

Tunnel

Available in CLI only

cmcc

Set the portal type to CMCC.

Bridge

cmcc-macauth

Set the portal type to CMCC and MAC authentication.

Bridge

auth-mac

When clients are authenticated and their MAC addresses are known, they are redirected to the external captive portal.

Tunnel

external-auth

Clients are directed to an external captive portal for authentication.

Bridge

external-macauth

Clients are directed to an external portal for MAC authentication.

Bridge

Configuring a FortiGate captive portal

The built-in FortiGate captive portal is simpler than an external portal. To configure a captive portal, you need to create an SSID, apply the SSID to the FortiAP, and create a policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To configure a WiFi Captive Portal - GUI
  1. Create a local user:
    1. Go to User & Authentication > User Definition, then click Create New.
    2. In the Users/Groups Creation Wizard, select Local User, then click Next.
    3. Enter the desired values in the Username and Password fields, then click Next.
    4. On the Contact Info tab, fill in any information as desired, then click Next. You do not need to configure any contact information for the user.
    5. On the Extra Info tab, set the User Account Status to Enabled.
    6. If the desired user group already exists, enable User Group, then select the desired user group.
    7. Click Submit.
  2. Create a user group:
    1. Go to User & Authentication > User Definition, then click Create New.
    2. Enter the desired group name.
    3. For Type, select Firewall.
    4. For Members, click the + button. In the dropdown list, select the local user you created in step 1 and click OK.
    5. Click OK.
  3. Create a captive portal SSID:
    1. Go to WiFi and Switch Controller > SSIDs, click Create New and select SSID.
    2. Enter the desired interface name. For Traffic mode, select Tunnel.
    3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
    4. In the SSID field, enter the desired SSID name.
    5. For Security mode, select Captive Portal.
    6. Configure the following:

      Portal type

      Configure a captive portal type:

      • Authentication
      • Disclaimer + Authentication
      • Disclaimer Only
      • Email Collection

        To enable Email Collection, go to System > Feature Visibility, and enable Email Collection, then select Email Collection for Portal Type.

      For information about each portal type, see Captive portal types.

      Authentication portal

      Configure the location of the portal:

      • Local - the portal is hosted on the FortiGate unit.
      • External - enter FQDN or IP address of an external portal.

      User groups

      Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

      Exempt sources

      Select exempt lists whose members will not be subject to captive portal authentication.

      Exempt destinations/services

      Select destinations and services lists whose members will not be subject to captive portal authentication.

      Redirect after Captive Portal

      Select whether to have authenticated users navigate to their originally requested URL or be redirected to a specific URL.

    7. Click OK.
  4. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-221E and a "FAP221E-default" profile that is applied to the FortiAP-221E. Do one of the following:
    1. Select the SSID by editing the FortiAP:
      1. Go to WiFi and Switch Controller > Managed FortiAPs. Select the FortiAP-221E and click Edit.
      2. Ensure that Managed AP Status is Connected.
      3. Under Wireless Settings, ensure that the configured FortiAP profile is the desired profile, in this case FAP221E-default. Click Edit entry.
      4. To broadcast the SSID from the 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the captive portal SSID you created.
      5. To broadcast the SSID from the 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the captive portal SSID you created.
      6. Click OK.
    2. Select the SSID by editing the FortiAP profile:
      1. Go to WiFi and Switch Controller > FortiAP Profiles. Select the FAP221E-default profile, then click Edit.
      2. To broadcast the SSID from the 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the captive portal SSID you created.
      3. To broadcast the SSID from the 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the captive portal SSID you created.
      4. Click OK.
  5. Create the SSID-to-Internet firewall policy:
    1. Go to Policy & Objects > Firewall Policy, then click Create New.
    2. Enter the desired policy name.
    3. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
    4. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
    5. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
    6. Click OK.
To deploy captive portal SSID to FortiAP units - CLI
  1. Create a local user:

    config user local

    edit "local"

    set type password

    set passwd ***

    next

    end

  2. Create a user group:

    config user group

    edit "group-local"

    set member "local"

    next

    end

  3. Create a captive portal SSID. You can assign the following portal-type:

    config wireless-controller vap
      edit "wifi-vap"
        set ssid "Fortinet-Captive"
        set security captive-portal
        set portal-type {auth | auth+disclaimer | disclaimer | email-collect}
        set selected-usergroups "group-local"
      next
    end
  4. Configure an IP address and enable DHCP:

    config system interface

    edit "wifi-vap"

    set ip 10.10.80.1 255.255.255.0

    next

    end

    config system dhcp server

    edit 1

    set dns-service default

    set default-gateway 10.10.80.1

    set netmask 255.255.255.0

    set interface "wifi-vap"

    config ip-range

    edit 1

    set start-ip 10.10.80.2

    set end-ip 10.10.80.254

    next

    end

    set timezone-option default

    next

    end

  5. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-221E and a "FAP221E-default" profile that is applied to the FortiAP-221E:

    config wireless-controller wtp

    edit "FP221E3X14000640"

    set admin enable

    set wtp-profile "FAP221E-default"

    next

    end

    config wireless-controller wtp-profile

    edit "FAP221E-default"

    config radio-1

    set vap-all manual

    set vaps "wifi-vap"

    end

    config radio-2

    set vap-all manual

    set vaps "wifi-vap"

    end

    next

    end

  6. Create the SSID-to-Internet firewall policy:

    config firewall policy

    edit 1

    set name "WiFi to Internet"

    set srcintf "wifi-vap"

    set dstintf "wan1"

    set srcaddr "all"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set service "ALL"

    set fsso disable

    set nat enable

    next

    end

Configuring an external captive portal

An external captive portal is a web page on a web server as opposed to the built-in captive portal on FortiGate. The essential part of the web portal page is a script that gathers the user's logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a "walled garden".

On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data
magic=session_id&username=<username>&password=<password>.
(The magic value was provided in the initial FortiGate request to the web server.)

To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

config user setting

set auth-secure-http enable

end

To configure an external WiFi Captive Portal in tunnel mode - GUI
  1. Go to WiFi and Switch Controller > SSIDs.
    If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
  2. Set the Traffic mode to Tunnel.
  3. In Security Mode, select Captive Portal.
  4. Select the Portal type you want.

  5. In Authentication portal, select External and enter the FQDN or IP address of the external portal.

    Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.

  6. Configure the other settings as needed.
  7. When you are finished, select OK.
To configure an external WiFi Captive Portal in tunnel mode- CLI
config wireless-controller vap
  edit "wifi-vap"
    set ssid "Fortinet-Captive"
    set security captive-portal
    set external-web "example.com"
    set selected-usergroups "Guest-group"
    set schedule "always"
  next
end
To configure an auth-mac portal in tunnel mode- CLI

To support a MAC authentication portal (such as Cisco ISE authentication) in tunnel mode, you must set portal-type to auth-mac.

config wireless-controller vap
  edit wifi-cap
    set ssid "fortinet-guest"
    set security captive-portal
    set portal-type auth-mac
    set radius-mac-auth enable
    set radius-mac-auth-server "CISCO_ISE"
    set radius-mac-auth-usergroups "registered"
    set external-web "https://<ISE_Portal>:8443/portal/g?p=123456789"
  next
end
To configure an external WiFi Captive Portal in local bridge mode - CLI
config wireless-controller vap
  edit "cap"
    set ssid "fortinet-guest"
    set security captive-portal
    set external-web "example.com/portal"
    set radius-server "peap"
    set local-bridging enable
    set portal-type external-auth
  next
end
To configure an external-macauth portal in bridge mode - CLI

To support en external MAC authentication portal (such as Cisco ISE authentication) in bridge mode, you must set portal-type to external-macauth.

config wireless-controller vap
  edit wifi-cap
    set ssid "fortinet-guest"
    set security captive-portal
    set external-web "https://<ISE_Portal>:8443/portal/g?p=jN9z47goOJg75HpaXxV8WZPQgd"
    set radius-mac-auth enable
    set radius-mac-auth-server "ISE"
    set radius-mac-auth-usergroups "AuthorizedGuest"
    set local-bridging enable
    set portal-type external-macauth
    set schedule "always"
  next
end

Configuring MAC Bypass for captive portal

Captive portal security supports MAC-auth-bypass. If a client's MAC can be authenticated from local-user or a RADIUS server, then the client can bypass firewall authentication directly.

To configure MAC bypass for the captive portal SSID - CLI
config wireless-controller vap
  edit "cap"
    set ssid "fortinet-guest"
    set security captive-portal
    set mac-auth-bypass enable
    set selected-usergroups "group-radius"
  next
end