Fortinet black logo

Cookbook

Home FortiAuthenticator 5.5.0 Cookbook

Configuring Captive Portal and security policies

5.5.0
6.5.0
6.4.0
6.3.0
6.2.0
6.1.0
6.0.0
5.5.0
Copy Link
Copy Doc ID 53d09085-7746-11e9-81a4-00505692583a:452213
Download PDF

Configuring Captive Portal and security policies

  1. On the FortiGate, go to Network > Interfaces and edit the internal interface.

    2. Under Admission Control, set Security Mode to Captive Portal.

    Set Authentication Portal to External, and enter the SAML authentication portal URL.

    Set User Access to Restricted to Groups, and set User Groups to any local group.

  2. Go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.

  3. Then create the following FQDN objects:
  • www.googleapis.com
  • accounts.google.com
  • ssl-gstatic.com
  • fonts.gstatic.com
  • www.gstatic.com

Then add the following Google subnets:

  • 172.217.9.0/24
  • 216.58.192.0/19

Then create ad address group, adding all created objects as members (in this example, g.suite-bypass).

  • Go to Policy & Objects > IPv4 Policy and create the following policies: one for DNS, for access from FortiAuthenticator, for G Suite bypass, and the last policy for FSSO, including the SAML user group.

  • When finished, right-click each policy (except the FSSO policy), select Edit in CLI, and enter the following command for each policy except the FSSO policy:

    • set captive-portal-exempt enable

    next

    end

    This command exempts users of these policies from the captive portal interface.

    Previous
    Next

    Configuring Captive Portal and security policies

    1. On the FortiGate, go to Network > Interfaces and edit the internal interface.

      2. Under Admission Control, set Security Mode to Captive Portal.

      Set Authentication Portal to External, and enter the SAML authentication portal URL.

      Set User Access to Restricted to Groups, and set User Groups to any local group.

    2. Go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.

    3. Then create the following FQDN objects:
    • www.googleapis.com
    • accounts.google.com
    • ssl-gstatic.com
    • fonts.gstatic.com
    • www.gstatic.com

    Then add the following Google subnets:

    • 172.217.9.0/24
    • 216.58.192.0/19

    Then create ad address group, adding all created objects as members (in this example, g.suite-bypass).

  • Go to Policy & Objects > IPv4 Policy and create the following policies: one for DNS, for access from FortiAuthenticator, for G Suite bypass, and the last policy for FSSO, including the SAML user group.

  • When finished, right-click each policy (except the FSSO policy), select Edit in CLI, and enter the following command for each policy except the FSSO policy:

    • set captive-portal-exempt enable

    next

    end

    This command exempts users of these policies from the captive portal interface.

    Previous
    Next