Fortinet black logo

Cookbook

Configuring Captive Portal and security policies

Copy Link
Copy Doc ID 4d801240-7ccc-11e9-81a4-00505692583a:791475
Download PDF

Configuring Captive Portal and security policies

  1. On the FortiGate, go to Network > Interfaces and edit the internal interface.

    Under Admission Control, set Security Mode to Captive Portal.

    Set Authentication Portal to External, and enter the SAML authentication portal URL.

    Set User Access to Restricted to Groups, and set User Groups to any local group. As the FSSO group is not available, you cannot use this local group for access.

  2. Go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.

  3. Create an FQDN object of your Centrify tenant portal:
    • <your-tenant-id>.my.centrify.com

    As this is an FQDN, make sure to set Type to FQDN.

  4. Go to Policy & Objects > IPv4 Policy and create the policies in these examples:
    • A policy for DNS.
    • A policy for access from the FortiAuthenticator.
    • A policy for Centrify bypass.
    • A policy for FSSO, including the SAML user group.

  5. When finished, right-click each policy except the FSSO policy, select Edit in CLI, and enter the following commands for each policy except the FSSO policy:

    set captive-portal-exempt enable

    next

    end

    This command exempts users of these policies from the captive portal interface.

Configuring Captive Portal and security policies

  1. On the FortiGate, go to Network > Interfaces and edit the internal interface.

    Under Admission Control, set Security Mode to Captive Portal.

    Set Authentication Portal to External, and enter the SAML authentication portal URL.

    Set User Access to Restricted to Groups, and set User Groups to any local group. As the FSSO group is not available, you cannot use this local group for access.

  2. Go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.

  3. Create an FQDN object of your Centrify tenant portal:
    • <your-tenant-id>.my.centrify.com

    As this is an FQDN, make sure to set Type to FQDN.

  4. Go to Policy & Objects > IPv4 Policy and create the policies in these examples:
    • A policy for DNS.
    • A policy for access from the FortiAuthenticator.
    • A policy for Centrify bypass.
    • A policy for FSSO, including the SAML user group.

  5. When finished, right-click each policy except the FSSO policy, select Edit in CLI, and enter the following commands for each policy except the FSSO policy:

    set captive-portal-exempt enable

    next

    end

    This command exempts users of these policies from the captive portal interface.