Fortinet Document Library

Cookbook

Configuring Captive Portal and security policies

  1. On the FortiGate, go to Network > Interfaces and edit the internal interface.

    Under Admission Control, set Security Mode to Captive Portal.

    Set Authentication Portal to External, and enter the SAML authentication portal URL.

    Set User Access to Restricted to Groups, and set User Groups to any local group. As the FSSO group is not available, you cannot use this local group for access.

  2. Go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.

  3. Create the following FQDN objects:
    • eum-col.appdynamics.com
    • login.okta.com
    • ocsp.digicert.com
    • op1static.oktacdn.com

    As these are FQDNs, make sure to set Type to FQDN.

  4. Go to Policy & Objects > IPv4 Policy and create the policies in these examples:
    • A policy for DNS.
    • A policy for access from FortiAuthenticator.
    • A policy for Okta bypass.
    • A policy for FSSO, including the SAML user group.

  5. When finished, right-click each policy except the FSSO policy, select Edit in CLI, and enter the following commands:

    set captive-portal-exempt enable
    next
    end

    This setting exempts the users of these policies from the captive portal on the interface; the FSSO policy keeps the portal so that only authenticated SAML group members match it.
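The same steps expressed in the FortiOS CLI, as an added example that is not part of the Fortinet cookbook. Only "internal" and the FQDNs come from the page; the WAN interface name, the two group names and the portal URL are assumed placeholders. It shows the Okta bypass policy and the FSSO policy; the DNS and FortiAuthenticator policies follow the same pattern as the bypass one, with their own address objects.

```text
# Added example, not cookbook content. Assumed names: "wan1", local group
# "portal-local", SAML/FSSO group "SAML_users", placeholder portal URL.
config system interface
    edit "internal"
        set security-mode captive-portal
        # Step 1: external SAML authentication portal URL (placeholder)
        set security-external-web "https://PORTAL-URL-PLACEHOLDER"
        # Any local group; the FSSO/SAML group cannot be selected here
        set security-groups "portal-local"
    next
end
config firewall address
    # Step 3: FQDN objects (type must be fqdn, not an IP subnet)
    edit "login.okta.com"
        set type fqdn
        set fqdn "login.okta.com"
    next
    edit "op1static.oktacdn.com"
        set type fqdn
        set fqdn "op1static.oktacdn.com"
    next
end
config firewall policy
    # Step 4/5: Okta bypass, exempt from the portal but scoped to the
    # listed FQDN destinations and HTTPS only
    edit 0
        set name "Okta-bypass"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "login.okta.com" "op1static.oktacdn.com"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set captive-portal-exempt enable
    next
    # FSSO policy: no exemption, matches only members of the SAML group
    edit 0
        set name "FSSO-SAML-users"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SAML_users"
    next
end
```

Keep every exempt policy limited to the address objects and services it needs, since traffic matching an exempt policy reaches its destination without portal authentication.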