Captive portal authentication in service assurance management (SAM) mode 7.0.1

When a radio is configured in service assurance management (SAM) mode, the SAM client can also be configured to authenticate with the captive portal. The captive portal match, success, and failure strings must be specified so that authentication success or failure can be detected automatically.

config wireless-controller wtp-profile
    edit <name>
        config radio-1
            set sam-cwp-username <string>
            set sam-cwp-password <string>
            set sam-cwp-test-url <string>
            set sam-cwp-match-string <string>
            set sam-cwp-success-string <string>
            set sam-cwp-failure-string <string>
        end
    next
end

sam-cwp-username <string>

Enter the username for captive portal authentication.

sam-cwp-password <string>

Enter the password for captive portal authentication.

sam-cwp-test-url <string>

Enter the website the client is trying to access.

sam-cwp-match-string <string>

Enter the identification string from the captive portal login form.

sam-cwp-success-string <string>

Enter the success identification text to appear on the page after a successful login.

sam-cwp-failure-string <string>

Enter the failure identification text to appear on the page after an incorrect login.

Note

Currently, FortiAP only supports bridge mode SSIDs configured with external portal authentication. Other captive portal authentication combinations are not supported.

Example

In this example, a FortiGate manages two FortiAPs (FAP_A and FAP_B). FAP_A serves the SSID, TEST-SAM, with captive portal authentication. FAP_B connects to the SSID and authenticates to the captive portal with the specified credentials.

To configure captive portal authentication in SAM mode:
  1. Configure FAP_A to have an SSID with captive portal authentication so it can perform a SAM test.
    1. Configure the RADIUS server:
      config user radius
          edit "172.18.56.161"
              set server "172.18.56.161"
              set secret ************ 
          next
      end
    2. Configure the VAP:
      config wireless-controller vap
          edit "test-sam"
              set ssid "TEST-SAM"
              set security captive-portal
              set external-web "http://172.18.56.163/portal/index.php"
              set radius-server "172.18.56.161"
              set local-bridging enable
              set portal-type external-auth
              set schedule "always"
          next
      end
    3. Configure the FortiAP profile:
      config wireless-controller wtp
          edit "FP423E3X16000020"
              set admin enable
              set wtp-profile "FAP423E-default"
              config radio-1
                  set override-vaps enable
                  set vap-all manual
                  set vaps "test-sam"
              end
              config radio-2
                  set override-vaps enable
                  set vap-all manual
              end
          next
      end
  2. Configure the SAM and captive portal settings on FAP_B.
    1. Configure the FortiAP profile:
      config wireless-controller wtp-profile
          edit "FAP231E-default"
              config platform
                  set type 231E
                  set ddscan enable
              end
              set handoff-sta-thresh 55
              set allowaccess https ssh snmp
              config radio-1
                  set mode sam
                  set sam-ssid "TEST-SAM"
                  set sam-captive-portal enable
                  set sam-cwp-username "tester"
                  set sam-cwp-password ENC
                  set sam-cwp-test-url "https://www.fortinet.com"
                  set sam-cwp-match-string "fgtauth"
                  set sam-cwp-success-string "Fortinet"
                  set sam-cwp-failure-string "failed"
                  set sam-password ENC
                  set sam-test ping
                  set sam-server-type ip
                  set sam-server-ip 8.8.8.8
                  set sam-report-intv 60
              end
              config radio-2
                  unset band
              end
              config radio-3
                  set mode monitor
              end
          next
      end
    2. Configure the managed FortiAP settings:
      config wireless-controller wtp
          edit "FP231ETF20000000"
              set admin enable
              set wtp-profile "FAP231E-default"
              config radio-2
              end
          next
      end
  3. After a few minutes, check the FAP_B configuration in FortiAP:
    FortiAP-231E # rcfg
    Radio 0: AP
    ...
       sam ssid           : TEST-SAM
       sam bssid          : 00:00:00:00:00:00
       sam security type  : Open
       sam captive portal : enabled
       sam cwp test url   : https://www.fortinet.com
       sam cwp match string    : fgtauth
       sam cwp success string  : Fortinet
       sam cwp failure string  : failed
       sam test           : Ping
       sam server         : 8.8.8.8
       sam report interval: 60
       sam iperf port     : 5001
       sam iperf protocol : UDP
    ...
Sample FortiOS WiFi event log:
1: date=2021-07-13 time=22:04:20 eventtime=1626239060874592177 tz="-0700" logid="0104043602" type="event" subtype="wireless" level="warning" vd="root" logdesc="Wireless station sign on success" sn="FP423E3X16000000" ap="FP423E3X16000000" vap="test-sam" ssid="TEST-SAM" radioid=1 user="tester" group="N/A" stamac="04:d5:90:bf:4b:4f" srcip=10.1.99.165 channel=11 radioband="802.11ac-2G" signal=-19 snr=76 security="Captive Portal" encryption="N/A" action="user-sign-on-success" reason="Reserved 0" mpsk="N/A" msg="Client 04:d5:90:bf:4b:4f user login success."
2: date=2021-07-13 time=22:04:33 eventtime=1626239073413031350 tz="-0700" logid="0104043711" type="event" subtype="wireless" level="notice" vd="root" logdesc="SAM ping test result" sn="FP231ETF20000000" ap="FP231ETF20000000" vap="test-sam" ssid="TEST-SAM" stamac="04:d5:90:bf:4b:4f" radioid=1 channel=11 security="Captive Portal" encryption="N/A" action="sam-ping-result" msg="Connected to AP FP423E3X16000000, 0.0% packet loss" remotewtptime="3566.658211"
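
The two events above can be checked together when monitoring SAM tests. The following is an added example, not part of the original Fortinet documentation: it parses FortiOS key=value log lines and flags any `sam-ping-result` that has no earlier `user-sign-on-success` for the same station MAC, or that reports packet loss. Correlating on `stamac`, the `max_loss` threshold, and the third sample line are assumptions made for this illustration.

```python
import re

# Constructed sample input: the page's two log lines trimmed to the fields used
# here, plus one constructed SAM result for a station that never signed on.
SAMPLE_LOGS = [
    'date=2021-07-13 time=22:04:20 eventtime=1626239060874592177 logid="0104043602" '
    'ap="FP423E3X16000000" ssid="TEST-SAM" user="tester" stamac="04:d5:90:bf:4b:4f" '
    'action="user-sign-on-success" msg="Client 04:d5:90:bf:4b:4f user login success."',
    'date=2021-07-13 time=22:04:33 eventtime=1626239073413031350 logid="0104043711" '
    'ap="FP231ETF20000000" ssid="TEST-SAM" stamac="04:d5:90:bf:4b:4f" '
    'action="sam-ping-result" msg="Connected to AP FP423E3X16000000, 0.0% packet loss"',
    'date=2021-07-13 time=22:05:33 eventtime=1626239133000000000 logid="0104043711" '
    'ap="FP231ETF20000000" ssid="TEST-SAM" stamac="02:00:00:00:00:01" '
    'action="sam-ping-result" msg="Connected to AP FP423E3X16000000, 25.0% packet loss"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
LOSS_RE = re.compile(r'([\d.]+)% packet loss')

def parse_line(line):
    """Split a FortiOS key=value log line into a dict, honouring quoted values."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}

def correlate(lines, max_loss=0.0):
    """Return (stamac, finding) pairs for SAM ping results that lack an earlier
    captive portal sign-on for the same station, or that exceed max_loss."""
    signed_on = {}   # stamac -> eventtime of the earliest sign-on success
    findings = []
    events = sorted((parse_line(l) for l in lines), key=lambda e: int(e["eventtime"]))
    for ev in events:
        mac, action = ev.get("stamac"), ev.get("action")
        if action == "user-sign-on-success":
            signed_on.setdefault(mac, int(ev["eventtime"]))
        elif action == "sam-ping-result":
            if mac not in signed_on:
                findings.append((mac, "SAM result without captive portal sign-on"))
            loss = LOSS_RE.search(ev.get("msg", ""))
            if loss and float(loss.group(1)) > max_loss:
                findings.append((mac, f"packet loss {loss.group(1)}%"))
    return findings

if __name__ == "__main__":
    for mac, finding in correlate(SAMPLE_LOGS):
        print(mac, finding)
```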
