Captive portal authentication in service assurance management (SAM) mode 7.0.1
When configuring a radio in service assurance management (SAM) mode, a client can be configured to authenticate with the captive portal. The captive portal match, success, and failure strings must be specified to automatically detect the authentication success or failure.
    config wireless-controller wtp-profile
        edit <name>
            config radio-1
                set sam-cwp-username <string>
                set sam-cwp-password <string>
                set sam-cwp-test-url <string>
                set sam-cwp-match-string <string>
                set sam-cwp-success-string <string>
                set sam-cwp-failure-string <string>
            end
        next
    end
| Option | Description |
| --- | --- |
| sam-cwp-username <string> | Enter the username for captive portal authentication. |
| sam-cwp-password <string> | Enter the password for captive portal authentication. |
| sam-cwp-test-url <string> | Enter the website the client is trying to access. |
| sam-cwp-match-string <string> | Enter the identification string from the captive portal login form. |
| sam-cwp-success-string <string> | Enter the success identification text to appear on the page after a successful login. |
| sam-cwp-failure-string <string> | Enter the failure identification text on the page after an incorrect login. |

Currently, FortiAP only supports bridge mode SSIDs configured with external portal authentication. Other captive portal authentication combinations are not supported.
Example
In this example, a FortiGate manages two FortiAPs (FAP_A and FAP_B). FAP_A serves the SSID, TEST-SAM, with captive portal authentication. FAP_B connects to the SSID and authenticates to the captive portal with the specified credentials.
To configure captive portal authentication in SAM mode:
- Configure FAP_A to have an SSID with captive portal authentication so it can perform a SAM test.
  - Configure the RADIUS server:

        config user radius
            edit "172.18.56.161"
                set server "172.18.56.161"
                set secret ************
            next
        end

  - Configure the VAP:

        config wireless-controller vap
            edit "test-sam"
                set ssid "TEST-SAM"
                set security captive-portal
                set external-web "http://172.18.56.163/portal/index.php"
                set radius-server "172.18.56.161"
                set local-bridging enable
                set portal-type external-auth
                set schedule "always"
            next
        end

  - Configure the FortiAP profile:

        config wireless-controller wtp
            edit "FP423E3X16000020"
                set admin enable
                set wtp-profile "FAP423E-default"
                config radio-1
                    set override-vaps enable
                    set vap-all manual
                    set vaps "test-sam"
                end
                config radio-2
                    set override-vaps enable
                    set vap-all manual
                end
            next
        end
- Configure the SAM and captive portal settings on FAP_B.
  - Configure the FortiAP profile:

        config wireless-controller wtp-profile
            edit "FAP231E-default"
                config platform
                    set type 231E
                    set ddscan enable
                end
                set handoff-sta-thresh 55
                set allowaccess https ssh snmp
                config radio-1
                    set mode sam
                    set sam-ssid "TEST-SAM"
                    set sam-captive-portal enable
                    set sam-cwp-username "tester"
                    set sam-cwp-password ENC
                    set sam-cwp-test-url "https://www.fortinet.com"
                    set sam-cwp-match-string "fgtauth"
                    set sam-cwp-success-string "Fortinet"
                    set sam-cwp-failure-string "failed"
                    set sam-password ENC
                    set sam-test ping
                    set sam-server-type ip
                    set sam-server-ip 8.8.8.8
                    set sam-report-intv 60
                end
                config radio-2
                    unset band
                end
                config radio-3
                    set mode monitor
                end
            next
        end

  - Configure the managed FortiAP settings:

        config wireless-controller wtp
            edit "FP231ETF20000000"
                set admin enable
                set wtp-profile "FAP231E-default"
                config radio-2
                end
            next
        end
- After a few minutes, check the FAP_B configuration in FortiAP:

        FortiAP-231E # rcfg
        Radio 0: AP
        ...
        sam ssid : TEST-SAM
        sam bssid : 00:00:00:00:00:00
        sam security type : Open
        sam captive portal : enabled
        sam cwp test url : https://www.fortinet.com
        sam cwp match string : fgtauth
        sam cwp success string : Fortinet
        sam cwp failure string : failed
        sam test : Ping
        sam server : 8.8.8.8
        sam report interval: 60
        sam iperf port : 5001
        sam iperf protocol : UDP
        ...
Sample FortiOS WiFi event log:
1: date=2021-07-13 time=22:04:20 eventtime=1626239060874592177 tz="-0700" logid="0104043602" type="event" subtype="wireless" level="warning" vd="root" logdesc="Wireless station sign on success" sn="FP423E3X16000000" ap="FP423E3X16000000" vap="test-sam" ssid="TEST-SAM" radioid=1 user="tester" group="N/A" stamac="04:d5:90:bf:4b:4f" srcip=10.1.99.165 channel=11 radioband="802.11ac-2G" signal=-19 snr=76 security="Captive Portal" encryption="N/A" action="user-sign-on-success" reason="Reserved 0" mpsk="N/A" msg="Client 04:d5:90:bf:4b:4f user login success."
2: date=2021-07-13 time=22:04:33 eventtime=1626239073413031350 tz="-0700" logid="0104043711" type="event" subtype="wireless" level="notice" vd="root" logdesc="SAM ping test result" sn="FP231ETF20000000" ap="FP231ETF20000000" vap="test-sam" ssid="TEST-SAM" stamac="04:d5:90:bf:4b:4f" radioid=1 channel=11 security="Captive Portal" encryption="N/A" action="sam-ping-result" msg="Connected to AP FP423E3X16000000, 0.0% packet loss" remotewtptime="3566.658211"
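The following Python check is an added example, not part of the Fortinet documentation. It parses WiFi event log lines in the format shown above and reports any SAM ping result on a captive portal SSID that shows packet loss or has no earlier `user-sign-on-success` event for the same station MAC and SSID. The function names and the third sample line are constructed for illustration, and the lines are assumed to be supplied in time order.

```python
import re

# key=value or key="quoted value" pairs, as in the FortiOS event log lines above
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
LOSS = re.compile(r'([\d.]+)% packet loss')

def parse(line):
    """Return one log line as a dict of field name -> unquoted value."""
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in FIELD.findall(line)}

def review(lines):
    """Return (stamac, ssid, finding) tuples for SAM ping results needing attention."""
    signed_on, findings = set(), []
    for ev in map(parse, lines):
        if ev.get("security") != "Captive Portal":
            continue
        key = (ev.get("stamac"), ev.get("ssid"))
        if ev.get("action") == "user-sign-on-success":
            signed_on.add(key)  # portal login succeeded for this station
        elif ev.get("action") == "sam-ping-result":
            if key not in signed_on:
                findings.append(key + ("no portal sign-on before ping result",))
            m = LOSS.search(ev.get("msg", ""))
            if m is None or float(m.group(1)) > 0:
                pct = m.group(1) if m else "unknown"
                findings.append(key + ("packet loss " + pct + "%",))
    return findings

# Lines 1 and 2 are abridged from the sample log above; line 3 is constructed.
SAMPLE = [
    '1: date=2021-07-13 time=22:04:20 logid="0104043602" ssid="TEST-SAM" '
    'user="tester" stamac="04:d5:90:bf:4b:4f" security="Captive Portal" '
    'action="user-sign-on-success" msg="Client 04:d5:90:bf:4b:4f user login success."',
    '2: date=2021-07-13 time=22:04:33 logid="0104043711" ssid="TEST-SAM" '
    'stamac="04:d5:90:bf:4b:4f" security="Captive Portal" action="sam-ping-result" '
    'msg="Connected to AP FP423E3X16000000, 0.0% packet loss"',
    '3: date=2021-07-13 time=22:05:33 logid="0104043711" ssid="TEST-SAM" '
    'stamac="02:00:00:00:00:01" security="Captive Portal" action="sam-ping-result" '
    'msg="Connected to AP FP423E3X16000000, 100.0% packet loss"',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```
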