
New Features


Captive portal authentication when bridged via software switch

In a scenario where a tunnel mode SSID, or a VLAN sub-interface of an SSID, is bridged with other interfaces via a software switch, captive portal authentication on the SSID or VLAN sub-interface is now supported. The software switch must be created with intra-switch-policy set to explicit, so that traffic between the switch members is matched against firewall policy rather than implicitly allowed; with the default implicit setting, bridged traffic bypasses policy and the captive portal cannot be enforced. Users accessing the SSID are redirected to the captive portal for authentication.

To configure captive portal authentication on an SSID or VLAN sub-interface:
  1. Configure the local user:
    config user local
        edit "user1"
            set passwd ********* 
        next
    end
  2. Configure the user group:
    config user group
        edit "wifi-group"
            set member "user1"
        next
    end
  3. Configure the VAP:
    config wireless-controller vap
        edit "test-captive"
            set ssid "test-captive"
            set security captive-portal
            set portal-type auth+disclaimer
            set selected-usergroups "wifi-group"
            set schedule "always"
        next
    end
  4. Create a software switch interface consisting of the tunnel VAP with captive portal security and a physical interface (port7). Setting intra-switch-policy to explicit means traffic between the two members is only forwarded when a firewall policy allows it:
    config system switch-interface
        edit "test-ssw"
            set vdom "vdom1"
            set member "port7" "test-captive"
            set intra-switch-policy explicit
        next
    end
  5. Create the firewall policy that allows traffic between the switch members in both directions. This example policy is deliberately permissive (all addresses and services); narrow the address and service objects for production use:
    config firewall policy
        edit 1
            set srcintf "test-captive" "port7"
            set dstintf "port7" "test-captive"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat disable
        next
    end
  6. Connect the external DHCP server to the physical interface (port7).
  7. Connect a WiFi client to the tunnel VAP. The client obtains an IP address from the DHCP server across the software switch, is redirected to the captive portal, and can pass traffic once it has authenticated.
  8. Verify that the client appears in the authenticated firewall users list:
    # diagnose firewall auth list 
    10.100.250.250, u1
        src_mac: fc:d8:d0:9a:8b:85
        type: fw, id: 0, duration: 29, idled: 12
        expire: 288, allow-idle: 300
        flag(100): wsso
        packets: in 229 out 162, bytes: in 192440 out 22887
        user_id: 16777218
        group_id: 2
        group_name: wifi
    ----- 1 listed, 0 filtered ------
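The configuration above is only effective if every software switch that bridges a captive-portal SSID was created with intra-switch-policy explicit. The following script, added here as an example and not Fortinet's own code, parses a FortiOS CLI configuration export (the config/edit/set/next/end structure used in the steps above) and reports software switches that bridge a captive-portal VAP, or a system interface with security-mode captive-portal, while leaving intra-switch-policy at its default of implicit. The embedded configuration is constructed for this example; the entry names in it (bad-ssw, lan-ssw, guest-open, port8, port9) are assumptions, not taken from the page.

```python
"""
Audit a FortiOS configuration export for software switches that bridge a
captive-portal SSID without intra-switch-policy explicit.

Added example, not Fortinet code. It assumes the standard FortiOS CLI
config/edit/set/next/end layout. Sub-tables nested inside an edit block are
tracked by name only, which is sufficient for this check.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample config for this example. "test-ssw" matches the page;
# "bad-ssw" bridges the same captive-portal VAP but omits the policy setting.
SAMPLE_CONFIG = """\
config wireless-controller vap
    edit "test-captive"
        set ssid "test-captive"
        set security captive-portal
        set portal-type auth+disclaimer
        set selected-usergroups "wifi-group"
        set schedule "always"
    next
    edit "guest-open"
        set ssid "guest"
        set security open
    next
end
config system switch-interface
    edit "test-ssw"
        set vdom "vdom1"
        set member "port7" "test-captive"
        set intra-switch-policy explicit
    next
    edit "bad-ssw"
        set vdom "vdom1"
        set member "port8" "test-captive"
    next
    edit "lan-ssw"
        set vdom "vdom1"
        set member "port9" "guest-open"
    next
end
"""

Tables = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_fortios(text: str) -> Tables:
    """Return {table name: {entry name: {attribute: [values]}}}."""
    tables: Tables = {}
    table_stack: List[str] = []  # names of open "config" blocks
    entry_stack: List[str] = []  # names of open "edit" blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            table_stack.append(" ".join(args))
        elif keyword == "edit" and table_stack:
            entry_stack.append(args[0])
            tables.setdefault(table_stack[-1], {}).setdefault(args[0], {})
        elif keyword == "set" and table_stack and entry_stack:
            tables[table_stack[-1]][entry_stack[-1]][args[0]] = args[1:]
        elif keyword == "next" and entry_stack:
            entry_stack.pop()
        elif keyword == "end" and table_stack:
            table_stack.pop()
    return tables


def captive_portal_interfaces(tables: Tables) -> set:
    """Names of VAPs and system interfaces that enforce a captive portal."""
    names = set()
    for name, attrs in tables.get("wireless-controller vap", {}).items():
        if attrs.get("security", ["open"])[0] == "captive-portal":
            names.add(name)
    # VLAN sub-interfaces of an SSID carry the portal on the system interface.
    for name, attrs in tables.get("system interface", {}).items():
        if attrs.get("security-mode", ["none"])[0] == "captive-portal":
            names.add(name)
    return names


def find_unenforced_bridges(tables: Tables) -> List[Tuple[str, str, List[str]]]:
    """(switch name, intra-switch-policy, bridged captive-portal members)
    for every software switch where the portal would not be enforced."""
    portal_ifaces = captive_portal_interfaces(tables)
    findings = []
    for name, attrs in tables.get("system switch-interface", {}).items():
        # FortiOS default when the attribute is absent is implicit.
        policy = attrs.get("intra-switch-policy", ["implicit"])[0]
        bridged = sorted(set(attrs.get("member", [])) & portal_ifaces)
        if bridged and policy != "explicit":
            findings.append((name, policy, bridged))
    return findings


if __name__ == "__main__":
    for switch, policy, members in find_unenforced_bridges(parse_fortios(SAMPLE_CONFIG)):
        print(f"{switch}: intra-switch-policy {policy}, bridges captive portal on {members}")
```

Run it against a `show full-configuration` export to audit a unit; only switches whose members include a captive-portal SSID or sub-interface are reported, so an open guest SSID bridged with the default implicit policy (lan-ssw above) is not flagged.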
