Example: Captive portal WiFi access with FortiToken-200
In this scenario, you will enforce two-factor authentication for WiFi users who have FortiToken-200 devices through a captive portal. FortiToken-200 users who attempt to browse the internet will be redirected to the captive portal login page and asked to enter their username, password, and six-digit authentication code.
This scenario assumes that you already have a FortiAP unit connected and authorized with FortiGate, and that the SSID has been set up and configured to use captive portal.
This configuration is designed for a FortiToken-200 physical key generator. See step 2 for information about using FortiToken Mobile.
-
1. Add the FortiToken:
-
In FortiGate, go to User & Authentication > FortiTokens and click Create New.
-
Set Type to Hard Token, enter the FortiToken Serial Number, and click OK. The serial number, located on the back of the FortiToken device, is case sensitive. Note that the token can only be registered to one device.
-
-
2. Edit the user and assign the FortiToken:
-
Go to User & Authentication > User Definition and edit the user (
rgreen). -
Enable Two-factor Authentication, set AuthenticationType to FortiToken, and select the token in the Token field.
-
Enable User Group and select the captive portal user group (
employees). -
Click OK to save these changes.
If the user has FortiToken Mobile, the user's contact information must be included so that the FortiToken code can be sent to the user via email or SMS. -
-
3. Check your results:
-
When a user attempts to browse the internet, they are redirected to the captive portal login screen.
-
Members of the FortiToken group must enter their username and password and are redirected to a screen requiring them to enter their token code. They retrieve the code by pressing the button on their FortiToken device. Once the code is successfully entered, the user is redirected to the URL originally requested.
-
In FortiGate, go to Dashboard > Users & Devices to verify that the user is authenticated.
-