7.2.0

Configuring Internal Captive Portal (ICP)

The following is the section of the running configuration for the FortiWLC controller that specifies the configuration for ICP. The relevant settings are in bold. For the purposes of our example configuration, VLAN 59 (172.16.59.0/24) is the production network and VLAN 46 (172.16.46.0/24) is the isolation network.

VLAN Definitions

vlan productionVlan tag 59
ip dhcp-server 0.0.0.0
ip address 172.16.59.10 255.255.255.0
ip default-gateway 172.16.59.1
ip dhcp-passthrough
tag 59
owner controller
vlan-version 0
interface FastEthernet controller 1
no ip dhcp-override
exit
vlan isolationVlan tag 46
ip dhcp-server 0.0.0.0
ip address 172.16.46.10 255.255.255.0
ip default-gateway 172.16.46.1
ip dhcp-passthrough
tag 46
owner controller
vlan-version 0
interface FastEthernet controller 1
no ip dhcp-override
exit

Firewall rules:

For unauthenticated users:

qosrule 3000 netprotocol 0 qosprotocol none
firewall-filter-id unauthUser
firewall-filter-id-match on
dstip 172.16.46.2
dstip-match on
dstmask 255.255.255.0
dstport 0
srcip 0.0.0.0
srcmask 0.0.0.0
srcport 0
action forward
droppolicy tail
priority 0
avgpacketrate 0
tokenbucketrate 0
dscp disabled
qosrulelogging off
qosrule-logging-frequency 60
packet-min-length 0
packet-max-length 0
no trafficcontrol
exit
qosrule 3010 netprotocol 0 qosprotocol none
firewall-filter-id unauthUser
firewall-filter-id-match on
dstip 0.0.0.0
dstmask 0.0.0.0
dstport 0
srcip 172.16.46.2
srcip-match on
srcmask 255.255.255.0
srcport 0
action forward
droppolicy tail
priority 0
avgpacketrate 0
tokenbucketrate 0
dscp disabled
qosrulelogging off
qosrule-logging-frequency 60
packet-min-length 0
packet-max-length 0
no trafficcontrol
exit

For authenticated users:

No firewall rules are required for authenticated users; the administrator applies whatever rules they want to restrict access for their registered users. The security profile below refers to these optional rules by the filter id authUser.

Security Profile:

security-profile IntCP
security-version 0
key-rotation disabled
allowed-l2-modes clear
captive-portal webauth
captive-portal-auth-method internal
psk key ""
firewall-capability configured
passthrough-firewall-filter-id unauthUser
firewall-filter-id authUser
security-logging off
owner controller
static-wep key ""
static-wep key-index 1
rekey period 0
group-rekey interval 0
radius-server primary ""
radius-server secondary ""
auth-supplicant-timeout 30
auth-server-timeout 30
auth-max-request 4
pae-max-reauth 4
pae-txperiod 30
no kddi
no shared-authentication
no rekey period
no 8021x-network-initiation
no fast-handoff
no pmk-caching
no reauth
no macfiltering
exit

ESS Profile:

essid Guest
enable
security-profile IntCP
ess-version 0
tunnel-type configured-vlan-only
vlan name productionVlan
gre name ""
multicast-to-unicast-conversion
virtual-port
countermeasure
ap-vlan-tag 0
band-steering-mode disable
band-steering-timeout 5
dataplane tunneled
ssid MC1500-Guest
owner controller
ap-discovery join-ess
ap-discovery join-virtual-ap
publish-essid
publish-essid-vport disabled
beacon dtim-period 1
beacon period 100
supported-tx-rates 802.11b 1
supported-tx-rates 802.11b 2
supported-tx-rates 802.11b 5.5
supported-tx-rates 802.11b 11
supported-tx-rates 802.11a 6
supported-tx-rates 802.11a 9
supported-tx-rates 802.11a 12
supported-tx-rates 802.11a 18
supported-tx-rates 802.11a 24
supported-tx-rates 802.11a 36
supported-tx-rates 802.11a 48
supported-tx-rates 802.11a 54
supported-tx-rates 802.11an 6
supported-tx-rates 802.11an 9
supported-tx-rates 802.11an 12
supported-tx-rates 802.11an 18
supported-tx-rates 802.11an 24
supported-tx-rates 802.11an 36
supported-tx-rates 802.11an 48
supported-tx-rates 802.11an 54
supported-tx-rates 802.11an-mcs 0
supported-tx-rates 802.11an-mcs 1
supported-tx-rates 802.11an-mcs 2
supported-tx-rates 802.11an-mcs 3
supported-tx-rates 802.11an-mcs 4
supported-tx-rates 802.11an-mcs 5
supported-tx-rates 802.11an-mcs 6
supported-tx-rates 802.11an-mcs 7
supported-tx-rates 802.11an-mcs 8
supported-tx-rates 802.11an-mcs 9
supported-tx-rates 802.11an-mcs 10
supported-tx-rates 802.11an-mcs 11
supported-tx-rates 802.11an-mcs 12
supported-tx-rates 802.11an-mcs 13
supported-tx-rates 802.11an-mcs 14
supported-tx-rates 802.11an-mcs 15
supported-tx-rates 802.11an-mcs 16
supported-tx-rates 802.11an-mcs 17
supported-tx-rates 802.11an-mcs 18
supported-tx-rates 802.11an-mcs 19
supported-tx-rates 802.11an-mcs 20
supported-tx-rates 802.11an-mcs 21
supported-tx-rates 802.11an-mcs 22
supported-tx-rates 802.11an-mcs 23
supported-tx-rates 802.11g 6
supported-tx-rates 802.11g 9
supported-tx-rates 802.11g 12
supported-tx-rates 802.11g 18
supported-tx-rates 802.11g 24
supported-tx-rates 802.11g 36
supported-tx-rates 802.11g 48
supported-tx-rates 802.11g 54
supported-tx-rates 802.11bg 1
supported-tx-rates 802.11bg 2
supported-tx-rates 802.11bg 5.5
supported-tx-rates 802.11bg 11
supported-tx-rates 802.11bg 6
supported-tx-rates 802.11bg 9
supported-tx-rates 802.11bg 12
supported-tx-rates 802.11bg 18
supported-tx-rates 802.11bg 24
supported-tx-rates 802.11bg 36
supported-tx-rates 802.11bg 48
supported-tx-rates 802.11bg 54
supported-tx-rates 802.11bgn 1
supported-tx-rates 802.11bgn 2
supported-tx-rates 802.11bgn 5.5
supported-tx-rates 802.11bgn 11
supported-tx-rates 802.11bgn 6
supported-tx-rates 802.11bgn 9
supported-tx-rates 802.11bgn 12
supported-tx-rates 802.11bgn 18
supported-tx-rates 802.11bgn 24
supported-tx-rates 802.11bgn 36
supported-tx-rates 802.11bgn 48
supported-tx-rates 802.11bgn 54
supported-tx-rates 802.11bgn-mcs 0
supported-tx-rates 802.11bgn-mcs 1
supported-tx-rates 802.11bgn-mcs 2
supported-tx-rates 802.11bgn-mcs 3
supported-tx-rates 802.11bgn-mcs 4
supported-tx-rates 802.11bgn-mcs 5
supported-tx-rates 802.11bgn-mcs 6
supported-tx-rates 802.11bgn-mcs 7
supported-tx-rates 802.11bgn-mcs 8
supported-tx-rates 802.11bgn-mcs 9
supported-tx-rates 802.11bgn-mcs 10
supported-tx-rates 802.11bgn-mcs 11
supported-tx-rates 802.11bgn-mcs 12
supported-tx-rates 802.11bgn-mcs 13
supported-tx-rates 802.11bgn-mcs 14
supported-tx-rates 802.11bgn-mcs 15
supported-tx-rates 802.11bgn-mcs 16
supported-tx-rates 802.11bgn-mcs 17
supported-tx-rates 802.11bgn-mcs 18
supported-tx-rates 802.11bgn-mcs 19
supported-tx-rates 802.11bgn-mcs 20
supported-tx-rates 802.11bgn-mcs 21
supported-tx-rates 802.11bgn-mcs 22
supported-tx-rates 802.11bgn-mcs 23
base-tx-rates 802.11b 11
base-tx-rates 802.11a 6
base-tx-rates 802.11a 12
base-tx-rates 802.11a 24
base-tx-rates 802.11an 6
base-tx-rates 802.11an 12
base-tx-rates 802.11an 24
base-tx-rates 802.11g 6
base-tx-rates 802.11g 9
base-tx-rates 802.11g 12
base-tx-rates 802.11g 18
base-tx-rates 802.11g 24
base-tx-rates 802.11g 36
base-tx-rates 802.11g 48
base-tx-rates 802.11g 54
base-tx-rates 802.11bg 11
base-tx-rates 802.11bgn 11
accounting interim-interval 3600
accounting primary-radius ""
accounting secondary-radius ""
overflow-from ""
no multicast-enable
no silent-client-enable
no multiple-ip-per-station
no expedited-forward-override
no wmm-support
no apsd-support
no multicast-mac-transparency
no ap-vlan-priority
ess-ap 3 1
calls-per-bss 0
exit
ess-ap 1 1
calls-per-bss 0
exit
ess-ap 1 2
calls-per-bss 0
exit
exit

SNMP

snmp-server community public 192.168.5.242 rw
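As an added review check (example code written for this page, not Fortinet's or FortiWLC's own), the following Python parses exit-terminated blocks of a running config like the one above and flags three things a reviewer would question: a passthrough rule for unauthenticated users that does not touch the isolation network 172.16.46.0/24 on either side, a firewall-filter-id referenced by the security profile with no qosrule behind it, and an SNMP community that uses a default name or rw access. The embedded config is a constructed, trimmed copy of this page's configuration; a rule side that is not specified is treated as 0.0.0.0/0, matching the explicit defaults shown above.

```python
import ipaddress, re

# Constructed excerpt of the running config shown above (rate and timer lines dropped).
SAMPLE_CONFIG = """\
qosrule 3000 netprotocol 0 qosprotocol none
firewall-filter-id unauthUser
dstip 172.16.46.2
dstmask 255.255.255.0
exit
security-profile IntCP
passthrough-firewall-filter-id unauthUser
firewall-filter-id authUser
exit
snmp-server community public 192.168.5.242 rw
"""

def parse_blocks(text):
    """Return (header, {key: value}) per block; blocks end with 'exit', one-line snmp-server statements do not."""
    blocks = []
    for chunk in re.split(r"^exit$", text, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        while lines and lines[0].startswith("snmp-server"):
            blocks.append((lines.pop(0), {}))
        if lines:
            blocks.append((lines[0], dict(l.partition(" ")[::2] for l in lines[1:])))
    return blocks

def in_isolation(rule, side, isolation=ipaddress.ip_network("172.16.46.0/24")):
    """True when the rule's src/dst address+mask lies inside the isolation network (VLAN 46 on this page); a missing side means any."""
    net = ipaddress.ip_network((rule.get(side + "ip", "0.0.0.0"), rule.get(side + "mask", "0.0.0.0")), strict=False)
    return net.subnet_of(isolation)

def audit(text):
    """Return review findings for the ICP-related parts of a FortiWLC running config."""
    blocks, findings, rules = parse_blocks(text), [], {}
    for header, body in blocks:
        if header.startswith("qosrule"):
            rules.setdefault(body["firewall-filter-id"], []).append((header.split()[1], body))
    for header, prof in blocks:
        if header.startswith("snmp-server community"):
            if header.split()[2] in ("public", "private") or header.endswith(" rw"):
                findings.append(f"snmp: default community or rw access: {header}")
        elif header.startswith("security-profile"):
            for rid, rule in rules.get(prof.get("passthrough-firewall-filter-id"), []):
                if not (in_isolation(rule, "src") or in_isolation(rule, "dst")):
                    findings.append(f"qosrule {rid}: pre-auth rule does not involve the isolation network")
            auth = prof.get("firewall-filter-id")
            if auth and auth not in rules:
                findings.append(f"filter {auth}: no qosrule defined, authenticated users are unrestricted")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the undefined authUser filter and the public rw SNMP community, while rule 3000 passes because its destination lies inside the isolation network.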
