Captive portal WiFi access control


In this recipe, you will configure the FortiGate for captive portal access so users can log on to your WiFi network.

You will create a user account (rgreen), add it to a user group (employees), create a captive portal SSID (example-staff), and configure a FortiAP unit. When the user attempts to browse the Internet, they will be redirected to the captive portal login page and asked to enter their username and password.

1. Enabling HTTPS authentication

Go to User & Device > Authentication Settings.

Under Protocol Support, enable Redirect HTTP Challenge to a Secure Channel (HTTPS). This will make sure that user credentials are communicated securely through the captive portal.

2. Creating the user

Go to User & Device > User Definition and create a Local user (rgreen).

Create additional users if needed, and assign any authentication methods.

3. Creating the user group

Go to User & Device > User Groups and create a user group (employees).

Add rgreen to the group.

4. Creating the SSID

Go to WiFi & Switch Controller > SSID and configure the wireless network.

Enter an Interface Name (example-wifi) and IP/Network Mask.

An address range under DHCP Server will be automatically configured.

Under WiFi Settings, enter an SSID name (example-staff), set Security Mode to Captive Portal, and add the employees user group.

5. Creating the security policy

Go to Policy & Objects > Addresses and create a new address for the SSID (example-wifi-net).

Set Subnet/IP Range to the same range set on the DHCP server in the previous step.

Set Interface to the SSID interface.

Go to Policy & Objects > IPv4 Policy and create a new policy for WiFi users to connect to the Internet.

Add both the example-wifi-net address and employees user group to Source.

6. Connecting and authorizing the FortiAP

Go to Network > Interfaces and edit an available interface.

Under Address, set Addressing mode to Dedicated to Extension Device and assign it an IP address.

Connect the FortiAP unit to the configured interface, then go to WiFi & Switch Controller > Managed FortiAPs.

The FortiAP is listed, but its State shows a greyed-out question mark — this is because it is waiting for authorization.

Highlight the FortiAP and select Authorize.

The question mark is now replaced by a red down-arrow — this is because it is authorized, but still offline.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile.

For each radio, enable Radio Resource Provision and select your SSID.

Go back to WiFi & Switch Controller > Managed FortiAPs to verify that the FortiAP unit is online.
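The FortiGate side of steps 1 to 5 as it would be entered from the FortiOS CLI, added here as an example and not part of the original recipe. The Internet-facing interface name (wan1), the SSID subnet (10.10.80.0/24) and the password placeholder are assumptions; the DHCP server the GUI creates in step 4 and the FortiAP work in step 6 are left to the GUI.

```fortios
# Added example, not the recipe's own CLI. Assumptions: wan1 is the Internet
# interface, 10.10.80.0/24 is the SSID subnet, the password is a placeholder.
# Step 1: redirect the HTTP challenge to HTTPS
config user setting
    set auth-secure-http enable
end
# Steps 2 and 3: local user and the group the portal authenticates against
config user local
    edit "rgreen"
        set type password
        set passwd "<rgreen-password>"
    next
end
config user group
    edit "employees"
        set member "rgreen"
    next
end
# Step 4: SSID interface in captive-portal mode, limited to the group
config wireless-controller vap
    edit "example-wifi"
        set ssid "example-staff"
        set security captive-portal
        set selected-usergroups "employees"
    next
end
config system interface
    edit "example-wifi"
        set ip 10.10.80.1 255.255.255.0
    next
end
# Step 5: address object for the SSID subnet and the policy that uses it
config firewall address
    edit "example-wifi-net"
        set subnet 10.10.80.0 255.255.255.0
        set associated-interface "example-wifi"
    next
end
config firewall policy
    edit 0
        set srcintf "example-wifi"
        set dstintf "wan1"
        set srcaddr "example-wifi-net"
        set dstaddr "all"
        set groups "employees"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Because both the address object and the employees group are in Source, traffic from the SSID subnet is only accepted once the client has authenticated through the portal as a group member.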

7. Results

When a user attempts to connect to the wireless network, they will be redirected to the captive portal login screen.

Members of the employees group must enter their Username and Password. The user will then be redirected to the URL originally requested.

On the FortiGate, go to Monitor > WiFi Client Monitor to verify that the user is authenticated.
Adam Bristow

Technical Writer at Fortinet
Adam Bristow is a Technical Writer working for the FortiOS technical documentation team. He has a Honours Bachelor of Arts in English and Minor in Film Studies and a graduate certificate in Technical Writing from Algonquin College. Stay tuned for more FortiOS Cookbook videos!
Some FortiGate models may show the GUI path as WiFi & Switch Controller.
  • Miguel Angel Naveda Zavaleta

    Is there a way to config this with third brand AP or Wired Networks?

    • Victoria Martin

      Hi Miguel,

      The wireless controller on a FortiGate can only manage FortiAPs. However, you can use a Captive Portal on wired networks by editing the FortiGate interface connected to that network and setting Security Mode to Captive Portal.

  • alcg

    Hi, for how long is the authentication valid? I mean, for how long can the user browse before the captive portal shows up again? Is this a configurable value? Thanks

    • Kerrie Newton

      Hello,

      By default the maximum authentication session is 24 hours (1440 minutes).

      The timeout period is configurable via the CLI:

      config user setting
          set auth-timeout <minutes>
          set auth-timeout-type {idle-timeout | hard-timeout | new-session}
      end

      Technical Note: Explanation of auth-timeout types for Firewall authentication users
      http://kb.fortinet.com/kb/documentLink.do?externalID=FD37221

      Regards,
      Kerrie

  • Thomas Texier

    Hello,

    Could you explain how to transmit the password through HTTPS please?
    Thanks.

    Regards,

    • Adam Bristow

      Hello Thomas,

      Could you clarify exactly what you are asking? I’m not sure I understand your question.

      Regards,

      Adam

      • Thomas Texier

        Hi,

        I mean when people enter their login/password on the captive portal, it is posted as HTTP, not HTTPS.

        Since the connection to the wireless network is open, anyone could capture the password.

        Regards,

        • Adam Bristow

          Hello Thomas,

          Thank you – I believe I have found a solution to this problem.
          In the FortiGate, go to User & Device > Authentication Settings, and make sure Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled.
          Upon testing, this has opened the Captive Portal with HTTPS.

          Regards,

          Adam

          • Thomas Texier

            Hi,

            I can’t test right now but the problem with that way is that people will be redirected to the WiFi FortiGate’s IP and they’ll get an HTTPS warning since the FortiGate won’t be able to present a certificate with the corresponding CN trusted by the clients.

            There should be a way to specify a FQDN to use and configure an appropriate certificate. Since it’s possible to have multiple WiFi networks, we would need to specify the FQDN and certificate to use per WiFi SSID.

            Regards,

          • Adam Bristow

            Hello,

            There is a way you can specify an FQDN, however it would be outside the scope of this recipe. It involves configuring a FortiAuthenticator device as a RADIUS server, through which users are granted authentication. We have a recipe related to this below:
            http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/

            In Step 3, you set the Authentication Portal to External, rather than Local, and enter the FortiAuthenticator’s FQDN. This is the URL that users will navigate to for the captive portal.

            I hope this is helpful, otherwise I’d recommend contacting Fortinet Customer Service & Support:
            https://support.fortinet.com/

            Regards,

            Adam