Social WiFi Captive Portal with FortiAuthenticator (Google+)

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

WiFi authentication using social media provides access control without having to manually create guest accounts.

This recipe involves configuring an API for Google+ accounts, setting up a social portal RADIUS service on the FortiAuthenticator, and configuring the FortiGate for Captive Portal access.
 
This recipe is similar to the Captive portal WiFi access control recipe, but involves external security mode configuration, RADIUS authentication, and does not include FortiAP registration instructions.
 
Note that some minimal CLI usage is required when configuring the FortiGate.
 
The FortiAuthenticator has been given an example fully qualified domain name (FQDN) — fortiauthenticator.example.com.

1. Configuring the Google+ developer account API

Open a browser and log in to your Google account. In the URL field enter the following:

https://console.developers.google.com

Under Select a project, select Create a project.

Enter a Project name, and accept the Terms of Service before continuing.

Go to APIs & auth > Credentials, and select OAuth 2.0 client ID from the Add credentials dropdown.

When prompted, select Configure consent screen. Enter an Email address and Product name. You must now create the client ID.

Set Application type to Web application. Under Authorized JavaScript origins, enter the FortiAuthenticator FQDN.

Under Authorized redirect URIs, enter the following:

https://fortiauthenticator.example.com/social/complete/google-oauth2/

Note that the FortiAuthenticator needs to be able to access the Internet.

Upon creating the client ID, a window will appear with your client ID and client secret.

Take note of the client ID and client secret as they are required when configuring the Captive Portal on the FortiAuthenticator.

The client ID and client secret can be accessed at any time on the Google developer account, but it may be a good idea to copy them to a secure location.

Go to APIs & auth > APIs > Social APIs, and select Google+ API.

Enable the API.

2. Configuring the social portal RADIUS service on FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > User Groups, and create a Social_Users user group.

Users that log into Google will be placed in this group once it is added to the Captive Portal General Settings.

 

Go to Authentication > RADIUS Service > Clients, and create a new RADIUS client.

Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56).

Enable the Social portal captive portal.

 

Enter the pre-shared Secret and set the Authentication method. The FortiGate will use this secret key in its RADIUS configuration.

Add the Social_Users user group to the Realms group filter as shown.

Select Save and then OK.

 

Next go to Authentication > Captive Portal > General and enable Social Portal.

Configure the account expiry time (in the example it is set to 1 hour).

Set Place registered users into a group to Social_Users.

Enable the Google login option and add your Google key and Google secret.

 

3. Configuring the FortiGate authentication settings

On the FortiGate, go to User & Device > Authentication > RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP and pre-shared secret.

Use the Test Connectivity option with valid credentials to test the connection.

Next, go to User & Device > User > User Groups and create a RADIUS user group called social_users.

Set the Type to Firewall and add the RADIUS server to the Remote groups table.

4. Configuring the FortiGate WiFi settings

Go to WiFi & Switch Controller > WiFi Network > SSID and select the SSID interface.

Under WiFi Settings, set the Security Mode to Captive Portal.

For the Authentication Portal, select External, and enter the FQDN of the FortiAuthenticator, followed by /social_login/.

For this recipe, it is set to:

https://fortiauthenticator.example.com/social_login/

Set User Groups to the social_users group.

5. Configuring the FortiGate to allow access to Google

On the FortiGate, configure firewall addresses to allow users to access the Google login page.

The following step can be performed in the GUI, but may take considerably longer than using the CLI. You can also copy and paste the commands below into the CLI console.

Go to System > Dashboard and enter the CLI Console. Enter the following, which creates the firewall addresses and adds them to a firewall address group called Google_Auth:

config firewall address
   edit "www.googleapis.com"
      set type fqdn
      set fqdn "www.googleapis.com"
   next
   edit "accounts.google.com"
      set type fqdn
      set fqdn "accounts.google.com"
   next
   edit "ssl.gstatic.com"
      set type fqdn
      set fqdn "ssl.gstatic.com"
   next
   edit "fonts.gstatic.com"
      set type fqdn
      set fqdn "fonts.gstatic.com"
   next
   edit "www.gstatic.com"
      set type fqdn
      set fqdn "www.gstatic.com"
   next
   edit "Google_13"
      set subnet 216.58.192.0 255.255.224.0
   next
end
config firewall addrgrp
   edit "Google_Auth"
      set member "ssl.gstatic.com" "accounts.google.com" "www.googleapis.com"
      "fonts.gstatic.com" "www.gstatic.com" "Google_13"
   next
end

Go to Policy & Objects > Policy > IPv4 and create a policy for Google authentication traffic.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to Google_Auth.

Set Service to ALL and enable NAT. Configure Security Profiles accordingly.

Go to System > Dashboard and enter the CLI Console. Add the following to exempt the Google authentication traffic policy from the captive portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

This command allows access to the external Captive Portal.

6. Configuring the FortiGate to allow access to FortiAuthenticator

On the FortiGate, go to Policy & Objects > Objects > Addresses and add the FortiAuthenticator firewall object.

For Subnet/IP Range enter the IP address of the FortiAuthenticator.

Go to Policy & Objects > Policy > IPv4 and create the FortiAuthenticator access policy.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to FortiAuthenticator.

Set Service to ALL and enable NAT.

Add the following to exempt the FortiAuthenticator access policy from the Captive Portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

7. Results

Connect to the WiFi and attempt to browse the Internet. You will be redirected to the Captive Portal splash page.

Select Google and you should be redirected to the Google login page.

Enter valid Google credentials and you will be redirected to the URL initially requested.

You can now browse freely until the social login account expires, as configured on the FortiAuthenticator under Authentication > Captive Portal > General.

To view the authenticated user added on FortiAuthenticator, go to Authentication > User Management > Social Login Users.

You can configure Captive Portal to use other social WiFi logins:

Adam Bristow

Adam Bristow

Technical Writer at Fortinet
Adam Bristow is a Technical Writer working for the FortiOS technical documentation team. He has a Honours Bachelor of Arts in English and Minor in Film Studies and a graduate certificate in Technical Writing from Algonquin College. Stay tuned for more FortiOS Cookbook videos!
Adam Bristow
  • Was this helpful?
  • Yes   No