Social WiFi Captive Portal with FortiAuthenticator (Facebook)

WiFi authentication using social media provides access control without having to manually create guest accounts.

This recipe involves configuring an API for Facebook accounts, setting up a social portal RADIUS service on the FortiAuthenticator, and configuring the FortiGate for Captive Portal access.

This recipe is similar to the Captive portal WiFi access control recipe, but it uses external security mode configuration and RADIUS authentication, and it does not include FortiAP registration instructions.

Note that some CLI usage is required when configuring the FortiGate.

The FortiAuthenticator has been given the example fully qualified domain name (FQDN) fortiauthenticator.example.com.

1. Configuring the Facebook developer account API

Open a browser and log in to your Facebook account.

In the URL field enter the following:

https://developers.facebook.com/products/login/

Select My Apps and select Register as Developer.

Confirm your Facebook password to continue.

Select that you have read and agree to the Facebook Platform and Facebook Privacy policies, and select Next to continue.

Enter your phone number and select to have your confirmation code sent to you via text (you may also choose to verify via phone call).

Once received, enter the code and select Register to continue. You will now be registered as a Facebook developer.

Next, select the Website platform to add a new app.

Enter a name for the website, and select Create New Facebook App ID.

Select Communication from the dropdown Category menu, and select Create App ID.

Scroll down to the bottom of the page and enter the site’s URL, then select Next. Scroll back up to the top of the page, and select Skip Quick Start.

To confirm the configuration, go to Settings > Basic. From here you can see your App ID, App Secret, Display Name, and Site URL.

Take note of the App ID and App Secret as they are required when configuring the Captive Portal on the FortiAuthenticator.

Make sure to enter a Contact Email as it is required before you can make your application live to the public.

Next you must add the FortiAuthenticator as an OAuth2 client.

Go to Settings > Advanced.

Under Security, enter the Server IP Whitelist.

Note that the server IP whitelist must include the public IP address(es) of the FortiAuthenticator — this is the NAT IP address the FortiAuthenticator uses to reach the Internet.

Next, go to App Review and enable the application — the account needs to be made “live” before WiFi users can successfully authenticate through Facebook.

The App ID and App Secret can be accessed at any time on the Facebook developer account, but it may be a good idea to copy them to a secure location.

2. Configuring the social portal RADIUS service on FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > User Groups, and create a Social_Users user group.

Users that log into Facebook will be placed in this group once it is added to the Captive Portal General Settings.

Go to Authentication > RADIUS Service > Clients, and create a new RADIUS client.

Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56).

Enable the Social portal captive portal.

Enter the pre-shared Secret and set the Authentication method. The FortiGate will use this secret key in its RADIUS configuration.

Add the Social_Users user group to the Realms group filter as shown.

Select Save and then OK.

Next go to Authentication > Captive Portal > General and enable Social Portal.

Configure the account expiry time (in the example it is set to 1 hour).

Set Place registered users into a group to Social_Users.

Enable the Facebook login option and add your Facebook key and Facebook secret.

3. Configuring the FortiGate authentication settings

On the FortiGate, go to User & Device > Authentication > RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP and pre-shared secret.

Use the Test Connectivity option with valid credentials to test the connection.

Next, go to User & Device > User > User Groups and create a RADIUS user group called social_users.

Set the Type to Firewall and add the RADIUS server to the Remote groups table.

4. Configuring the FortiGate WiFi settings

Go to WiFi & Switch Controller > WiFi Network > SSID and select the SSID interface.

Under WiFi Settings, set the Security Mode to Captive Portal.

For the Authentication Portal, select External, and enter the FQDN of the FortiAuthenticator, followed by /social_login/.

For this recipe, it is set to:

https://fortiauthenticator.example.com/social_login/

Set User Groups to the social_users group.

5. Configuring the FortiGate to allow access to Facebook

On the FortiGate, configure firewall addresses to allow users to access the Facebook login page.

The following step can be performed in the GUI, but may take considerably longer than using the CLI. You can also copy and paste the commands below into the CLI console.

Go to System > Dashboard and enter the CLI Console. Enter the following, which creates the firewall addresses and adds them to a firewall address group called Facebook_Auth. Note that the group's member list also names the FortiAuthenticator address object, which is created in step 6; create that object first (or leave it out of the member list until then), because the FortiGate rejects a group member that does not yet exist:

config firewall address
   edit "FB0"
      set subnet 5.178.32.0 255.255.240.0
   next
   edit "FB1"
      set subnet 195.27.154.0 255.255.255.0
   next
   edit "FB2"
      set subnet 80.150.154.0 255.255.255.0
   next
   edit "FB3"
      set subnet 77.67.96.0 255.255.252.0
   next
   edit "FB4"
      set subnet 212.119.27.0 255.255.255.128
   next
   edit "FB5"
      set subnet 2.16.0.0 255.248.0.0
   next
   edit "FB6"
      set subnet 66.171.231.0 255.255.255.0
   next
   edit "FB7"
      set subnet 31.13.24.0 255.255.248.0
   next
   edit "FB8"
      set subnet 31.13.64.0 255.255.192.0
   next
   edit "FB9"
      set subnet 23.67.246.0 255.255.255.0
   next
   edit "akamai-subnet-23.74.8"
      set subnet 23.74.8.0 255.255.255.0
   next
   edit "akamai-subnet-23.74.9"
      set subnet 23.74.9.0 255.255.255.0
   next
   edit "external.fcgr1-1.fna.fbcdn.net"
      set type fqdn
      set fqdn "external.fcgr1-1.fna.fbcdn.net"
   next
   edit "scontent.xx.fbcdn.net"
      set type fqdn
      set fqdn "scontent.xx.fbcdn.net"
   next
   edit "akamaihd.net"
      set type fqdn
      set fqdn "akamaihd.net"
   next
   edit "channel-proxy-06-frc1.facebook.com"
      set type fqdn
      set fqdn "channel-proxy-06-frc1.facebook.com"
   next
   edit "code.jquery.com"
      set type fqdn
      set fqdn "code.jquery.com"
   next
   edit "connect.facebook.com"
      set type fqdn
      set fqdn "connect.facebook.com"
   next
   edit "fbcdn-photos-c-a.akamaihd.net"
      set type fqdn
      set fqdn "fbcdn-photos-c-a.akamaihd.net"
   next
   edit "fbcdn-profile-a.akamaihd.net"
      set type fqdn
      set fqdn "fbcdn-profile-a.akamaihd.net"
   next
   edit "fbexternal-a.akamaihd.net"
      set type fqdn
      set fqdn "fbexternal-a.akamaihd.net"
   next
   edit "fbstatic-a.akamaihd.net"
      set type fqdn
      set fqdn "fbstatic-a.akamaihd.net"
   next
   edit "m.facebook.com"
      set type fqdn
      set fqdn "m.facebook.com"
   next
   edit "ogp.me"
      set type fqdn
      set fqdn "ogp.me"
   next
   edit "s-static.ak.facebook.com"
      set type fqdn
      set fqdn "s-static.ak.facebook.com"
   next
   edit "static.ak.facebook.com"
      set type fqdn
      set fqdn "static.ak.facebook.com"
   next
   edit "static.ak.fbcdn.com"
      set type fqdn
      set fqdn "static.ak.fbcdn.com"
   next
   edit "web_ext_addr_SocialWiFi"
      set type fqdn
      set fqdn "web_ext_addr_SocialWiFi"
   next
   edit "www.facebook.com"
      set type fqdn
      set fqdn "www.facebook.com"
   next
end
config firewall addrgrp
   edit "Facebook_Auth"
      set member "FB0" "FB1" "FB2" "FB3" "FB4" "FB5" "FB6" "FB7" "FB8" "FB9" "akamai-subnet-23.74.8" "akamai-subnet-23.74.9" "akamaihd.net" "channel-proxy-06-frc1.facebook.com" "code.jquery.com" "connect.facebook.com" "fbcdn-photos-c-a.akamaihd.net" "fbcdn-profile-a.akamaihd.net" "fbexternal-a.akamaihd.net" "fbstatic-a.akamaihd.net" "m.facebook.com" "ogp.me" "s-static.ak.facebook.com" "static.ak.facebook.com" "static.ak.fbcdn.com" "web_ext_addr_SocialWiFi" "www.facebook.com" "FortiAuthenticator"
   next
end
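As an added pre-flight check (example code written for this page, not part of the recipe or of any Fortinet tool), the following Python parses a block in the CLI layout above and reports group members that name no defined address object and FQDN objects whose value is not a hostname, the two slips most likely to make a paste fail or leave a dead entry. The embedded sample configuration is constructed, and the member list deliberately contains a misspelled object name and an object defined only in a later step.

```python
import re
# Constructed sample in the page's FortiOS CLI layout, seeded with two slips the check
# catches before pasting: a member that matches no address object, and a non-hostname FQDN.
SAMPLE_CONFIG = """
config firewall address
   edit "FB0"
      set subnet 5.178.32.0 255.255.240.0
   next
   edit "www.facebook.com"
      set type fqdn
      set fqdn "www.facebook.com"
   next
   edit "web_ext_addr_SocialWiFi"
      set type fqdn
      set fqdn "web_ext_addr_SocialWiFi"
   next
end
config firewall addrgrp
   edit "Facebook_Auth"
      set member "FB0" "akamaisubnet-23.74.8" "www.facebook.com" "FortiAuthenticator"
   next
end
"""
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_config(text):
    # address name -> fqdn string (None for subnet objects); group name -> member names
    addresses, groups, table, current = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        quoted = re.findall(r'"([^"]*)"', line)
        if line.startswith("config firewall "):
            table = line.split()[-1]            # "address", "addrgrp", or another table
        elif line.startswith("edit ") and table in ("address", "addrgrp"):
            current = quoted[0]
            (addresses if table == "address" else groups).setdefault(current, None)
        elif line.startswith("set fqdn ") and table == "address":
            addresses[current] = quoted[0]
        elif line.startswith("set member ") and table == "addrgrp":
            groups[current] = quoted
    return addresses, groups

def check_config(text):
    # Findings that would make the paste fail or leave an object that never resolves.
    addresses, groups = parse_config(text)
    findings = [f'{name}: fqdn "{fqdn}" is not a valid hostname'
                for name, fqdn in addresses.items() if fqdn and not HOSTNAME_RE.match(fqdn)]
    for group, members in groups.items():
        findings += [f'{group}: member "{m}" is not a defined address object'
                     for m in members or [] if m not in addresses]
    return findings
```

Run check_config over the real block before pasting it; an empty list means every member resolves to an object in the same paste and every FQDN object carries a resolvable name.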

Go to Policy & Objects > Policy > IPv4 and create a policy for Facebook authentication traffic.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to Facebook_Auth.

Set Service to ALL and enable NAT. Configure Security Profiles accordingly.

Once created, note the policy’s ID using the ID column.

Go to System > Dashboard and enter the CLI Console. Using the policy’s ID, add the following to exempt the Facebook authentication traffic policy from the captive portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

This exemption lets clients that have not yet authenticated reach the Facebook_Auth destinations, which the external Captive Portal login flow needs in order to load the Facebook login page. Because the policy's Source Address is all, every client on the SSID can reach those destinations before authenticating.

6. Configuring the FortiGate to allow access to FortiAuthenticator

On the FortiGate, go to Policy & Objects > Objects > Addresses and add the FortiAuthenticator firewall object.

For Subnet/IP Range enter the IP address of the FortiAuthenticator.

Go to Policy & Objects > Policy > IPv4 and create the FortiAuthenticator access policy.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to FortiAuthenticator.

Set Service to ALL and enable NAT.

Once created, note the policy’s ID using the ID column.

Using the policy’s ID, add the following to exempt the FortiAuthenticator access policy from the Captive Portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

7. Results

Connect to the WiFi and attempt to browse the Internet. You will be redirected to the Captive Portal splash page.

Select Facebook and you should be redirected to the Facebook login page.

Enter valid Facebook credentials and you will be redirected to the URL initially requested.

You can now browse freely until the social login account expires, as configured on the FortiAuthenticator under Authentication > Captive Portal > General.

To view the authenticated user added on FortiAuthenticator, go to Authentication > User Management > Social Login Users.

You can configure Captive Portal to use other social WiFi logins:

Adam Bristow
Technical Writer at Fortinet

  • Abdulaziz Alatar

    Hello,
    I want to ask you if I can make a social WiFi captive portal with a RADIUS server on Linux, without FortiAuthenticator?

    • Adam Bristow

      Hello Abdulaziz,

      Unfortunately I’m not sure if I can answer your question as it’s outside our scope, being unrelated to Fortinet products. However, after searching online, there does seem to be a wealth of articles that may be useful to you.

      I would suggest you make sure that whatever social platform you’re using (i.e. Facebook, Twitter, etc.) is supported by RADIUS.

      Regards,

      Adam

      • Abdulaziz Alatar

        thank you very much

  • Brian Perry Ortanez

    Hi,

    Under the developer account API config, Server IP whitelist: is it possible to leave it blank or provide ANY address? We are load balancing across different ISPs (a mix of ones with a public IP and without) and the FAC may send requests using links without a public IP.

  • Steven Polley

    It would be nice if instead of just providing user credentials in the captive portal it had functionality to verify the user liked a page. This has been requested by one of my clients and I’m looking into options for this, out of the box functionality from Fortinet would be great.

    • Adam Bristow

      Hello Steven,

      This is indeed an interesting feature that would be useful.
      I’ve since contacted the product manager for FortiAuthenticator to see if this functionality is/will be achievable.

      Thank you for your comment!

      Regards,

      Adam

  • Rodrigo Pissin

    Hi Adam,

    With this list the Facebook authentication page is malformed. Please add these URLs to the Facebook_Auth list so it looks right.
    external.fcgr1-1.fna.fbcdn.net
    scontent.xx.fbcdn.net

    • Adam Bristow

      Rodrigo,

      Thank you for contributing this information to keep the recipe up to date and relevant. It’s very much appreciated!

      Regards,

      Adam

  • Yves Janssens

    Is my statement correct that by doing so you need to allow access to Facebook even without authentication? Looking at the policy no authentication is required for Facebook itself. Hence everyone can use Facebook without authentication.

    Is there no way to limit this access only to the authentication portal?

  • Ahmed Abdelsalam

    Thanks for your support, but due to step “5. Configuring the FortiGate to allow access to Facebook” the Facebook sites will be allowed for all users, and some users are working on Facebook without authentication.

  • Hassaan Mustafa

    Hi, is it possible to configure SSO with the help of the social login captive portal along with SMS authentication? Additionally, can you please confirm whether any licenses are required for using the SMS feature of FortiAuthenticator? I am planning to use a 3rd party SMS gateway as the second factor of authentication and Facebook as the first. Facebook authentication is working fine, but I can’t get the SMS configuration working. Additionally, my VM is showing a “no license” error when I try to use the SMS service. Kindly help.

    • Adam Bristow

      Hello Hassaan,

      Thank you for your question!

      It is indeed possible to configure social Captive Portal with SMS authentication – see the related recipe here:
      http://cookbook.fortinet.com/social-wifi-captive-portal-with-fortiauthenticator-form-based/
      It is entitled “Form-based” as the user has to fill out form entries/fields, such as their SMS mobile number and/or their email address, as part of their authentication.

      If you follow the recipe I linked above perhaps it will solve the issues you are having with your 3rd party SMS solution.

      Regards,

      Adam

      • Hassaan Mustafa

        Thank you so much buddy. It’s great.