Social WiFi Captive Portal with FortiAuthenticator (Form-based)


WiFi authentication using a forms-based portal provides access control without having to manually create guest accounts.

This recipe involves setting up a social portal RADIUS service on the FortiAuthenticator, and configuring the FortiGate for Captive Portal access, allowing users to log in to the WiFi network using either SMS or e-mail self-registration.

This recipe is similar to the Captive portal WiFi access control recipe, but involves RADIUS authentication, and does not include FortiAP registration instructions.

1. Configuring the social portal RADIUS service on FortiAuthenticator

Go to Authentication > User Management > User Groups, and create a Social_Users user group.

Users that log in through the forms-based authentication method will be placed in this group once it is added to the Captive Portal General Settings. 

Go to Authentication > RADIUS Service > Clients, and create a new RADIUS client.

Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56).

Enable the Social portal captive portal.


Enter the pre-shared Secret and set the Authentication method. The FortiGate will use this secret key in its RADIUS configuration.

Add the Social_Users user group to the Realms group filter as shown.

Select Save and then OK.

Next go to Authentication > Captive Portal > General and enable Social Portal.

Configure the account expiry time (in the example it is set to 1 hour).

Set Place registered users into a group to Social_Users.

Enable the SMS self-registration and e-mail self-registration login options. Be sure SMS gateway is set to Use default.

2. Configuring the FortiGate authentication settings

On the FortiGate, go to User & Device > Authentication > RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP and pre-shared secret.

Use the Test Connectivity option with valid credentials to test the connection.

Next, go to User & Device > User > User Groups and create a RADIUS user group called social_users.

Set the Type to Firewall and add the RADIUS server to the Remote groups table.

3. Configuring the FortiGate WiFi settings

Go to WiFi & Switch Controller > WiFi Network > SSID and select the SSID interface.

Under WiFi Settings, set the Security Mode to Captive Portal.

For the Authentication Portal, select External, and enter the FQDN of the FortiAuthenticator, followed by /social_login/.

For this recipe, it is set to:

https://fortiauthenticator.example.com/social_login/

Set User Groups to the social_users group.

4. Configuring the FortiGate to allow access to FortiAuthenticator

On the FortiGate, go to Policy & Objects > Objects > Addresses and add the FortiAuthenticator firewall object.

For Subnet/IP Range enter the IP address of the FortiAuthenticator.

Go to Policy & Objects > Policy > IPv4 and create the FortiAuthenticator access policy.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to FortiAuthenticator.

Set Service to ALL and enable NAT.

Add the following to exempt the FortiAuthenticator access policy from the Captive Portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

This setting exempts the policy from the Captive Portal, so clients that have not yet authenticated can reach the external portal on the FortiAuthenticator; without it, the redirect itself would be intercepted.
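The FortiGate side of steps 2 to 4 can also be entered from the CLI. The following is an added example written for this page, not configuration taken from the recipe or from Fortinet. It follows the object names the recipe uses (social_users, FortiAuthenticator, the /social_login/ URL); the FortiAuthenticator IP address, the shared secret, the SSID interface name and the WAN interface name are not given on the page and appear as angle-bracket placeholders. Lines beginning with # are explanatory comments.

```fortios
# Step 2: RADIUS server object for the FortiAuthenticator.
# <fortiauthenticator_ip> and <shared_secret> are placeholders; the secret
# must be the same one entered on the FortiAuthenticator RADIUS client.
config user radius
    edit "FortiAuthenticator"
        set server "<fortiauthenticator_ip>"
        set secret <shared_secret>
    next
end

# Step 2: firewall user group whose membership is decided by the RADIUS
# server (equivalent to adding the server under Remote groups in the GUI).
config user group
    edit "social_users"
        set group-type firewall
        set member "FortiAuthenticator"
    next
end

# Step 3: SSID set to Captive Portal security with the external portal URL.
# <ssid_interface> is a placeholder for the SSID interface name.
config wireless-controller vap
    edit "<ssid_interface>"
        set security captive-portal
        set external-web "https://fortiauthenticator.example.com/social_login/"
        set selected-usergroups "social_users"
    next
end

# Step 4: address object for the FortiAuthenticator (single host).
config firewall address
    edit "FortiAuthenticator"
        set subnet <fortiauthenticator_ip> 255.255.255.255
    next
end

# Step 4: policy that lets unauthenticated WiFi clients reach the portal.
# "edit 0" lets the FortiGate assign the next free policy ID, and
# captive-portal-exempt is the setting the recipe adds by hand.
config firewall policy
    edit 0
        set name "FortiAuthenticator access"
        set srcintf "<ssid_interface>"
        set dstintf "<wan_interface>"
        set srcaddr "all"
        set dstaddr "FortiAuthenticator"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set captive-portal-exempt enable
    next
end
```

Because this policy is NATed, the source address the FortiAuthenticator sees for RADIUS and portal traffic is the FortiGate's own interface address, which is why the RADIUS client created in step 1 is keyed on the FortiGate's IP (172.20.121.56 in the recipe) rather than on the WiFi client subnet.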

5. Results

Connect to the WiFi and attempt to browse the Internet. You will be redirected to the Captive Portal splash page.

Select Form-based and you should be redirected to the Form-based authentication login page.

Select your preferred Verification method, enter valid credentials, and select Submit. You will be redirected to the URL initially requested.

You can now browse freely until the social login account expires, as configured on the FortiAuthenticator under Authentication > Captive Portal > General.

To view the authenticated user added on FortiAuthenticator, go to Authentication > User Management > Social Login Users.

You can configure Captive Portal to use other social WiFi logins:


Adam Bristow

Technical Writer at Fortinet
Adam Bristow is a Technical Writer working for the FortiOS technical documentation team. He has a Honours Bachelor of Arts in English and Minor in Film Studies and a graduate certificate in Technical Writing from Algonquin College. Stay tuned for more FortiOS Cookbook videos!

  • Mats Lejon

    Hello

    I have just set this up for our students, and it seems to work fine.

    I had one problem when I tried to set it up, and the solution may be useful to others, so I post it here.

    Our problem was that when I had followed this instruction and set up everything, and connected to the protected network, we got a certificate error. This was not about the certificate from the Fortiauthenticator, that one is a signed and correct certificate. It turned out that it was the certificate from the Fortigate that the browser complained about. When I accepted that certificate, I was correctly redirected to the Fortiauthenticator, and could log in there.

    After quite some time of experimenting with a small Fortigate we have just for testing, it turned out that the problem was a setting in the production Fortigate. Under User and Device / Authentication Settings is a checkbox “Redirect HTTP Challenge to a Secure Channel (HTTPS)” that we had checked. It was checked because before we set up this social login, we used the local Captive Portal on the Fortigate, so we wanted our users to login on a https page.

    So, when I unchecked that box, everything worked as it should. I connect to the protected network, I get an http redirect from the Fortigate to the Fortiauthenticator, and a https page from the Fortiauthenticator.

    With that box checked, I get a https redirect from the Fortigate to the Fortiauthenticator. Since the Fortigate uses a URL like https://172.27.0.1/ or whatever the interface is set to, you cannot have a correctly signed certificate for that, so most browsers will complain about that.

    / Mats Lejon, University West, Sweden

    • Adam Bristow

      Mats,

      Thank you very much for your helpful comment! This is definitely a worthwhile point to make that others may miss; it’s greatly appreciated.

      Best regards,

      Adam
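The checkbox Mats describes, "Redirect HTTP Challenge to a Secure Channel (HTTPS)", corresponds to auth-secure-http under config user setting in the FortiGate CLI. The following is an added example for this page, not configuration from the recipe or from the commenter; it shows the setting that produces the certificate warning next to the value that works with an external HTTPS portal, and how to check which one is in effect. Lines beginning with # are explanatory comments.

```fortios
# Check the value currently in effect. "show" prints only non-default
# values, so if auth-secure-http is absent it is at its default (disable).
show user setting

# The setting that caused the certificate warning in the comment above:
# the FortiGate itself answers over https://<interface-ip>/, an address for
# which no browser-trusted certificate can be obtained.
config user setting
    set auth-secure-http enable
end

# The value that works with the recipe's external portal: the FortiGate
# issues a plain HTTP redirect and TLS is only terminated on the
# FortiAuthenticator, whose certificate matches its FQDN
# (fortiauthenticator.example.com in the recipe).
config user setting
    set auth-secure-http disable
end
```

Leaving auth-secure-http disabled is not a downgrade here: the client only ever exchanges the initial redirect with the FortiGate over HTTP, and the credentials and SMS or e-mail codes are submitted to the FortiAuthenticator over HTTPS.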

  • Hassaan Mustafa

    Hi Adam, your help has been very valuable to me. In the meantime, can you please confirm one last thing… that the captive portal should pop up by itself once a user connects to the SSID? Right now, when a user connects to the SSID, the captive portal doesn’t appear by itself, and he/she has to open it manually. Can you please confirm if this has to be done manually or if it should come up automatically?

    • Adam Bristow

      Hello Hassaan,

      You’re welcome! Anything I can do to help.

      The Captive Portal login splash page should appear automatically; however, it may only appear once the user has connected to the SSID and then opened a web browser. In my experience, this is what triggers the user redirection and causes the portal to open.

      Regards,

      Adam

      • Hassaan Mustafa

        Well, I tried all the possibilities, but it seems like the automatic pop-up is not working, and neither is the redirect function. I think it’s related to the firmware of the WiFi controller. But anyway, your help has been extremely useful for me.

  • slmrvoge

    A question about the SMS authentication. If the user leaves the process to read the SMS in the messaging app, the process starts again. Any ideas for this case?

  • Ronald

    Great post, but I’d like to know how to use Social Login along with Administrator Approval. Is that possible?

    • Adam Bristow

      Hello Ronald,
      Thank you for your question.

      Unfortunately this is not possible at this time. It also defeats the purpose of the feature, which is open guest access but with traceability for legal reasons.

      Please don’t hesitate to ask any further questions.

      Adam