The following section describes how you can use FortiAuthenticator to grant remote users access to certain portions of the network using delegated authentication through a captive portal. Authentication requires the user to associate their device with the guest SSID as published by the FortiGate wireless controller.
The FortiGate facilitates access control by redirecting the user's web browser to one of the FortiAuthenticator's captive portals. As such, some FortiGate configuration is required.
The following captive portal authentication options are available:
Captive portal access is enabled on a per-FortiGate basis through the RADIUS client configuration at
Authentication > RADIUS Service > Clients > Enable captive portal.
Options are available to enable each captive portal individually:
General captive portal configuration is available under Authentication > Captive Portal > General.
The credentials portal requires known users (users who already have an account) to authenticate using their credentials (password and/or token code). The goal is to restrict access to a set of pre-authorized users only.
For the Credentials portal, the administrator must indicate which of the profiles to use for user authentication. For environments where there is one FortiWifi with multiple access points (AP), the administrator can specify a list of IP addresses for all the APs.
When the user is redirected to the Credentials portal login page, they must enter their username and password, and (optionally) their FortiToken passcode. Upon successful login, the user is redirected to the webpage originally requested.
Social Wifi authentication allows FortiAuthenticator to utilize third-party user identity methods (social sites, valid e-mail address, or phone number) to authenticate users into a wireless guest network.
The goal is to provide some traceability of users without requiring the heavy overhead of creating guest accounts.
Supported third-party authentication methods are described in the table below.
Each third-party method can be enabled or disabled on an individual basis under Authentication >
Captive Portal > General.
Third-party method | Method description | |
---|---|---|
Google + | Log-in using Google+ is an option for Google users, utilizing the OAUTH2 protocol described here: https://console.developers.google.com/start. Once logged in, the user can Add to Circles with the organization. |
|
Log-in via Facebook is known as "Facebook Connect" and is described here: https://developers.facebook.com/products/login. Once logged in, the user can Like the organization's Facebook page. |
||
Log-in via Linkedin is supported using the OAUTH2 protocol as described here: https://developer.linkedin.com/documents/authentication. Once logged in, the user can Connect with the organization. |
||
Log-in via Twitter is supported as described here: https://dev.twitter.com. Once logged in, the user can Follow the organization. |
||
Form-based authentication | Similar to the existing Self-registration page, it is possible to register by supplying user details. It is also possible to register using minimal (configurable) information, for example: e-mail or mobile-only. Such information is commonly gathered in short-term transient use locations such as airports and coffee shops. | |
SMS-based authentication | In SMS-based authentication, the user is redirected to a registration portal which requests a valid mobile phone number. When the user enters their number, a passcode is sent to their mobile device. The user then enters this passcode at the authentication screen to successfully authenticate. | |
Email-based authentication | Email-based authentication is similar to SMS-based authentication, except that the user enters their email address instead of their mobile phone number. A passcode is then sent to the user's email address. The user enters this passcode into the captive portal registration page. |
This feature is particularly useful in situations where only the identity of the user is important, for example:
The purpose is to identify and authenticate users with minimal interaction from the user, with some traceability of the users. This authentication method is less disruptive and therefore provides a better user experience.
With MAC address authentication enabled, the user attempts to open a web browser but is intercepted by the FortiGate wireless controller, and redirected to the FortiAuthenticator portal configured to record the user's MAC address (without requiring any user interaction). The user is then redirected to the webpage originally requested.
The Access Control page under Authentication > Captive Portal provides a consolidated view of which RADIUS client has access to which captive portal(s).
Custom login pages for authentication are configurable on a per device, location, or organization basis, allowing the administrator to customize content specific to a brand identity. See Captive Portal > Replacement Messages.
For example:
You can change the default disclaimer at Authentication > Captive Portal > Replacement Messages by simply editing the HTML for the Captive Portal Login Disclaimer Page item.
You can change the default splash page at Authentication > Captive Portal >
Replacement Messages by simply editing the HTML for the Captive Portal Splash Screen Page item.
Images can be managed by selecting Manage Images in the Replacement Messages window. Images can also be added, deleted, and edited.
The maximum image size is 65kB.
In the manage images screen, select an image, then select Edit.
Account expiry can be configured for Social and MAC Address portals under Authentication > Captive Portal >
General. Set the desired timeout next to Account expires after.
Account expiry is not available for the Credentials portal.
In order to allow redirection to an external captive portal and also allow the supply of identifying information about the requesting IP, some FortiGate configuration is required. The example below is configured using the CLI, with the following attributes:
Additional non-standard commands to enable the feature are provided in red.
config user radius
edit "FAC_4.0"
set server "192.168.0.122"
set secret ENC PGTVcRMZH5mFV2aWl1A1Kbqsr3ZAKcZuEdK5Jsx+2h87uBjyWR1wuU2MY07k4H46ZHuLwBKAky9Zyn0RqHEPB3Cku232hFpkOOLlI2gzPnQbPeVcfhC18sxSWvk/fpgDhUTwPoGnYofl9vLrwpPzbkzvJhaXXcgsfSTuQ5wxK/5YghiLbdq04nnnTzQd8N8QjsUE5w==
next
end
Configuration of the accounting server might not be nessesary if the RADIUS Accounting is the same as the RADIUS Auth server. |
config user group
edit "Wireless_Auth"
set member "FAC_4.0"
next
end
Configure captive portal security with an external Portal rather than the native on-FGT portal.
config wireless-controller vap
edit "fortinet"
set vdom "root"
set security captive-portal
set selected-usergroups "Wireless_Auth"
set intra-vap-privacy enable
set local-switching disable
set external-web "http://192.168.0.122/caplogin
next
end
Configure the ForiAuthenticator address or group to use as an exemption rule in the firewall policy. This is to allow traffic to flow to the FAC portal to enable authentication when the user is not yet authenticated. This group may also include any servers used to host images referenced on the FAC portal.
config firewall address
edit "FortiAuthenticator"
set type iprange
set associated-interface "internal"
set start-ip 192.168.0.122
set end-ip 192.168.0.123
next
end
If Social Wifi is enabled, this exemption group will need to consist of all Facebook, Google, LinkedIn, and/or Twitter servers used in the authentication process. |
In these firewall policies, an exemption is made to allow access to the FortiAuthenticator (rule 21) and to external Internet resources (rule 17, "For_SocialWiFi"), which may include content embedded on the portal login page (images, videos, organization website), or may be used in the future to enable exemption for Social Wifi (Google, Facebook, LinkedIn, Twitter).
config firewall policy
edit 21
set srcintf "fortinet"
set dstintf "internal"
set srcaddr "all"
set dstaddr "FortiAuthenticator"
set action accept
set schedule "always"
set service "ALL"
set captive-portal-exempt enable
next
:
:
:
edit 17
set uuid 6d71b2b4-4efd-51e4-a21f-272dd0bcdcd9
set srcintf "fortinet"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "For_SocialWiFi"
set action accept
set schedule "always"
set service "ALL"
set captive-portal-exempt enable
set nat enable
next
end