Describes how to install a custom SSL certificate on your FortiGate firewall to avoid HTTPS certificate warnings.
Note: Your Cloudi-Fi Guest SSID/Subnet must already be configured before you apply the following procedure.
If you haven’t configured your Cloudi-Fi Guest SSID yet, please follow this article: FortiGate integration.
1) Install the public certificate
Go to User & Devices - Authentication Settings - Certificate - Create:
- Add the certificate file
- Add the private key file
- Provide a password to protect your certificate
- Provide a Name for this object
Then select this certificate and click Apply.
2) Enable HTTPS Redirection
Connect to the FortiGate GUI.
Open the CLI console and run the following commands:
config user setting
set auth-secure-http enable
set auth-cert "guest.poc.cloudi-fi.net"
end
3) Configure an FQDN for your FortiGate
Configuring an FQDN results in the guest user being redirected to this FQDN instead of the FortiGate IP address.
This also implies that you must provide/purchase a public certificate for this FQDN to avoid a certificate warning on the guest’s device.
Finally, the Cloudi-Fi Support team can provide you with a Cloudi-Fi certificate to make it easier.
This certificate should be renewed every year, when it expires.
Still in the CLI console, run the following commands:
config firewall auth-portal
set portal-addr "guest.poc.cloudi-fi.net"
end
Note that guest.poc.cloudi-fi.net is a domain name owned by Cloudi-Fi. You could use this FQDN if you use the Cloudi-Fi public certificate.
If you prefer to use your own domain and certificate, replace guest.poc.cloudi-fi.net in the commands above with your domain.
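Before uploading the files in step 1, the certificate can be checked on an admin workstation against the FQDN used for portal-addr and against the yearly renewal. The script below is an added example, not part of the original procedure; it assumes OpenSSL 1.0.2 or later, PEM files, a 30-day warning window, and a hypothetical KEY_PASS variable holding the passphrase of an encrypted key.

```shell
#!/bin/sh
# Added example (not from the original article): pre-upload checks for the
# captive-portal certificate. File names and the 30-day window are assumptions.
# Usage: sh check_portal_cert.sh cert.pem key.pem guest.poc.cloudi-fi.net [days]

check_portal_cert() {
    cert=$1; key=$2; fqdn=$3; days=${4:-30}
    rc=0

    # 1. The private key must belong to the certificate: compare public keys.
    #    KEY_PASS is a hypothetical variable, only needed for an encrypted key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin "pass:${KEY_PASS:-}" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   private key matches certificate"
    else
        echo "FAIL private key does not match certificate (or a file is unreadable)"
        rc=1
    fi

    # 2. The certificate must cover the FQDN configured as portal-addr, otherwise
    #    guests still get a warning. Note: openssl falls back to the CN when the
    #    certificate has no subjectAltName.
    if openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
            grep -q 'does match'; then
        echo "OK   certificate is valid for $fqdn"
    else
        echo "FAIL certificate does not cover $fqdn"
        rc=1
    fi

    # 3. Expiry: fail when the certificate expires within the warning window.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "OK   certificate is valid for more than $days days"
    else
        echo "FAIL certificate expires within $days days (or is unreadable)"
        rc=1
    fi

    return $rc
}

# Run the checks only when the script is called with arguments.
if [ "$#" -ge 3 ]; then
    check_portal_cert "$@"
fi
```

A non-zero exit status means at least one check failed, so the script can also run from a scheduled job ahead of the yearly renewal.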
4) Local DNS Record
Go to Network - DNS Servers to configure the DNS database server with static DNS entries:
You may need to activate the feature in:
System - Feature Visibility - Additional Features - DNS Database.
Create a DNS Service on the interface where the guest users will be connecting, with Recursive as the mode:
Next, create a DNS Database:
And within this DNS database, create the DNS static entry as shown below:
Save the DNS settings. The next step is to edit the DHCP configuration on the Guest interface. You can choose between the IP address of your interface:
Or specify a public IP address.
5) Results
The users behind this Guest SSID will get an IP address from this DHCP range and will be able to resolve the static DNS entry (guest.poc.cloudi-fi.net) in the DNS database as below:
- When trying to resolve guest.poc.cloudi-fi.net: