Skip to main content

Fortigate integration - Enable Cloudi-Fi captive portal in FortiOS

Alexandre de THOMASSON
  • Updated

Describes how to configure your Fortinet Fortigate to activate the Cloudi-Fi splash page feature

                                                            

Learn how to launch the cloudi-fi captive portal natively from Fortigate:

This article describes FortiGate captive portal configuration. Cloudi-Fi can launch the captive portal natively from the FortiGate, avoiding any local setup in any WiFi infrastructure. The only requirement is that the guest traffic is routed to the FortiGate as described in the diagram and workflow below:

Fortigate integration with Cloudi-Fi captive portal diagram:

 

Cloudi-Fi captive portal SSID and Radius configuration diagram: 

Please note that as an alternative, you can configure Cloudi-Fi with IPSEC/GRE tunnels as described in WAN deployment KB.

 

Cloudi-Fi cloud captive portal deployment configuration steps:

  1. Get Cloudi-Fi required URL and RADIUS secret

  2. Create Cloudi-Fi Radius Server

  3. Configure Captive Portals Settings
    3a. WiFi Deployment
    3b. Interface Deployment

  4. Enable HTTP auth-type

  5. Configure Security Policy

Validated with FortiOS 6.2.5 build 1142

 

1) Get Cloudi-Fi required URL and RADIUS secret

Go to your Cloudi-Fi administration interface and get the URL for external authentication.

Go to Locations Menu

Click on the menu button of the location and select "Copy Splash page URI"

  • Copy the URI

  • Transform the URI as shown in the following screenshot

Go to the chat interface and ask for your Radius secret

  • Copy the secret as well

2) Create the Cloudi-Fi Radius server

Go to your FortiGate administration interface:

Go to User & Device RADIUS Servers Create New :

  • Name: Cloudi-Fi_Radius_Srv

  • Authentication Method: Default

  • IP/Name: radius.cloudi-fi.net

  • Secret: Provided by the Cloudi-Fi Support team

  • Save

Go to User & Device User Groups Create New :

  • Name: Cloudi-Fi_Radius_group

  • Type: Firewall

  • Remote Groups: Add Cloudi-Fi_Radius_Srv

  • Save

 

3) FortiGate Captive Portal configuration settings

Note: The Captive Portal feature can be enabled in two different ways with FortiGate, depending on your infrastructure:

  • In the FortiGate WiFi controller, if you have FortiAP (FortiGate WiFi Access Points)

  • In a FortiGate interface (physical or VLAN interface), if you have other WiFi vendors or want to enable a captive portal for wired users.

3a) Enable the Captive portal in FortiGate WiFi controller

If you have FortiAP and want to enable Cloudi-Fi in the Fortinet WiFi controller :

Go to WiFi & Switch Controller SSID Create New :

  • Provide a name and the mode (tunnel or bridge) and fill in the network information

  • WiFi settings :

  • Security mode: Captive Portal

  • Portail type: External Authentication

  • URL: https://login.cloudi-fi.net/start/CompanyKey/Location-ID?spentityid=spforti.com

  • User Groups: Cloudi-Fi_Radius_Group

  • Redirect after Captive Portal: Specific URL: https://login.cloudi-fi.net/success.php

  • Save

3b) Enable Captive Portal in FortiGate interface

If you want to enable the captive portal for your wireless and/or wired users and don't have FortiAP.

Note: Because the captive portal feature is enabled for all the traffic
of a specific interface, we recommend to have a dedicated interface
(physical or VLAN) for the Guest network.

 

Go to Networks Interfaces Edit the Guest interface:

Then go to the Network Section of the interface and enable Security Mode :

  • Security Mode: Captive Portal

  • Authentication Portal: External

  • URL: https://login.cloudi-fi.net/start/CompanyKey/Location-ID?spentityid=spforti.com

  • User Access: Restricted to Groups: Cloudi-Fi_Radius_group

  • Exempt destinations: Create an FQDN Object for:

    • login.cloudi-fi.net

    • guest-api-v1.cloudi-fi.net

    • cdn.cloudi-fi.net

  • Redirect after captive portal: https://login.cloudi-fi.net/success.php

  • Save

4) Enable HTTP auth-type

Users must first connect with a supported protocol to be redirected to the captive portal when enabling user authentication within a security policy such as a captive portal. As captive portal detection is based on HTTP, you must enable HTTP and HTTPS Auth-Type. Otherwise, the captive portal is not automatically displayed.

Go to User & Device Authentication Settings:

  • Supported protocols: Check HTTP and HTTPS

  • Save

To configure in CLI :

config user setting
   set auth-timeout 5
   set auth-type http https 
end

5) Configure the Security Policy

To finalize the configuration, you must create security rules to allow an unauthenticated user to access the captive portal.

 

Go to Policy & Objects IPv4 Policy and create the below rules in the same order:

  • Rules for unauthenticated users :

Name

Source

Destination

Service

NAT

Action

DNS

Guest interface

DNS Servers

DNS

TBD

Accept

Walled

Garden

Guest interface

FQDN_

CloudiFi

HTTPS

Yes

Accept

Cloudi-Fi's FQDN:

  • login.cloudi-fi.net

  • guest-api-v1.cloudi-fi.net

  • cdn.cloudi-fi.net

Once these rules are created, right-click on each, select "Edit in CLI" and copy/paste this command to bypass the captive portal authentication for the above rules.

set captive-portal-exempt enable
end

  • The rule for authenticated users:

Name

Source

Destination

Service

NAT

Action

Allow-Guest

Guest interface

Outside interface

ALL

Yes

Accept

Guest-Deny-All

(Optional*)

Guest interface

RFC1918:

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

ALL

No

Deny

*The explicit deny rule is optional if your FortiGate Implicit Rule is already configured to Deny all the traffic.

 

If you need more information about our solutions integrated with Fortinet SD-WAN, you can visit our partner page.

 

 

Related to

Related articles

Comments

0 comments