Set up a Radius-based captive portal with FortiGate and Cloudi-Fi for user authentication
Use case
This guide provides step-by-step instructions for integrating Cloudi-Fi captive portal with FortiGate Network. This setup enables Radius-based user authentication, ensuring a secure and seamless network access experience.
Cloudi-Fi captive portal SSID and Radius configuration diagram
Please note that as an alternative, you can configure Cloudi-Fi with IPSEC/GRE tunnels as described in WAN deployment KB.
Prerequisites
Before starting, ensure you have the following prerequisites:
- Access to Cloudi-Fi's admin console
- Cloudi-Fi Radius IPs and Secret
- Access to the FortiGate
- Knowledge of your network’s IP addressing scheme
Validated with FortiOS 6.2.5 build 1142 & v7.4.1 build 2463
1. Get Cloudi-Fi captive portal URL
To create a new location in the Cloudi-Fi Admin interface if it doesn't already exist, follow these steps:
Go to the "Location" section of the Cloudi-Fi Admin interface.
Click "Create New Location" and enter the required details for the new location:
- Location Name
- Type (Redirect URL)
- Portal template
- Country
Location URL: this URL will be used to configure the External Captive Portal on the FortiGate. To copy it:
- Access the Cloudi-Fi administration console
- Select the location
- Click on the menu button for the location
- Select "Copy Splash page URL"
Transform the URL as follows:
Cloudi-Fi (splash page URL as copied):
  https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spsomething.com
Fortinet FortiGate (replace the trailing "spsomething.com" with "spforti.com"):
  https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spforti.com
2. Get Radius information
You will need the Radius information (Server IPs, Secret, Ports) to proceed with the setup.
- IP addresses of the Radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
- The Secret (provided by Cloudi-Fi Support)
You can get the Secret by asking the Chatbot in the Cloudi-Fi Admin Console. Cloudi-Fi’s Support team will provide you with the necessary information.
3. Create the Cloudi-Fi Radius server
Go to FortiGate administration page > User & Authentication > RADIUS Servers > Create New:
- Name: Cloudi-Fi_Radius_Srv
- Authentication Method: Default
- IP/Name: the Cloudi-Fi Radius server IP address (see section 2 of this guide)
- Secret: Provided by the Cloudi-Fi Support team
- Click on "OK"
Then go to FortiGate administration page > User & Authentication > User Groups > Create New:
- Name: Cloudi-Fi_Radius_group
- Type: Firewall
- Remote Groups: Add Cloudi-Fi_Radius_Srv
- Click on "OK"
4. FortiGate Captive Portal configuration settings
Note: Captive Portal can be enabled in two ways, depending on your infrastructure.
- In the FortiGate WiFi controller, if you have FortiAP (FortiGate WiFi Access Points)
- In a FortiGate interface (physical or VLAN interface), if you have other WiFi vendors or want to enable a captive portal for wired users.
4.1. Enable the Captive portal in FortiGate WiFi controller
If you have FortiAP and want to enable Cloudi-Fi in the Fortinet WiFi controller, go to WiFi & Switch Controller > SSID > Create New:
- Provide a name and the mode (tunnel) and fill in the network information
- WiFi settings: Fill in network information
Activate the DHCP server and check "PING"
- SSID: Provide the name of the SSID
- Security mode: Captive Portal
- Portal type: Authentication
- URL: Copied from the Cloudi-Fi administration console (section number 1 of this guide)
- User Groups: Cloudi-Fi_Radius_group
- Redirect after Captive Portal: Specific URL: https://login.cloudi-fi.net/success.php
- Click “OK"
4.2. Enable Captive Portal in FortiGate interface (for wired and other WiFi vendors)
If you want to enable the captive portal for your wireless and/or wired users and don't have FortiAP, use this method.
Note: because the captive portal feature is enabled for all the traffic of a specific interface, we recommend having a dedicated interface (physical or VLAN) for the Guest network.
Go to the Network section of the interface and enable Security Mode:
- Security Mode: Captive Portal
- Authentication Portal: External
- URL: https://login.cloudi-fi.net/start/ch/*********/lh/*********/sp/spforti.com
- User Access: Restricted to Groups: Cloudi-Fi_Radius_group
- Exempt destinations: Create an FQDN Object for each of:
  - login.cloudi-fi.net
  - login-cn.cloudi-fi.net
  - guest-api-v1.cloudi-fi.net
  - cdn.cloudi-fi.net
- Redirect after captive portal: https://login.cloudi-fi.net/success.php
- Click on "OK"
5. Enable HTTP Auth-type
When enabling user authentication within a security policy such as a captive portal, users must first connect with a supported protocol to be redirected to the captive portal. As captive portal detection is based on HTTP, you must enable HTTP and HTTPS Auth-Type. Otherwise, the captive portal is not automatically displayed.
Go to FortiGate administration page > User & Authentication > Authentication Settings
- Protocol Support: Check HTTP and HTTPS
Click “Apply"
Note: you can also enable the HTTP and HTTPS Auth-Type in the CLI:
    config user setting
        set auth-timeout 5
        set auth-type http https
    end
6. Configure the security policy
To finalize the configuration, you must create security rules to allow an unauthenticated user to access the captive portal.
Go to FortiGate administration page > Policy & Objects > Firewall Policy and create the rules below in the same order:
6.1 DNS Rule
- Name: DNS
- Incoming interface: your SSID
- Source: your SSID address
- Destination: all (You can define/allow only some DNS servers rather than all)
- Service: DNS
- NAT: Optional, depending on your configuration.
6.2 Walled Garden Rule
- Name: Walled Garden
- Incoming interface: your SSID
- Source: your SSID address
- Destination: FQDN_CloudiFi: login.cloudi-fi.net, login-cn.cloudi-fi.net, guest-api-v1.cloudi-fi.net, cdn.cloudi-fi.net
- Service: HTTP, HTTPS
- NAT: Optional, depending on your configuration.
6.3 Allow-Guest Rule
- Name: Allow-Guest
- Incoming interface: your SSID
- Source: your SSID address
- Destination: all
- Service: ALL
- NAT: Optional, depending on your configuration.
Once these rules are created, right-click on each rule that must be reachable before the user has authenticated (the summary table below marks which rules are exempt), select "Edit in CLI", and copy/paste this command to bypass the captive portal authentication for that rule:
    set captive-portal-exempt enable
    end
Eventually, the rules should look like the following:
Summary of the rules:
ID | Name | Source | Destination | Service | NAT | Action | Exempt from the captive portal
1 | DNS | Guest interface | DNS Servers | DNS | Depends on your configuration | Accept | Yes
2 | Walled Garden | Guest interface | FQDN_CloudiFi | HTTPS | Depends on your configuration | Accept | Yes
3 | Allow-Guest | Guest interface | Outside interface | ALL | Depends on your configuration | Accept | No
4 | Guest-Deny-All (Optional*) | Guest interface | RFC1918: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 | ALL | Depends on your configuration | Deny | No
(*) the explicit deny rule is optional if your FortiGate Implicit Rule is already configured to Deny all the traffic.
Troubleshooting:
Check Cloudi-Fi's first-level troubleshooting guide
Test Radius server
Before testing user credentials, please ensure that the Radius Server is already configured and there are no connectivity issues between the FortiGate and Radius Server.
- To check the Radius server user credentials, go to User & Authentication -> RADIUS servers
- Edit the configured Radius Server and click the “Test User Credentials” button.
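The "Test User Credentials" check exchanges RFC 2865 Access-Request/Access-Accept packets with the Cloudi-Fi Radius server, protected by the shared Secret from section 2. The following Python is an added example (not Cloudi-Fi's or Fortinet's code) that builds such a request, hides the password with the secret and verifies the Response Authenticator of a reply; the secret, user name and server reply are constructed, and only the PAP form of the exchange is shown.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pad = -len(password) % 16 if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2 header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user: str, password: str, secret: bytes,
                         ident: int = 1, authenticator: bytes = None) -> bytes:
    """Access-Request carrying User-Name(1), User-Password(2), Service-Type(6)=Login."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator, 16 random bytes
    attrs = (attribute(1, user.encode())
             + attribute(2, hide_password(password.encode(), secret, authenticator))
             + attribute(6, struct.pack("!I", 1)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Constructed server reply (stands in for the Cloudi-Fi Radius server, offline)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_reply(reply: bytes, request: bytes, secret: bytes) -> str:
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    if len(reply) < 20:
        return "mismatch"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return "mismatch"  # not a reply to this request, or truncated
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[4:20] != expected:
        return "bad-authenticator"  # wrong shared secret, or reply altered in transit
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")
```

A reply built with a different secret returns "bad-authenticator", which is what a mistyped Secret in step 3 looks like on the wire: the FortiGate receives replies it cannot validate rather than a clean reject.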
Certificate issues
When connected to the Guest SSID, a certificate error page is displayed on your screen. TLS/SSL certificates secure internet connections by encrypting your data; they ensure data is transmitted privately, without modification, loss, or theft. Adding a valid certificate to your network environment will ensure a safer internet experience for your users.
Please follow this article: FortiGate - Enable HTTPS Redirection to avoid web-browser warning.
If you still face issues, we invite you to contact the Cloudi-Fi support team.
What's next?
Congratulations on enabling the captive portal with the FortiGate firewall! You can visit our partner page if you need more information about our solutions integrated with Fortinet SD-WAN.