Set up a Radius-based captive portal with FortiGate and Cloudi-Fi for user authentication
Table of contents
Step 1: Get Cloudi-Fi required URL
Step 2: Get Radius information
Step 3: Create the Cloudi-Fi Radius server
Step 4: FortiGate Captive Portal configuration settings
Step 5: Enable HTTP Auth-type
Step 6: Configure the Security Policy
Use case:
This guide provides step-by-step instructions for integrating Cloudi-Fi captive portal with FortiGate Network. This setup enables Radius-based user authentication, ensuring a secure and seamless network access experience.
[Diagram: FortiGate integration with Cloudi-Fi captive portal]
[Diagram: Cloudi-Fi captive portal SSID and Radius configuration]
Please note that, as an alternative, you can configure Cloudi-Fi with IPSEC/GRE tunnels as described in the WAN deployment KB.
Prerequisites:
Before starting, ensure you have the following prerequisites:
- Access to Cloudi-Fi's admin console
- Cloudi-Fi Radius IPs and Secret
- Access to the FortiGate
- Knowledge of your network’s IP addressing scheme
Validated with FortiOS 6.2.5 build 1142 & v7.4.1 build 2463
Step 1: Get Cloudi-Fi required URL
Location URL: this URL will be used to configure an External Captive Portal
- Access the Cloudi-Fi administration console
- Select the location
- Click on the menu button for the location
- Select "Copy Splash page URL"
Transform the URL as follows:
Step 2: Get Radius information
You will need the Radius information (server IP addresses, secret, ports) to proceed with the setup.
- IP addresses of the Radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
- The Secret (provided by Cloudi-Fi Support)
You can get the Secret by asking in the Chatbot; Cloudi-Fi's Support team will provide you with the necessary information. For example:
- "What shared secret is used for the Radius server with Fortigate?" (Please store this confidential information securely and do not share it publicly.)
Step 3: Create the Cloudi-Fi Radius server
Go to Fortigate administration page > User & Authentication > RADIUS Servers > Create New
- Name: Cloudi-Fi_Radius_Srv
- Authentication Method: Default
- IP/Name: IP address of the Cloudi-Fi Radius server (obtained in Step 2)
- Secret: Provided by the Cloudi-Fi Support team
- Click on “OK”
Then go to Fortigate administration page > User & Authentication > User Groups > Create New
- Name: Cloudi-Fi_Radius_group
- Type: Firewall
- Remote Groups: Add Cloudi-Fi_Radius_Srv
- Click on “OK”
Step 4: FortiGate Captive Portal configuration settings
Note: Captive Portal can be enabled in two ways, depending on your infrastructure.
- In the FortiGate WiFi controller, if you have FortiAP (FortiGate WiFi Access Points)
- In a FortiGate interface (physical or VLAN interface), if you have other WiFi vendors or want to enable a captive portal for wired users.
1. Enable the Captive portal in FortiGate WiFi controller
If you have FortiAP and want to enable Cloudi-Fi in the Fortinet WiFi controller, go to WiFi & Switch Controller > SSID > Create New:
- Provide a name and the mode (tunnel) and fill in the network information
- WiFi settings: Fill in network information
- Activate the DHCP server and check "PING"
- SSID: Provide the name of the SSID
- Security mode: Captive Portal
- Portal type: External Authentication
- URL: Copied from the Cloudi-Fi administration console
- User Groups: Cloudi-Fi_Radius_group
- Redirect after Captive Portal: Specific URL: https://login.cloudi-fi.net/success.php
- Click on “OK”
2. Enable Captive Portal in FortiGate interface (for wired and other WiFi vendors)
Use this option if you want to enable the captive portal for your wireless and/or wired users and do not have FortiAP.
Note: because the captive portal feature applies to all the traffic of a specific interface, we recommend having a dedicated interface (physical or VLAN) for the Guest network.
Then go to the Network section of the interface and enable Security Mode:
- Security Mode: Captive Portal
- Authentication Portal: External
- URL: https://login.cloudi-fi.net/start/ch/*********/lh/*********/sp/spforti.com
- User Access: Restricted to Groups: Cloudi-Fi_Radius_group
- Exempt destinations: Create an FQDN object for each of:
  - login.cloudi-fi.net
  - login-cn.cloudi-fi.net
  - guest-api-v1.cloudi-fi.net
  - cdn.cloudi-fi.net
- Redirect after captive portal: https://login.cloudi-fi.net/success.php
- Click on “OK”
Step 5: Enable HTTP Auth-type
When user authentication is enabled in a security policy (such as a captive portal), users are only redirected to the portal once they send traffic over a protocol that FortiGate authentication supports. Because captive portal detection is HTTP-based, you must enable the HTTP and HTTPS Auth-Types; otherwise the captive portal is not displayed automatically.
Go to Fortigate administration page > User & Device > Authentication Settings
- Protocol Support: Check HTTP and HTTPS
- Click on “OK”
Note: you can also enable the HTTP and HTTPS Auth-Types in the CLI:
config user setting
    set auth-timeout 5
    set auth-type http https
end
Step 6: Configure the Security Policy
To finalize the configuration, you must create security rules to allow an unauthenticated user to access the captive portal.
Go to Fortigate administration page > Policy & Objects > IPv4 Policy and create the rules below in the same order:
- Rules for unauthenticated users: DNS, Walled Garden
- FQDN_CloudiFi: login.cloudi-fi.net, login-cn.cloudi-fi.net, guest-api-v1.cloudi-fi.net, cdn.cloudi-fi.net
Once these rules are created, right-click on each, select "Edit in CLI" and copy/paste this command to bypass the captive portal authentication for the above rules:
    set captive-portal-exempt enable
end
- Rules for authenticated users: Allow-Guest, Guest-Deny-All
ID | Name | Source | Destination | Service | NAT | Action
---|------|--------|-------------|---------|-----|-------
1 | DNS | Guest interface | DNS Servers | DNS | TBD | Accept
2 | Walled Garden | Guest interface | FQDN_CloudiFi | HTTPS | Yes | Accept
3 | Allow-Guest | Guest interface | Outside interface | ALL | Yes | Accept
4 | Guest-Deny-All (Optional*) | Guest interface | RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | ALL | No | Deny
(*) The explicit deny rule is optional if your FortiGate implicit rule is already configured to deny all traffic.
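As an added example (not from this page or from Cloudi-Fi/Fortinet documentation), the following FortiOS CLI fragment collects in one place the objects that Steps 3, 4.2 and 6 create in the GUI, so the resulting configuration can be reviewed or scripted. The interface names, Radius IP, shared secret and policy ID are placeholders; the walled-garden FQDN object is shown once and must be repeated for the other three hosts; the interface exempt-destination list is omitted; the attribute names are assumed from standard FortiOS syntax and should be checked against the version in use.

```fortios
# Added example: assumed FortiOS CLI equivalent of the GUI steps above.
# Placeholders in <...> must be replaced with your own values.
config user radius
    edit "Cloudi-Fi_Radius_Srv"
        set server "<RADIUS_IP_FROM_STEP_2>"
        set secret "<SECRET_FROM_CLOUDIFI_SUPPORT>"
    next
end
config user group
    edit "Cloudi-Fi_Radius_group"
        set member "Cloudi-Fi_Radius_Srv"
    next
end
# Walled-garden destination as an FQDN object (repeat for the other three hosts)
config firewall address
    edit "login.cloudi-fi.net"
        set type fqdn
        set fqdn "login.cloudi-fi.net"
    next
end
config firewall addrgrp
    edit "FQDN_CloudiFi"
        set member "login.cloudi-fi.net"
    next
end
# Step 4.2: external captive portal on the dedicated guest interface
config system interface
    edit "<GUEST_INTERFACE>"
        set security-mode captive-portal
        set security-external-web "https://login.cloudi-fi.net/start/ch/*********/lh/*********/sp/spforti.com"
        set security-groups "Cloudi-Fi_Radius_group"
        set security-redirect-url "https://login.cloudi-fi.net/success.php"
    next
end
# Step 6, rule 2: walled garden, exempt from captive portal authentication
config firewall policy
    edit 0
        set name "Walled Garden"
        set srcintf "<GUEST_INTERFACE>"
        set dstintf "<OUTSIDE_INTERFACE>"
        set srcaddr "all"
        set dstaddr "FQDN_CloudiFi"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set captive-portal-exempt enable
    next
end
```

The DNS rule needs the same `set captive-portal-exempt enable`, while the Allow-Guest rule must keep the Cloudi-Fi_Radius_group restriction so that only authenticated guests reach the outside interface.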
Troubleshooting:
Check Cloudi-Fi's first-level troubleshooting guide.
Test Radius server
Before testing user credentials, ensure that the Radius server is already configured and that there are no connectivity issues between the FortiGate and the Radius server.
- To check the Radius server user credentials, go to User & Device > RADIUS Servers
- Edit the configured Radius server and click the “Test User Credentials” button.
Certificate issues
When a user connects to the Guest SSID, a certificate error page may be displayed. TLS/SSL certificates secure internet connections by encrypting data in transit, ensuring it is transmitted privately and without modification, loss, or theft. Adding a certificate to your network environment gives your users a safer browsing experience.
Please follow this article: FortiGate - Enable HTTPS Redirection to avoid web-browser warning.
If you still face issues, we invite you to contact the Cloudi-Fi support team.
What's Next?
Congratulations on enabling the captive portal with your FortiGate firewall! You can visit our partner page if you need more information about our solutions integrated with Fortinet SD-WAN.