Set up a Radius-based captive portal with FortiGate and Cloudi-Fi for user authentication 

Use case

This guide provides step-by-step instructions for integrating Cloudi-Fi captive portal with FortiGate Network. This setup enables Radius-based user authentication, ensuring a secure and seamless network access experience. 

Cloudi-Fi captive portal SSID and Radius configuration diagram

Please note that as an alternative, you can configure Cloudi-Fi with IPSEC/GRE tunnels as described in WAN deployment KB.

Prerequisites

Before starting, ensure you have the following prerequisites:

• Access to Cloudi-Fi's admin console
• Cloudi-Fi Radius IPs and Secret  
• Access to the FortiGate
• Knowledge of your network’s IP addressing scheme

Validated with FortiOS 6.2.5 build 1142 & v7.4.1 build 2463

1. Get Cloudi-Fi captive portal URL

To create a new location in the Cloudi-fi Admin interface if it doesn't already exist, follow these instructions:

Go to the "Location" section in the Cloudi-fi Admin interface.
Create New Location and enter the required details for the new location:

• Location Name
• Type (Redirect URL)
• Portal template
• Country 

Location URL: this URL will be used to configure an External Captive Portal

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spsomething.com

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spforti.com

2. Get Radius information

You will need the Radius information (Server IPs, Secret, Ports) to proceed with the setup.

1. IPs address of the Radius servers
2. Ports: UDP 1812 (Authentication) & 1813 (Accounting)
3. The Secret (provided by Cloudi-Fi Support)

You can get the Secret by asking Chatbot in the Cloudi-Fi Admin Console. Cloudi-Fi’s Support team will provide you with the necessary information.

3. Create the Cloudi-Fi Radius server

Go to Fortigate administration page > User & Authentication > RADIUS Servers > Create New

• Name: Cloudi-Fi_Radius_Srv
• Authentication Method: Default
• IP/Name: Click here to obtain the IP
• Secret: Provided by the Cloudi-Fi Support team
• Click on the “OK"

Then go to Fortigate administration page > User & Authentication > User Groups > Create New

• Name: Cloudi-Fi_Radius_group
• Type: Firewall
• Remote Groups: Add Cloudi-Fi_Radius_Srv

A User Group is created to map the RADIUS server as a source of authenticated users. User groups act as a bridge between the authentication mechanism and the firewall rules. By linking the RADIUS server to a user group, you can define what authenticated users are allowed to do post-authentication.

4. FortiGate Captive Portal configuration settings

Note: Captive Portal can be enabled in two ways, depending on your infrastructure.

1. In the FortiGate WiFi controller, if you have FortiAP (FortiGate WiFi Access Points)
2. In a FortiGate interface (physical or VLAN interface), if you have other WiFi vendors or want to enable a captive portal for wired users.

4.1. Enable the Captive portal in FortiGate WiFi controller

If you have FortiAP and want to enable Cloudi-Fi in the Fortinet WiFi controller.

Go to WiFi & Switch Controller > SSIDs > Create New :

1. Provide a name and the mode (tunnel) and fill in the network information
2. WiFi settings: Fill in network information

Activate the DHCP server and check "PING"

1. SSID: Provide the name of the SSID
2. Security mode: Open
3. Captive Portal: Tuen the toggle on
4. Portal type: Authentication
5. Authentication portal: External with the URL copied from the Cloudi-Fi administration console (section number 1 of this guide)
6. User Groups: Cloudi-Fi_Radius_Group
7. Redirect after Captive Portal: Specific URL: https://login.cloudi-fi.net/success.php
8. Exempt destinations/services:

login.cloudi-fi.net
login-cn.cloudi-fi.net
guest-api-v1.cloudi-fi.net
cdn.cloudi-fi.net
*.cloudi-fi.net
DNS (service)

4.2. Enable Captive Portal in FortiGate interface (for wired and other WiFi vendors)

If you want to enable the captive portal for your wireless and/or wired users and don't have FortiAP.

Note: because the captive portal feature is enabled for all the traffic of a specific interface, we recommend having a dedicated interface (physical or VLAN) for the Guest network.

Then go to the Network Section of the interface and enable Security Mode :

1. Security Mode: Captive Portal
2. Authentication Portal: External
3. URL:https://login.cloudi-fi.net/start/ch/*********/lh/*********/sp/spforti.com

User Access: Restricted to Groups: Cloudi-Fi_Radius_group

• Exempt destinations/services:

login.cloudi-fi.net
login-cn.cloudi-fi.net
guest-api-v1.cloudi-fi.net
cdn.cloudi-fi.net
*.cloudi-fi.net
DNS (service)

• Redirect after captive portal: https://login.cloudi-fi.net/success.php

5. Enable HTTP Auth-type

When enabling user authentication within a security policy such as a captive portal, users must first connect with a supported protocol to be redirected to the captive portal. As captive portal detection is based on HTTP, you must enable HTTP and HTTPS Auth-Type. Otherwise, the captive portal is not automatically displayed.

Go to Fortigate administration page > User & Authentication > Authentication Settings

• Protocol Support: Check HTTP and HTTPS

Click “Apply"

Note: you can also "enable HTTP and HTTPS Auth-Type" in CLI 

config user setting
set auth-timeout 5
set auth-type http https
end

• It is recommended that in the same Authentication Settings page you will install a custom SSL Certificate on your FortiGate firewall following this guide in order to avoid HTTPS warnings.
  
  

6. Configure the security policy

To finalize the configuration, you must create security rules to allow an unauthenticated user to access the captive portal.

Go to Fortigate administration page > Policy & Objects > Firewall Policy and create the below rules in the same order:

6.1 DNS Rule

1. Name: DNS
2. Incoming interface: your SSID
3. Source: your SSID address
4. Destination: all (You can define/allow only some DNS servers rather than all)
5. Service: DNS
6. NAT: Optional, depending on your configuration.

Once the DNS rule is created, right-click on the rule, select "Edit in CLI," and execute this command to bypass the captive portal authentication for this rule.

set captive-portal-exempt enable
end

6.2 Allow-Guest Rule

1. Name: Allow-Guest
2. Incoming interface: your SSID
3. Source: your SSID address
4. Destination: all
5. Service: HTTP, HTTPS
6. NAT: Optional, depending on your configuration.

Table summary of the rules:

(*) the explicit deny rule is optional if your FortiGate Implicit Rule is already configured to Deny all the traffic.

Troubleshooting:

Check Cloudi-Fi's first-level troubleshooting guide

Test Radius server

Before testing user credentials, please ensure that the Radius Server is already configured and there are no connectivity issues between the FortiGate and Radius Server.

• To check the Radius server user credentials, go to User & Authentication -> RADIUS servers
• Edit the configured Radius Server and click the “Test User Credentials” button.

Certifications issues

When connected to the Guest SSID, a certificate error page is displayed on your screen. TLS/SSL certificates secure internet connections by encrypting your data. They ensure data is transmitted privately, without modification, loss, or theft. Adding a certificate to your network environment will ensure a safer internet experience for your users.

Please follow this article: FortiGate - Enable HTTPS Redirection to avoid web-browser warning.

If you still face issues, we invite you to contact the Cloudi-Fi support team.

What's next?

Congratulations on enabling the captive portal with Fortigate Firewall!  You can visit our partner page if you need more information about our solutions integrated with Fortinet SD-WAN.