FortiGate configuration
In order to allow redirection to an external captive portal and also allow the supply of identifying information about the requesting IP, some FortiGate configuration is required. The example below is configured using the CLI, with the following attributes:
- WAN 1 = Internet
- FAC IP = 192.168.0.122
- Wireless users connecting to the "Fortinet" SSID are on the network 10.10.x.x.
In the original guide, the additional non-standard commands that enable the feature are highlighted in red.
Configuring RADIUS
config user radius
    edit "FAC_4.0"
        set server "192.168.0.122"
        set secret ENC PGTVcRMZH5mFV2aWl1A1Kbqsr3ZAKcZuEdK5Jsx+2h87uBjyWR1wuU2MY07k4H46ZHuLwBKAky9Zyn0RqHEPB3Cku232hFpkOOLlI2gzPnQbPeVcfhC18sxSWvk/fpgDhUTwPoGnYofl9vLrwpPzbkzvJhaXXcgsfSTuQ5wxK/5YghiLbdq04nnnTzQd8N8QjsUE5w==
    next
end
Configuring the Group
config user group
    edit "Wireless_Auth"
        set member "FAC_4.0"
    next
end
Configuring VAP
Configure captive portal security with an external Portal rather than the native on-FGT portal.
config wireless-controller vap
    edit "fortinet"
        set vdom "root"
        set security captive-portal
        set selected-usergroups "Wireless_Auth"
        set intra-vap-privacy enable
        set local-switching disable
        set external-web "http://192.168.0.122/caplogin"
    next
end
Configuring the FAC Address (Group)
Configure the FortiAuthenticator address or group to use as an exemption rule in the firewall policy. This allows traffic to flow to the FAC portal so that authentication can take place while the user is not yet authenticated. This group may also include any servers used to host images referenced on the FAC portal.
config firewall address
    edit "FortiAuthenticator"
        set type iprange
        set associated-interface "internal"
        set start-ip 192.168.0.122
        set end-ip 192.168.0.123
    next
end
Configuring the Firewall Policy
In these firewall policies, an exemption is made to allow access to the FortiAuthenticator (rule 21) and to external Internet resources (rule 17, "For_SocialWiFi"), which may include content embedded on the portal login page (images, videos, organization website), or may be used in the future to enable exemption for Social WiFi (Google, Facebook, LinkedIn, Twitter).
config firewall policy
    edit 21
        set srcintf "fortinet"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "FortiAuthenticator"
        set action accept
        set schedule "always"
        set service "ALL"
        set captive-portal-exempt enable
    next
    ...
    edit 17
        set uuid 6d71b2b4-4efd-51e4-a21f-272dd0bcdcd9
        set srcintf "fortinet"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "For_SocialWiFi"
        set action accept
        set schedule "always"
        set service "ALL"
        set captive-portal-exempt enable
        set nat enable
    next
end
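The two things that most often go wrong with this setup are an exemption policy that was never created for a path to the FAC, and an address object whose range does not actually contain the FAC IP. The following added example (not Fortinet code) parses the config/edit/set/next/end structure shown above into dictionaries and runs both checks. The sample configuration is constructed for the example: policy 21 and the address object follow the guide, while policy 22 is a hypothetical policy that reaches the FAC without the exemption, so the check has something to report. Only the subset of the FortiOS CLI grammar used in this guide is handled.

```python
import ipaddress
import shlex

# Constructed sample in FortiOS CLI syntax. The address object and policy 21
# follow the guide; policy 22 is a hypothetical mis-configured policy.
SAMPLE_CONFIG = """\
config firewall address
    edit "FortiAuthenticator"
        set type iprange
        set associated-interface "internal"
        set start-ip 192.168.0.122
        set end-ip 192.168.0.123
    next
end
config firewall policy
    edit 21
        set srcintf "fortinet"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "FortiAuthenticator"
        set action accept
        set schedule "always"
        set service "ALL"
        set captive-portal-exempt enable
    next
    edit 22
        set srcintf "fortinet"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "FortiAuthenticator"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    Result shape: {"firewall policy": {"21": {"srcintf": "fortinet", ...}}}.
    A 'set' with several values yields a list, a single value a string.
    """
    root = {}
    stack = []
    current = root
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles the quoted names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(current)
            current = current.setdefault(" ".join(args), {})
        elif cmd == "edit":
            stack.append(current)
            current = current.setdefault(args[0], {})
        elif cmd == "set":
            current[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            current = stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if stack:
        raise ValueError("unterminated config/edit block")
    return root


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def address_covers(config, name, ip):
    """True if the firewall address object `name` contains host `ip`.
    Handles the iprange type used above and the default ipmask/subnet type."""
    addr = config["firewall address"][name]
    host = ipaddress.ip_address(ip)
    if addr.get("type") == "iprange":
        return (ipaddress.ip_address(addr["start-ip"]) <= host
                <= ipaddress.ip_address(addr["end-ip"]))
    if "subnet" in addr:  # 'set subnet <network> <mask>' -> two-value list
        net, mask = addr["subnet"]
        return host in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return False


def missing_exemptions(config, vap_intf, fac_address):
    """IDs of accept policies from the captive-portal VAP to the FAC address
    that lack 'set captive-portal-exempt enable'. Without the exemption an
    unauthenticated client is redirected to the portal it is trying to reach."""
    missing = []
    for pid, pol in config.get("firewall policy", {}).items():
        if (vap_intf in _as_list(pol.get("srcintf", []))
                and fac_address in _as_list(pol.get("dstaddr", []))
                and pol.get("action") == "accept"
                and pol.get("captive-portal-exempt") != "enable"):
            missing.append(pid)
    return missing


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("FAC covered by address object:",
          address_covers(cfg, "FortiAuthenticator", "192.168.0.122"))
    print("policies missing exemption:",
          missing_exemptions(cfg, "fortinet", "FortiAuthenticator"))
```

Feed it the output of `show firewall address` and `show firewall policy` from the FortiGate to run the same checks against a live configuration; the parser ignores nothing silently, so an unexpected line raises rather than producing a misleading result.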
Remote authentication servers
If you already have LDAP or RADIUS servers configured on your network, FortiAuthenticator can connect to them for remote authentication, much like FortiOS remote authentication.
LDAP
If you have existing LDAP servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote LDAP servers.
To add a remote LDAP server entry:
- Go to Authentication > Remote Auth. Servers > LDAP and select Create New. The Create New LDAP Server window opens.
- Enter the following information.
Field | Description
--- | ---
Name | Enter the name for the remote LDAP server on FortiAuthenticator.
Primary server name/IP | Enter the IP address or FQDN for this remote server.
Port | Enter the port number.
Use secondary server | Select to use a secondary server. The secondary server name/IP and port must be entered.
Secondary server name/IP | Enter the IP address or FQDN for the secondary remote server. This option is only available when Use secondary server is selected.
Secondary port | Enter the port number for the secondary server. This option is only available when Use secondary server is selected.
Base distinguished name | Enter the base distinguished name for the server using the correct X.500 or LDAP format. The maximum length of the DN is 512 characters. You can also select the browse button to view and select the DN on the LDAP server.
Bind Type | The Bind Type determines how the authentication information is sent to the server. Select the bind type required by the remote LDAP server. Simple: bind using the user's password, which is sent to the server in plaintext without a search. Regular: bind using the user's DN and password and then search. If the user records fall under one directory, you can use the Simple bind type, but Regular is required to allow a search for a user across multiple domains.
User object class | The type of object class to search for in a user name search. The default is person.
Username attribute | The LDAP attribute that contains the user name. The default is sAMAccountName.
Group membership attribute | Used as the attribute to search for membership of users or groups in other groups.
- If you want to have a secure connection between the FortiAuthenticator unit and the remote LDAP server, under Secure Connection, select Enable, then enter the following:
Field | Description
--- | ---
Protocol | Select LDAPS or STARTTLS as the LDAP server requires.
CA Certificate | Select the CA certificate that verifies the server certificate from the dropdown list.
- If you want to authenticate users using MSCHAP2 PEAP in an Active Directory environment, enable Windows Active Directory Domain Authentication, then enter the required Windows AD Domain Controller information.
Field | Description
--- | ---
Kerberos realm name | Enter the domain's DNS name in uppercase letters.
Domain NetBIOS name | Enter the domain's DNS prefix in uppercase letters.
FortiAuthenticator NetBIOS name | Enter the NetBIOS name that will identify the FortiAuthenticator unit as a domain member.
Administrator username | Enter the name of the user account that will be used to associate the FortiAuthenticator unit with the domain. This user must have at least Domain User privileges.
Administrator password | Enter the administrator account's password.
When you are finished here, go to Authentication > RADIUS Service > Clients to choose whether authentication is available for all Windows AD users or only for Windows AD users who belong to particular user groups that you select. See RADIUS service on page 91 for more information.
- Select OK to apply your changes.
You can now add remote LDAP users, as described in Remote users on page 65.
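The Bind Type, User object class and Username attribute fields above decide what FortiAuthenticator actually sends to the directory: a Simple bind composes a DN directly from the login name, while a Regular bind first searches for the user with a filter built from the object class and username attribute. The following added example (not Fortinet code) shows both constructions with the escaping each one needs so that a login name containing LDAP metacharacters cannot change the meaning of the DN or filter. Defaults match the table (object class `person`, username attribute `sAMAccountName`); the exact DN layout a Simple bind sends is an assumption made for illustration.

```python
# Added example (not Fortinet's code): how the two bind types turn a login
# name into an LDAP operation, with the escaping each one needs.
# The Simple-bind DN layout is an assumption made for illustration.


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515):
    backslash, *, (, ) and NUL become \\XX hex escapes, so a user-supplied
    name cannot alter the structure of the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def escape_dn_value(value):
    """Escape an attribute value inside a distinguished name (RFC 4514):
    special characters are backslash-prefixed; a leading '#' and a
    leading or trailing space are escaped as well."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def simple_bind_dn(username, base_dn, username_attr="sAMAccountName"):
    """Simple bind: no search. The DN is composed from the login name and
    the base DN, so the user entry must sit directly under base_dn."""
    return f"{username_attr}={escape_dn_value(username)},{base_dn}"


def regular_bind_search_filter(username, object_class="person",
                               username_attr="sAMAccountName"):
    """Regular bind: FortiAuthenticator binds with its own account and
    searches the subtree with this filter; the user's DN comes back from
    the search, so users may sit anywhere under the base DN."""
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(object_class),
        username_attr,
        escape_filter_value(username),
    )


if __name__ == "__main__":
    base = "dc=example,dc=com"  # constructed base DN
    print(simple_bind_dn("jdoe", base))
    print(regular_bind_search_filter("jdoe"))
    # A name containing filter metacharacters is neutralised, not interpreted.
    print(regular_bind_search_filter("*)(sAMAccountName=*"))
```

Note the two escaping rules are different: a value that is safe inside a filter is not automatically safe inside a DN, which is why the Simple and Regular paths use separate helpers.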
I am trying to get users to be able to do a password change when they VPN into the network after their password expires.
One issue I am running into is on the Authenticator under Monitor: the status of the connection only says "Joined AD" and "not connected". Do you know why?
I am experiencing the same problem