Captive portal
The following section describes how you can use FortiAuthenticator to grant remote users access to certain portions of the network using delegated authentication through a captive portal. Authentication requires the user to associate their device with the guest SSID as published by the FortiGate wireless controller.
The FortiGate facilitates access control by redirecting the user’s web browser to one of the FortiAuthenticator’s captive portals. As such, some FortiGate configuration is required.
The following captive portal authentication options are available:
l Credentials authentication l Social WiFi authentication l MAC address authentication
To enable each captive portal:
Captive portal access is enabled on a per-FortiGate basis through the RADIUS client configuration at Authentication > RADIUS Service > Clients > Enable captive portal.
Options are available to enable each captive portal individually:
To configure each captive portal:
General captive portal configuration is available under Authentication > Captive Portal > General.
Credentials authentication
The credentials portal requires known users (users who already have an account) to authenticate using their credentials (password and/or token code). The goal is to restrict access to a set of pre-authorized users only.
For the Credentials portal, the administrator must indicate which of the profiles to use for user authentication. For environments where there is one FortiWifi with multiple access points (AP), the administrator can specify a list of IP addresses for all the APs.
When the user is redirected to the Credentials portal login page, they must enter their username and password, and (optionally) their FortiToken passcode. Upon successful login, the user is redirected to the webpage originally requested.
Social WiFi authentication
Social Wifi authentication allows FortiAuthenticator to utilize third-party user identity methods (social sites, valid e-mail address, or phone number) to authenticate users into a wireless guest network.
The goal is to provide some traceability of users without requiring the heavy overhead of creating guest accounts.
Third-party authentication methods
Supported third-party authentication methods are described in the table below.
Each third-party method can be enabled or disabled on an individual basis under Authentication > Captive Portal > General.
Third-party method | Method description |
Google + | Log-in using Google+ is an option for Google users, utilizing the OAUTH2 protocol described here: https://console.developers.google.com/start.
Once logged in, the user can Add to Circles with the organization. |
Log-in via Facebook is known as “Facebook Connect” and is described here: https://developers.facebook.com/products/login.
Once logged in, the user can Like the organization’s Facebook page. |
|
Log-in via Linkedin is supported using the OAUTH2 protocol as described here: https://developer.linkedin.com/documents/authentication.
Once logged in, the user can Connect with the organization. |
|
Log-in via Twitter is supported as described here: https://dev.twitter.com.
Once logged in, the user can Follow the organization. |
|
Form-based authentication | Similar to the existing Self-registration page, it is possible to register by supplying user details. It is also possible to register using minimal (configurable) information, for example: e-mail or mobile-only. Such information is commonly gathered in short-term transient use locations such as airports and coffee shops. |
SMS-based authentication | In SMS-based authentication, the user is redirected to a registration portal which requests a valid mobile phone number. When the user enters their number, a passcode is sent to their mobile device. The user then enters this passcode at the authentication screen to successfully authenticate. |
Email-based authentication | Email-based authentication is similar to SMS-based authentication, except that the user enters their email address instead of their mobile phone number. A passcode is then sent to the user’s email address.
The user enters this passcode into the captive portal registration page. |
MAC address authentication
This feature is particularly useful in situations where only the identity of the user is important, for example:
l Wireless guest networks l Retail environments l Transient access (airports, hotels, etc.) The purpose is to identify and authenticate users with minimal interaction from the user, with some traceability of the users. This authentication method is less disruptive and therefore provides a better user experience.
With MAC address authentication enabled, the user attempts to open a web browser but is intercepted by the FortiGate wireless controller, and redirected to the FortiAuthenticator portal configured to record the user’s MAC address (without requiring any user interaction). The user is then redirected to the webpage originally requested.
Access Control
The Access Control page under Authentication > Captive Portal provides a consolidated view of which RADIUS client has access to which captive portal(s).
Replacement Messages
Custom login pages for authentication are configurable on a per device, location, or organization basis, allowing the administrator to customize content specific to a brand identity. See Captive Portal > Replacement Messages.
For example:
- Default Webpage Portal Login
You can change the default webpage portal login at Authentication > Captive Portal > Replacement Messages by simply editing the HTML for the Captive Portal Login Page item.
- Default Social Authentication Login Portal
You can change the default social authentication login page at Authentication > Captive Portal > Replacement Messages by simply editing the HTML for the Captive Portal Social Login Page item.
- Terms and Disclaimer Agreement page
For all portals, it is possible to require that the user agree to a Terms and Disclaimer Agreement before proceeding to the authentication method. You must enable this requirement for the desired portal under Captive Portal > General.
You can change the default disclaimer at Authentication > Captive Portal > Replacement Messages by simply editing the HTML for the Captive Portal Login DisclaimerPage item.
- FortiAuthenticator Splash Page
Following a successful login, the FortiGate may be configured to redirect to the FortiAuthenticator splash page. The splash page may contain tools that can improve the customer’s social media presence.
You can change the default splash page at Authentication > Captive Portal >
Replacement Messages by simply editing the HTML for the Captive Portal Splash Screen Page item.
To edit a replacement message:
- Select a message in the replacement message list.
- Edit the plain text or HTML code in the lower right pane, or select the open in new window icon to edit the message in a new browser window.
- When you are finished editing the message, select Save to save your changes.
- If you have made an error when editing the message, select Restore Default to restore the message to its default value.
Manage Images
Images can be managed by selecting Manage Images in the Replacement Messages window. Images can also be added, deleted, and edited.
To add an image:
- In the manage images screen, select Create New to open the Create New Image
- Enter a name for the image in the Name
- Select .., find the GIF, JPEG, or PNG image file that you are adding, and then select Open. The maximum image size is 65kB.
- Select OK to add the image.
To delete an image:
- In the manage images screen, select an image, then select Delete.
- Select Yes, I’m sure in the confirmation window to delete the image.
To edit an image:
In the manage images screen, select an image, then select Edit.
- In the Edit Image window, edit the image name and file as required.
- Select OK to apply your changes.
Account expiry
Account expiry can be configured for Social and MAC Address portals under Authentication > Captive Portal > General. Set the desired timeout next to Account expires after.
Account expiry is not available for the Credentials portal.
Captive portal communication workflow example (WiFi)
- The client associates their Wi-Fi device to the guest SSID as published by the FortiGate wireless controller.
- The client opens a browser. Based on the configured home page or requested webpage, the initial HTTP traffic is intercepted by the FortiGate wireless controller and redirected to the FortiAuthenticator web login page defined in the FortiGate captive portal profile.
- The client enters their user credentials on the FortiAuthenticator web login page.FortiAuthenticator performs any pre-authorizationn checks that are required and displays the login message to the guest user. If the client does not have credentials, there may (depending on configuration) be an option to purchase login time.
- The login message instructs the guest user’s browser to submit the user credentials directly to the FortiGate as HTTPS POST for authentication processing.
- When the FortiGate receives the client credentials in the HTTPS POST, it sends a RADIUS Access-Request to the FortiAuthenticator RADIUS server to authenticate the user.
- FortiAuthenticator validates the Access-Request message using its user database which can either be local or remote (LDAP/RADIUS).
- Based on the results of the authentication and authorization processing, FortiAuthenticator responds with either an Access-Accept or Access-Reject message. If the authentication is successful, the Access-Accept message contains one or more RADIUS attributes to define the context of the client session. These attributes can include, but are not limited to: the session duration, bandwidth, and access permissions. When the FortiGate receives the Access-Accept message, it changes the role of the client session allowing the device access to the network.
- Following a successful authentication and initiation of the user session, the client is redirected to the originally requested URL, which should now be accessible.
- Based on the Session-Timeout received in the original Access-Accept packet from FortiAuthenticator, the FortiGate counts down the remaining time that is valid for the current guest user session. When the time has expired, or if the user manually terminates the session, FortiGate terminates the session.
I am trying to get uses to be able to do a password change when they VPN into the network after their password expire’s.
One issue i am running into is on the Authenticaticator under monitor the status of the Connection only says “Joined AD” and “not connected” do you know why ?
I am experiencing the same problem