Configuring WiFi captive portal security – FortiGate captive portal

Configuring WiFi captive portal security – FortiGate captive portal

The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.

To configure a WiFi Captive Portal – web-based manager:

  1. Go to WiFi & Switch Controller > SSID and create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

  1. In Security Mode, select Captive Portal.
  2. Enter
Portal Type The portal can provide authentication and/or disclaimer, or perform user email address collection. See Defining a wireless network interface (SSID) on page 45.
Authentication Portal Local
User Groups Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.
Exempt List Select exempt lists whose members will not be subject to captive portal authentication.
Customize Portal Messages Click the link of the portal page that you want to modify. For more information see the Captive Portal chapter of the Authentication Guide.
  1. Select OK.

Configuring WiFi captive portal security – external server

An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.

On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data magic=session_id&username=<username>&password=<password>.

(The magic value was provided in the initial FortiGate request to the web server.)

To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

config user setting set auth-secure-http enable

end

To configure use of an external WiFi Captive Portal – web-based manager:

  1. Go to WiFi & Switch Controller > SSIDand create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

  1. In Security Mode, select Captive Portal.
  2. Enter
Portal Type The portal can provide authentication and/or disclaimer, or perform user email address collection.
Authentication Portal External – enter the FQDN or IP address of the external portal. Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.
User Groups Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.
Exempt List Select exempt lists whose members will not be subject to captive portal authentication.
Redirect after Captive Portal Original Request

Specific URL – enter URL

 

SSID Groups

  1. Select OK.
This entry was posted in Administration Guides, FortiAP on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.