FortiWLC – Fortinet Captive Portal

Optionally Customize and Use Your Own HTML Pages

If you want to create custom Captive Portal login and success pages with your own logos and credentials, complete the directions in this section. You do not need to do this if you plan to use all of the default Captive Portal pages provided by Fortinet Networks (see login example in Figure 57 on page 282). If you do want to create custom HTML pages, you can create up to four sets of Captive Portal custom login pages; these are referred to as Captive Portal 1 through 4. Each set has 6 files, but you can only create customized pages for the main login page and the authentication successful page. The remaining four HTML pages are always the default pages. If you create multiple custom files, they must both use the same authentication (RADIUS or Local) with up to 300 local users (the users can be different for each custom portal).

All Custom Portal pages (HTML, CSS, JS, and graphics) for the default pages and up to four sets of Custom Portal 2 pages that you create are all located in the same folder. This makes it imperative that you use unique names for all custom files. It also means that you can share a file such as a CSS file used for both CP1 and CP2 custom pages. This is also how and why any pages that you do not customize will use default HTML files. Here are the locations for the custom web portal files:

/opt/meru/etc/ws/html.vpn.custom

/opt/meru/etc/ws/Styles.vpn.custom

/opt/meru/etc/ws/Images.vpn.custom

 

Create Custom Pages

The easiest way to create your own set of custom pages is to download Fortinet default files and use the two customizable ones (Login page and Success page) as templates, giving the two altered HTML pages new names. To do this, follow these steps:

  1. Get the template files. Click Maintenance > Captive Portal > Customization > Get Files. A zip file called zip.tar.gz is downloaded to your computer. When the zip.tar.gz file is unzipped, you see the folder html.vpn that contains these six default files:
    • Login page can be customized (default filename is loginformWebAuth.html)
    • Successful login page can be customized (default filename is auth_web_ok.html)
    • Your login failed – try again page (default filename is loginformWebAuthRetry.html)
    • Web authentication succeeded; do you want to log off? (default filename is logoffUser.html)
    • You are now logged off page (default filename is loggedoff.html)
    • Your logoff failed – try again page (default filename is logoffUserFailed.html)
  2. You can only create two custom files per Captive Portal interface: a replacement for the Login page loginformWebAuth.html and a replacement for the Successful Login page auth_web_ok.html. Locate the two customizable HTML files on your computer and use them as templates to create your own custom HTML files. Use a program such as Notepad, make your changes, and then save the files with unique names.
    • CSS, JavaScript, and HTML are supported.
    • You can upload graphics up to 50K each in the formats .html, .gif, .jpg, .png, .bmp, .css, .js.

To replace the first Fortinet logo graphic, look for the line that reads: src="Images.vpn/img_merulogo.gif" width=133 border=0></A></TD>

Change the text "Images.vpn/img_merulogo.gif" to "Images.vpn.custom/your_image.gif" (Note that you are specifying a new directory for the .gif file, which is Images.vpn.custom).

To replace the second graphic (the mountain), look for the line that reads: src="Images.vpn/img_aboutmeru.jpg" width=326 border=0></TD></TR>

Change the text "Images.vpn/img_aboutmeru.jpg" to "Images.vpn.custom/your_image2.gif" (Note that you are specifying a new directory for the .gif file, which is Images.vpn.custom).

Possible edits include changing logos, text, and formatting. The only lines that cannot be altered are the login communication process between the controller and the RADIUS server in the file loginformWebAuth.html.

  3. Import all new Captive Portal files (HTML, CSS, JS, and graphics) to the controller one by one. Click Maintenance > Captive Portal > Import File > enter the location/file in the text box > Import File. Be sure that the files have unique names; they will all be placed in the same directory.
  4. Tell the controller to use custom pages. Click Configuration > Captive Portal and select the radio button Customization.

The custom HTML, CSS, JS, and graphic files are now on the controller.

  5. If you want to remove the word Fortinet or make any other changes in the four remaining files loginformWebAuthRetry.html, logoffUser.html, loggedoff.html, or logoffUserFailed.html, alter the default files that you downloaded in Step 1 and import them as you did in Step 3. All five sets of Portal pages (default, CP1, CP2, CP3, and CP4) will then use the default files that you altered. These four files have only one version. See Figure 59.

Figure 59: Captive Portal HTML Pages (maximum)
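
A pre-import check for the constraints in the steps above, added here as an example and not part of the Fortinet guide: it walks a local staging folder and reports files over the 50K limit, file types outside the accepted list, names that collide once everything lands in the single custom directory, and image or style references that do not match what is staged. The folder layout (cp1/, cp2/), the sample file names, and the reading of 50K as 50 KiB are assumptions.

```python
import re
import tempfile
from pathlib import Path

MAX_BYTES = 50 * 1024  # the guide's "50K" per-file limit, read as 50 KiB (assumption)
ALLOWED_EXT = {".html", ".gif", ".jpg", ".png", ".bmp", ".css", ".js"}
# The two customizable defaults; the guide says to save edited copies under new names.
RESERVED = {"loginformwebauth.html", "auth_web_ok.html"}
# src/href values pointing into a default (Images.vpn) or custom (Images.vpn.custom) directory.
REF = re.compile(r"""(?:src|href)\s*=\s*["']?(?:Images|Styles)\.vpn(\.custom)?/([^"'\s>]+)""", re.I)

def check_bundle(folder):
    """Return sorted (relative_path, problem) pairs for files staged for import."""
    root = Path(folder)
    files = [p for p in root.rglob("*") if p.is_file()]
    by_name = {}
    for p in files:  # the controller keeps every imported file in one directory
        by_name.setdefault(p.name.lower(), []).append(p)
    problems = []
    for p in files:
        rel, name, ext = p.relative_to(root).as_posix(), p.name.lower(), p.suffix.lower()
        if ext not in ALLOWED_EXT:
            problems.append((rel, "file type not in the accepted list"))
        if p.stat().st_size > MAX_BYTES:
            problems.append((rel, "larger than 50K"))
        if name in RESERVED:
            problems.append((rel, "reuses a default page name"))
        if len(by_name[name]) > 1:
            problems.append((rel, "same name as another staged file"))
        if ext == ".html":
            text = p.read_text(encoding="utf-8", errors="replace")
            for custom, target in REF.findall(text):
                staged = Path(target).name.lower() in by_name
                if staged and not custom:
                    problems.append((rel, f"{target}: staged file referenced via default directory"))
                elif custom and not staged:
                    problems.append((rel, f"{target}: referenced but not staged"))
    return sorted(problems)

def demo():
    """Build a constructed staging folder (sample data, not real portal files) and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("cp1", "cp2"):
            (root / sub).mkdir()
        (root / "cp1" / "library_login.html").write_text(
            '<img src="Images.vpn/library_logo.gif" width=133 border=0>'
            '<link href="Styles.vpn.custom/missing.css">')
        (root / "cp1" / "library_logo.gif").write_bytes(b"GIF89a" + b"\0" * 100)
        (root / "cp1" / "portal.css").write_text("body{}")
        (root / "cp2" / "portal.css").write_text("body{color:red}")
        (root / "cp2" / "stadium.svg").write_text("<svg/>")
        (root / "cp2" / "banner.jpg").write_bytes(b"\xff\xd8" + b"\0" * (60 * 1024))
        return check_bundle(root)

if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

A file reported as "referenced but not staged" may already be on the controller from an earlier import; compare against the output of show web custom-area before treating it as missing.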

Next, tell FortiWLC (SD) which custom files to use under what circumstances. Either Implement New Custom HTML Files Using the CLI or Implement New Custom HTML Files Using the GUI.

Implement New Custom HTML Files Using the CLI

Implement custom Captive Portal pages with the CLI by indicating which subset of users should see the new login and success pages; when a user logs in from this subnet, they will see the corresponding custom pages. You can implement up to two sets of Captive Portal pages at a time. For example, students in a library might see the Custom Captive Portal 1 login and success pages while visitors to the football stadium see the Custom Captive Portal 2 login and success pages. See Figure 59.

Determine who will see which pages. Point to two custom Captive Portal pages with the CLI command web custom CaptivePortal[1|2] landing-file-name <landing.html> success-file-name <success.html>. Then, point to the network or subnet for the custom captive portal pages with web custom CaptivePortal[1|2] subnet <x.x.x.x> mask <x.x.x.x>. For example:

MC3K-1# configure terminal

MC3K-1(config)# web custom ?

CaptivePortal1         Custom configuration for captive portal 1

CaptivePortal2         (10) Custom configurations for captive portal2.

CaptivePortal3         (10) Custom configurations for captive portal3.

CaptivePortal4         (10) Custom configurations for captive portal4.

MC3K-1(config)# web custom captiveportal2 ?

landing-file-name

subnet

MC3K-1(config)# web custom CaptivePortal1 landing-file-name landing.html success-file-name success.html

MC3K-1(config)# web custom CaptivePortal1 subnet 1.1.1.0 mask 255.255.255.0

MC3K-1(config)# exit

MC3K-1# show web ?

custom                 Displays IP range for captive portal custom mode.

custom-area            Lists the files in the custom area for web-auth and captive portal.

login-page             Displays the type of login page used for web-auth and captive portal.

MC3K-1# show web custom-area

Html Files

total 16

-rw-rw-rw-    1 root     root         2607 Jul 13 16:26 page2OK.html

-rw-rw-rw-    1 root     root         4412 Jul 13 16:26 page2LOGIN.html

-rwx------    1 root     root         2607 Jul 13 16:04 auth_web_ok.html

-rw-rw-rw-    1 root     root         4412 Jul 13 16:04 loginformWebAuth.html

-rwx------    1 root     root            0 Jun 30 00:31 empty.html

Image Files

total 9

-rwx------    1 root     root            0 Jun 30 00:31 empty.gif

-rw-rw-rw-    1 root     root         8574 Oct 29  2008 Sample.jpg

MC3K-1# show web login-page custom
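
The subnet matching described in this section can be checked offline before users land on the wrong login page. This added example (not FortiWLC code) parses web custom command lines as typed above, flags subnets with host bits set, portals that have a subnet but no pages, and subnets that overlap across portals, and reports which portal sets a client address falls into. The sample lines are constructed, and the guide does not state how the controller resolves overlapping subnets, so overlaps are only reported.

```python
import ipaddress
import re

# Constructed sample: command lines in the form shown in this section.
SAMPLE_CONFIG = """\
web custom CaptivePortal1 landing-file-name landing.html success-file-name success.html
web custom CaptivePortal1 subnet 1.1.1.0 mask 255.255.255.0
web custom CaptivePortal2 landing-file-name page2LOGIN.html success-file-name page2OK.html
web custom CaptivePortal2 subnet 1.1.0.0 mask 255.255.0.0
web custom CaptivePortal3 subnet 10.20.30.7 mask 255.255.255.0
"""

PAGES = re.compile(r"web custom (CaptivePortal[1-4]) landing-file-name (\S+) success-file-name (\S+)", re.I)
SUBNET = re.compile(r"web custom (CaptivePortal[1-4]) subnet (\S+) mask (\S+)", re.I)


def audit(config):
    """Return ({portal: [networks]}, findings) for a block of web custom commands."""
    subnets, pages, findings = {}, set(), []
    for line in config.splitlines():
        if m := PAGES.search(line):
            pages.add(m.group(1).lower())
        elif m := SUBNET.search(line):
            portal, addr, mask = m.group(1).lower(), m.group(2), m.group(3)
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if str(net.network_address) != addr:
                findings.append(f"{portal}: {addr} has host bits set, network is {net}")
            subnets.setdefault(portal, []).append(net)
    for portal in sorted(subnets):
        if portal not in pages:
            findings.append(f"{portal}: subnet configured but no landing/success pages")
    flat = sorted((n, p) for p, nets in subnets.items() for n in nets)
    for i, (a, pa) in enumerate(flat):
        for b, pb in flat[i + 1:]:
            if pa != pb and a.overlaps(b):
                findings.append(f"{a} ({pa}) overlaps {b} ({pb})")
    return subnets, findings


def portals_for(client_ip, subnets):
    """List every portal whose subnet contains client_ip (empty list = default pages)."""
    ip = ipaddress.ip_address(client_ip)
    return sorted(p for p, nets in subnets.items() if any(ip in n for n in nets))


if __name__ == "__main__":
    nets, issues = audit(SAMPLE_CONFIG)
    for issue in issues:
        print("finding:", issue)
    for ip in ("1.1.1.25", "1.1.9.9", "192.168.0.5"):
        print(ip, "->", portals_for(ip, nets) or "default pages")
```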

Implement New Custom HTML Files Using the GUI

Implement custom Captive Portal pages with Web UI by first directing Captive Portal to use custom HTML files; those HTML files will then reference the CSS, JS and graphic files you imported. Second, indicate which subset of users should see the new login and success pages by providing a subnet and a mask; when a user logs in from this subnet, they will see the corresponding custom pages. For example, students in a library might see the Custom Captive Portal 1 login page while visitors to the football stadium see the Custom Captive Portal 2 login page.

Direct Captive Portal to use custom HTML files by following these steps:

  1. Click Maintenance > Customization > select a controller > Change Mode.
  2. Scroll down and select Customized.

Indicate which subset of users should see the custom pages by following these steps:

  1. Make sure that security logging is set to on by clicking Configuration > Security > Profile and then selecting a security profile from the list. The security logging setting is near the bottom of the Security Profile Table. This setting must be set to on for Captive Portal configuration to work.
  2. Click Maintenance > Captive Portal > Custom CP. The Custom Captive Portal page is displayed.

Figure 60: Custom Captive Portal Page

  3. Provide the names of the new HTML Login Page and Success Page for CP1. Since they are on the controller now, you do not have to indicate a location. Click Save Page Info.
  4. Provide at least one subnet location by clicking Add, providing a Subnet IP and a Network Mask, then clicking OK. Users logging in from this subnet will see these custom pages.
  5. Create a corresponding Security Profile for this portal by clicking Configuration > Security > Profile > Add. Be sure that the setting for Captive Portal is set to webauth in this profile, then save it.
  6. Click Configuration > Security > Captive Portal. In this window, identify the RADIUS server, whether or not to adjust the session, and idle timeouts. Session timeout and idle timeout are indicated in minutes.

The L3 User Session Timeout field is used for specific clients that have issues in which they get deauthenticated upon entering sleep mode. This field specifies that the controller will retain these clients in memory for the specified number of minutes before the client is dropped from the captive portal authentication state.

  7. Click OK.

The custom HTML files are now configured. You can configure up to four sets of custom files, Captive Portal 1, Captive Portal 2, Captive Portal 3, and Captive Portal 4; or, you can use the default files. See Figure 59.

Configure Captive Portal with the CLI

  • radius-profile defines the primary and secondary Captive Portal authentication servers.
  • accounting-radius-profile defines the primary and secondary Captive Portal accounting servers.
  • captive-portal > activity-timeout determines one timeout value. If a client is idle for this many minutes, the client is asked to reauthenticate.
  • captive-portal > session-timeout determines one timeout value. If a client session lasts this long (minutes), the client is asked to reauthenticate.
  • change_mac_state
  • ssl-server captive-portal-external-URL directs Captive Portal to use a third-party solution located at the named URL.
  • captive-portal-auth-method sets authentication to internal (default for Fortinet) or external for third-party solutions.

Captive Portal CLI Examples

This example configures Captive Portal with the CLI by completing these tasks:

  • Create a guest user ID (Guest) and password.
  • Enter the service start time (01/01/2010 00:00:00).
  • Enter the service end time (01/01/2011 00:00:00).
  • Show the Captive Portal.

MC3K-1(config)# guest-user ?

<guestname> Enter the name of the guest user.

MC3K-1(config)# guest-user Guest ?

<password> Enter the password of the guest user.

MC3K-1(config)# guest-user Guest XXXXX ?

<start-time> Enter the service start-time (mm/dd/yyyy hh:mm:ss) in double quotes.

MC3K-1(config)# guest-user Guest XXXXX "01/01/2010 00:00:00" ?

<end-time> Enter service end-time (mm/dd/yyyy hh:mm:ss) in double quotes.

MC3K-1(config)# guest-user Guest XXXXX "01/01/2010 00:00:00" "01/01/2011 00:00:00" ?

<CR>

MC3K-1(config)# guest-user Guest XXXXX "01/01/2010 00:00:00" "01/01/2011 00:00:00"

MC3K-1(config)# exit

MC3K-1#

MC3K-1# show guest-user

Guest User Name    Service Start Time     Service End Time

Guest              01/01/2010 00:00:00    01/01/2011 00:00:00

        Guest User Table(1 entry)

The commands in this section show how to configure Captive Portal. The RADIUS server user configuration is performed separately, and is vendor-specific. (Check the Customer Service website for applicable Application Notes.) The Microsoft Internet Explorer and Netscape 7 browsers are both supported for the client application.

  1. Create the Security Profile for the WebAuth Captive Portal:

default# configure terminal

default(config)# security-profile web_auth

default(config-security)# captive-portal webauth

default(config-security)# exit

default(config)# exit

  2. Bind the web_auth Security Profile to an ESSID:

default# configure terminal

default(config)# essid WebAuth-meru-WIFI

default(config-essid)# security-profile web_auth

default(config-essid)# exit

  3. Set the SSL server to use the primary RADIUS authentication server profile:

default(config)# ssl-server radius-profile primary main-auth

default(config)# end

  4. Save the configuration:

default(config)# copy running-config startup-config

When users are authenticated, they can be moved into a corporate VLAN and can have QosRules applied to their session. Each user has a session timeout; if none is supplied, the default of 33 minutes is used. If a user disconnects and connects back to the same SSID on the same controller within 60 seconds, no re-authentication is required. The session time returned from the RADIUS server takes priority. If the RADIUS server doesn't return the session time, the configured values are used.

Create Captive Portal Guest User IDs Locally

For authentication purposes, you can set up guest user IDs instead of using RADIUS authentication. (This is also a backup for RADIUS authentication; if RADIUS fails, this list is then used.) Releases 3.6 and later support user IDs. Be sure that the field Captive Portal Authentication is set as Local when using Guest IDs (click Configuration > Security > Captive Portal).

The guest user features of both releases are as follows.

Guest User Feature                  Supported
Number of users                     300
Add/delete users                    yes
Change user's password              yes
Time of day login                   yes
Day of month login                  yes
Assigned to local administrators    yes

CLI Example – Create Guest User ID

This CLI example creates the guest user named Guest:

MC3K-1# configure terminal

MC3K-1(config)# guest-user ?

<guestname>            Enter the name of the guest user.

MC3K-1(config)# guest-user Guest ?

<password>             Enter the password of the guest user.

MC3K-1(config)# guest-user Guest XXXXX ?

<start-time>           Enter the service start-time (mm/dd/yyyy hh:mm:ss) in double quotes.

MC3K-1(config)# guest-user Guest XXXXX "01/01/2010 00:00:00" ?

<end-time>             Enter service end-time (mm/dd/yyyy hh:mm:ss) in double quotes.

MC3K-1(config)# guest-user Guest XXXXX "01/01/2010 00:00:00" "01/01/2011 00:00:00" ?

<CR>

MC3K-1(config)# guest-user Guest XXXXX "01/01/2010 00:00:00" "01/01/2011 00:00:00"

MC3K-1(config)# exit

MC3K-1#

MC3K-1# show guest-user

Guest User Name    Service Start Time     Service End Time

Guest              01/01/2010 00:00:00    01/01/2011 00:00:00

        Guest User Table(1 entry)

MC3K-1#

There is an additional option for Local Authentication so that when local authentication for a Captive Portal user fails, RADIUS authentication is automatically checked; this option is called Local and RADIUS. From the Web UI, configure this by clicking Configuration > Security > Captive Portal.

Figure 61: Local Captive Portal Authentication Has Two Options

The corresponding CLI command ssl-server captive-portal authentication-type configures the controller to use both local and RADIUS authentication.

Controller(config)# ssl-server captive-portal authentication-type ?

local                  Set Authentication Type to local.

local-radius           Set Authentication Type to Local and RADIUS.

radius                 Set Authentication Type to RADIUS.

Optionally Configure Pre-Authentication Captive Portal Bypass

Not all users or traffic types need to be authorized and authenticated by Captive Portal; users of VPN software can pass through the portal without authentication. To enable this passthrough firewall filter ID, follow these steps:

  1. Click Configuration > Security > Profile.
  2. Enter the name of the Passthrough Firewall Filter ID.
  3. Click Configuration > QoS > System Settings to see the QosRule section of the Configuration menu (a license for PPF is required to enter the passthrough rules).
  4. Add a rule. Remember that rules are stored in the order they are entered and cannot be modified once they are entered.
  5. At the bottom of the screen enter the QoS Filter ID.

The last entry in the filter should be a rule that drops all other traffic, so that traffic other than the passthrough will not be allowed to traverse the Captive Portal without authentication.

Bypass Apple Captive Network Assistant (CNA)

You can bypass or disable the CNA. When enabled, the auto-login pop-up is not displayed in a captive portal authentication (in tunneled mode) using an Apple device or Android devices running Android 5.0 or later.

Using GUI

To enable CNA bypass, go to Configuration > Captive Portal > Advanced Settings section and select ON for Bypass Apple CNA.

Using CLI

Use the cna-bypass option in the ssl-server command to enable or disable CNA bypass.

mc3200(15)# configure terminal

master(15)(config)# ssl-server cna-bypass on

master(15)(config)# exit

master(15)# sh ssl-server

Captive Portal

Name                                         : Captive Portal

Server Port                                  : 10101

User Authentication Protocol                 : None

Server Lifetime                              : 100

Server IP                                    : 172.18.34.177

Certificate                                  :

Authentication Type                          : radius

Primary Profile                              :

Secondary Profile                            :

Primary Profile                              :

Secondary Profile                            :

Accounting Interim Interval (seconds)        : 60

CaptivePortalSessionTimeout                  : 0

CaptivePortalActivityTimeout                 : 0

Protocol                                     : https

Portal URL                                   :

CaptivePortal External URL                   :

CaptivePortal External IP                    : 172.18.34.177

L3 User Session Timeout(mins)                : 1

Apple Captive Network Assistant (CNA) Bypass : on


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on "FortiWLC – Fortinet Captive Portal"

  1. Sam

    Hello,
    I’m struggling with the following setup:
    My APs and controller are in the same vlanX, so they connect automatically.
    I have an internet connection that I would like guests to use (completely separate from any corporate resources), let's say vlanY.
    I want to set up a Guest SSID that makes use of a Captive Portal, and then puts users in vlanY (tunneled or bridged) directly connecting to the internet.
    I don’t seem to get the (local auth) captive portal however….

    Any suggestions?
    Thanks!

    1. Mike Post author

      Sam,

      Will need some more information about how your network is laid out. For instance, firewalls, switches, and how your traffic flows. The location of the captive portal and more. Also, have you done any debugging to watch how the process is currently taking place?
