sossie
New Member
May 28, 2020
Question

FortiGate captive portal with FortiAuthenticator - howto?


Hi there,

We have a single FortiGate with one interface operating as a wired captive portal for guest internet (this is not wifi). We use the guest admin (the receptionist) to provision accounts for guests.

It works well, but now we have introduced a 2nd FortiGate at a separate site, and would like to have a single user across both sites.

We also have FortiAuthenticator. We are wondering if/how we can set the Guest Portal on the FortiAuthenticator, and configure the FortiGate to use an "External" captive portal.

I'm sure this is possible, but all the cookbook documentation is either old, or for captive portal wifi only. Does anyone have a step by step to do this? We are running FortiGate 6.2 and FortiAuthenticator 6.0.

Can anyone help?

Thanks

    1 reply

    xsilver_FTNT
    Staff
    June 1, 2020

    Hi,

    How about this way? You need to invest a little bit of effort, but a raw skeleton might look like this:

    step 1 - on FortiGate (FGT hereinafter) set FortiAuthenticator (FAC hereinafter) as external captive portal

    step 2 - on FAC decide how you would like to manage users.

    - are those going to get synced from Microsoft Active Directory? .. tag "#Remote_user_sync_rules"

    - are those local or guests? .. tag #Guest_users

    https://docs.fortinet.com/document/fortiauthenticator/6.0.4/administration-guide/704851/user-management#Guest_users

    step 3 - your FGT will be a RADIUS client to FAC, and it needs to be set up

    https://docs.fortinet.com/document/fortiauthenticator/6.0.4/administration-guide/294825/radius-service#RADIUS_service

    step 4 - set Guest portal on FAC ...  https://docs.fortinet.com/document/fortiauthenticator/6.0.4/administration-guide/617902/guest-portals#Guest_portals

    step 5 - testing with known user

    on FAC - https://docs.fortinet.com/document/fortiauthenticator/6.0.4/administration-guide/673074/troubleshooting

    on FGT - https://kb.fortinet.com/kb/microsites/searchEntry.do search for troubleshooting

    - use packet captures to see RADIUS packets (default auth port 1812.udp)

    - flow debug to see which policies handled the stuff

    - diag debug app fnbamd 7

    - diag firewall auth list

    etc. etc.
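
For the RADIUS packet-capture check in step 5, an added example (not part of the reply above and not Fortinet code): it parses RADIUS packets per RFC 2865 and verifies the Response Authenticator, which fails when the shared secret configured on the RADIUS client and on the server differ. It assumes PAP; the secret, user name, password and both packets are constructed sample values.

```python
import hashlib, hmac, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", request_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def signed_reply(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(header + Request Authenticator + attrs + secret)."""
    unsigned = packet(code, ident, request_auth, attrs)
    return packet(code, ident, hashlib.md5(unsigned + secret).digest(), attrs)

def parse(data):
    """Return (code, ident, authenticator, raw_attrs, [(type, value), ...])."""
    if len(data) < 20 or not 20 <= int.from_bytes(data[2:4], "big") <= len(data):
        raise ValueError("truncated packet or bad length field")
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], data[20:length], attrs

def response_ok(response, request, secret):
    """True if the reply echoes the request ID and was signed with `secret`."""
    code, ident, resp_auth, raw, _ = parse(response)
    expected = signed_reply(code, ident, request[4:20], raw, secret)[4:20]
    return ident == request[1] and hmac.compare_digest(resp_auth, expected)

# Constructed sample exchange (not captured traffic); every value is made up.
SECRET, REQ_AUTH = b"constructed-secret", bytes(range(16))
HIDDEN = hide_password(b"Welcome123", SECRET, REQ_AUTH)
REQUEST = packet(ACCESS_REQUEST, 7, REQ_AUTH, attr(USER_NAME, b"guest01") + attr(USER_PASSWORD, HIDDEN))
ACCEPT = signed_reply(ACCESS_ACCEPT, 7, REQ_AUTH, attr(REPLY_MESSAGE, b"ok"), SECRET)
```

With a real capture, pass the UDP payloads of a request and its reply to `response_ok` together with the secret configured on each side; a `False` result with one side's secret points to a mismatch.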