lincoweb
New Member
March 14, 2023
Question

Need help setting up FortiNAC as External Captive Portal for Bridged Guest SSID created in FortiGate

  • March 14, 2023
  • 6 replies
  • 8135 views

Hi Guys,

I am having some issues understanding how to configure FortiNAC to authenticate and grant access to guest/contractor users connecting via a guest SSID created on FortiGate.

This is what i have setup already:

  • FortiNAC has FortiGate in the Network-->Inventory container (SNMP v3c and SSH v2 connections configured)
  • FortiNAC running both local and proxying RADIUS to enterprise Server
  • FortiNAC connected to security Fabric
  • Bridge mode SSID created in FortiGate using external authentication captive portal pointing to FortiNAC URL
  • FortiNAC configured for Guest Self Registration (guests can also be created locally by admin/sponsors)

I simply want guest users connecting to the SSID to be authenticated by FortiNAC and be granted access to the wireless network so they can browse the internet. I can't seem to find any configuration examples for this. I see documents speaking to creating Logical Networks etc. The term Model Configuration also comes up, but I don't see this tab for the FortiGate in the Network -> Inventory view. I've been struggling with this for months. Please help.

 

6 replies

ebilcari
Staff
March 15, 2023

The Model Configuration in FortiNAC can be found under Virtualized Devices, like:

[screenshot: VD.PNG]

On the FGT you have to enable MAC address filtering on that SSID, point the RADIUS server to FortiNAC, and enable Dynamic VLAN:

[screenshot: mac filter.PNG]

For the captive portal to work you need to configure the DHCP server relay to point to the FNAC eth1 interface. Portal redirection is done through DNS only. There is no need to enable the captive portal on the FGT or put in a URL; it will not work like that.

[screenshot: relay.PNG]

The SSID should include at least two VLANs, registration and access:

[screenshot: ssid.PNG]

 

You can also take a look at this step-by-step guide; it's for wired, but it shares the same logical steps: https://community.fortinet.com/t5/FortiNAC/Technical-Tip-FortiNAC-Guest-Captive-Portal-configuration-and/ta-p/215606

Emirjon
lincoweb (Author)
New Member
March 15, 2023

A couple of things:

  • I don't see a 'Virtualized Devices' tab: [screenshot: nac1.PNG]
  • Are you sure Dynamic VLAN assignment is available for an SSID in Bridge mode?
  • If I don't configure the SSID to use captive Portal in the FGT, which Authentication scheme should be selected when configuring the SSID?

[screenshot: nac2.PNG]

  • How do I Assign a second VLAN to the SSID?
  • I am aware of the link you sent before. However, it speaks to some settings I am not able to access:

[screenshot: nac3.PNG]

I think the 'Logical Network' is associated with the 'Model Configuration' which, as I mentioned before, I am not able to see. I am not seeing the 'Virtualized Devices' tab either.

ebilcari
Staff
March 16, 2023

1. I don't see a 'Virtualized Devices' tab - You have to check the FGT modeling, something is wrong there; right-click and choose Set Device Mapping.

 

2. Are you sure Dynamic VLAN assignment is available for an SSID in Bridge mode? - Yes, it is. Basically the AP will tag the user traffic directly and put it on the switch port; you don't have to configure it under the SSID.


3. If I don't configure the SSID to use the captive portal in the FGT, which authentication scheme should be selected when configuring the SSID? - Just leave it open, or use PSK if you want, but set FNAC as the DHCP and DNS server. It will put the users in the registration VLAN, which you can limit to FNAC access only. The registration VLAN should include the network configuration and DHCP relay.

 

4. I think the 'Logical Network' is associated with the 'Model Configuration' which I mentioned I am not able to see; I am not seeing the 'Virtualized Devices' tab either - Yes, but it looks like your FGT is not properly modeled; you should also see the SSID tab.

 

Emirjon
lincoweb (Author)
New Member
March 17, 2023

How do I 'check the FGT modeling'? This is what I see when I right-click and choose 'Set Device Mapping':

[screenshot: nac3.PNG]

Dynamic VLAN assignment is only available when 'RADIUS Server' is enabled under 'Client MAC Address Filtering' for tunnel mode SSIDs. The option is not there for Bridge Mode SSIDs. Are you saying I don't need to configure it at all now?

I have a VLAN created on the FGT for registration. It uses DHCP relay to point to the FNAC. Should I then configure the 'Optional VLAN ID' field in the SSID to this VLAN so that when clients associate to the SSID they are placed in this VLAN?

Is there not a cookbook example specifically showing how to do this with a FGT, starting from modeling right through to configuring the SSID and captive portal?

lincoweb (Author)
New Member
March 17, 2023

I just blew away the device from the inventory and re-added it. I'm seeing the tabs you mentioned now:

[screenshot: nac4.PNG]

lincoweb (Author)
New Member
March 23, 2023

So I was able to set the SSID as open. I set the Optional VLAN ID to the isolation VLAN created on the FortiLink, which is on the same network as the FortiNAC eth1 interface. So when the user associates they get an IP from FortiNAC and are redirected to the portal. The client is able to self-register, and the sponsor gets the request and approves it successfully. Credentials are sent to the user on the portal page and they authenticate successfully, getting the success message.

However, after the progress bar reaches 100%, a message pops up saying 'Failed to detect a change in your network settings. Retrying...'. Can someone walk me through an example Network Access Policy for the scenario I'm trying to achieve?

PS. I did find this document. https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Captive-Portal-Registration-Failed-to-detect-a/ta-p/222736

I made the changes but they don't seem to have any effect.

ebilcari
Staff
April 19, 2023

This error is related to the VLAN change and CoA. The SSID should have been configured in advance with the registration and production VLANs. After a successful user login, FNAC should respond with the production VLAN and a CoA request to bounce the end host to the new VLAN, done via RADIUS.

For this, on the FGT you have to add this command under the RADIUS server configuration:

config user radius
    edit "FNAC"
        set radius-coa enable
    next
end
Emirjon
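Putting the March 15 reply (MAC filtering against FortiNAC, DHCP relay to FNAC eth1, a registration VLAN and a production VLAN, no FortiOS captive portal on the SSID) together with the CoA note above, here is what the FortiOS CLI side looks like end to end. This is an added example, not configuration from the original posts or from Fortinet documentation. Every interface name, VLAN ID, IP address and the shared secret are placeholders I assumed; whether a bridge-mode SSID needs the Optional VLAN ID (`set vlanid`) in addition to the RADIUS-assigned VLAN is exactly what the thread goes back and forth on, so check that line against your FortiOS version and the FortiNAC logical network mapping rather than taking it from here.

```text
# Added example (assumed placeholders throughout):
#   FortiNAC eth1 (portal / DHCP / DNS for isolated clients): 10.10.50.5
#   reached through FortiGate interface "nac"
#   registration/isolation VLAN 100 and production VLAN 200 on "fortilink"

# 1. RADIUS server object pointing at FortiNAC. radius-coa is what lets
#    FNAC send the Change-of-Authorization that bounces the client from
#    VLAN 100 to VLAN 200 after a successful portal login; without it the
#    portal sits at "Failed to detect a change in your network settings".
config user radius
    edit "FNAC"
        set server "10.10.50.5"
        set secret "CHANGE-ME-shared-secret"
        set radius-coa enable
    next
end

# 2. The two VLANs the SSID can land a client in. DHCP on the
#    registration VLAN is relayed to FNAC eth1 so FNAC hands out the
#    isolation lease (with itself as DNS) and can redirect to the portal.
config system interface
    edit "guest-reg"
        set vdom "root"
        set interface "fortilink"
        set vlanid 100
        set ip 10.10.100.1 255.255.255.0
        set allowaccess ping
        set dhcp-relay-service enable
        set dhcp-relay-ip "10.10.50.5"
    next
    edit "guest-prod"
        set vdom "root"
        set interface "fortilink"
        set vlanid 200
        set ip 10.10.200.1 255.255.255.0
        set allowaccess ping
    next
end

# 3. Open, bridged SSID with client MAC filtering done by RADIUS (FNAC).
#    No captive-portal setting on the SSID; FNAC's DNS does the redirect.
#    "set vlanid 100" is the Optional VLAN ID the thread discusses and
#    is an assumption here.
config wireless-controller vap
    edit "guest-bridged"
        set ssid "Guest"
        set security open
        set local-bridging enable
        set radius-mac-auth enable
        set radius-mac-auth-server "FNAC"
        set vlanid 100
    next
end

# 4. Limit the registration VLAN to FortiNAC only (portal, DNS), as the
#    reply suggests. No policy from guest-reg to the internet, so an
#    unregistered client cannot browse. Production VLAN gets a normal
#    internet policy (not shown).
config firewall address
    edit "FNAC-eth1"
        set subnet 10.10.50.5 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "guest-reg-to-FNAC"
        set srcintf "guest-reg"
        set dstintf "nac"
        set srcaddr "all"
        set dstaddr "FNAC-eth1"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
    next
end
```

The check worth doing after applying something like this: associate a test client, confirm it gets a lease from the FNAC DHCP scope for VLAN 100 (not from the FortiGate), confirm a DNS lookup for any name returns the FNAC portal address, and then, after login, watch the FortiGate RADIUS debug for the CoA from 10.10.50.5 and the client re-DHCP into the 10.10.200.0/24 range. If the client never changes subnet, the CoA or the VLAN mapping on the FNAC side is the piece to look at, not the portal.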
jsotta
New Member
September 4, 2024

Hi @lincoweb, did you already implement this one? Can you share as well.
Thank you!

ebilcari
Staff
September 24, 2024

You can take a look at this new article dedicated to guest solution using FGT and FNAC.

Emirjon
jsotta
New Member
September 25, 2024

Hi @ebilcari, I checked the documents but it seems it's different for the captive portal with Azure authentication. Thanks!