FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
rbraha
Staff
Article Id 257537
Description This article describes how to configure a captive portal with FortiAuthenticator, including a Usage Profile that limits the time a guest user may stay connected.
Scope FortiAuthenticator, FortiGate.
Solution

In this configuration, Wi-Fi users who authenticate through the guest portal must be disconnected after a specific time limit configured on FortiAuthenticator.

 

  1. Enable the RADIUS Accounting service on the FortiAuthenticator interface facing FortiGate:

    RadiusService.jpg

  2. Configure FortiGate as a RADIUS client on FortiAuthenticator:

    radius client.png

  3. Create a usage profile under Authentication -> User Management -> Usage Profile.

    A time limit of 5 minutes has been selected.

    usage profile.png

  4. Create a user group on FortiAuthenticator for guest users, select the usage profile, and under RADIUS Attributes add Acct-Interim-Interval set to 60 seconds. This attribute is returned to FortiGate in the Access-Accept and controls how often FortiGate sends Interim-Update accounting messages, which is what FortiAuthenticator uses to track the time consumed.

    user group.png

  5. Configure the guest portal and the access point on FortiAuthenticator.

    guest portal.png

  6. Configure the captive portal policy on FortiAuthenticator.

    guest policy.png

  7. Configure FortiAuthenticator as a RADIUS server on FortiGate. In this case MS-CHAPv2 is used; FortiAuthenticator must be joined to the domain for MS-CHAPv2 authentication of domain users.

    For more detail, see the KB article:

    Technical Tip: Joining FortiAuthenticator in the active directory as a machine entity.

    The RADIUS configuration is done on FortiGate through the CLI:

    radius cli.png

  8. Create a user group on FortiGate:

    user group FGT.png

  9. Create a wireless guest SSID on FortiGate.

    wifi1png.png

    wifi2.png

  10. Configure firewall policies for guest access to DNS, FortiAuthenticator, and the internet.

    policy png.png
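The FortiGate side of the configuration above (RADIUS server with MS-CHAPv2 and accounting, user group, guest SSID, firewall policies) as one CLI listing. This is an added example, not the CLI shown in the article's screenshot. The object names (FAC-RADIUS, FAC-Guests, guest-wifi, FAC-host), the FortiAuthenticator address 192.0.2.10, the interface name wan1, the shared secret and the guest portal URL path are assumptions to be replaced with your own values, and the lines starting with # are annotations to strip before pasting.

```fortios
# FortiAuthenticator as RADIUS server for FortiGate (address and secret assumed).
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"
        set secret <shared-secret>
        set auth-type ms_chap_v2
        # Accept RADIUS Disconnect-Request (CoA) from FortiAuthenticator so it can
        # end the session when the usage profile limit is reached (assumption:
        # needed for the disconnect described in the article).
        set radius-coa enable
        # Local fallback for the interim interval; the article sets
        # Acct-Interim-Interval = 60 on the FortiAuthenticator user group, which
        # FortiGate receives in the Access-Accept.
        set acct-interim-interval 60
        # Accounting to FortiAuthenticator: without this no Start/Interim-Update
        # messages are sent and the usage profile never accumulates time.
        config accounting-server
            edit 1
                set status enable
                set server "192.0.2.10"
                set secret <shared-secret>
                set port 1813
            next
        end
    next
end

# FortiGate user group backed by the RADIUS server.
config user group
    edit "FAC-Guests"
        set member "FAC-RADIUS"
    next
end

# Address object for FortiAuthenticator, used by the pre-authentication policy.
config firewall address
    edit "FAC-host"
        set subnet 192.0.2.10 255.255.255.255
    next
end

# Guest SSID with external captive portal hosted on FortiAuthenticator
# (the portal URL path is an assumption; copy it from the guest portal page).
config wireless-controller vap
    edit "guest-wifi"
        set ssid "Guest-WiFi"
        set security captive-portal
        set external-web "https://fac.example.com/<guest-portal-path>/"
        set selected-usergroups "FAC-Guests"
        set intra-vap-privacy enable
        set schedule "always"
    next
end

# Firewall policies. Only DNS and HTTPS to FortiAuthenticator are exempt from
# the captive portal, so the redirect and the portal can load before login;
# everything else requires membership of FAC-Guests.
config firewall policy
    edit 0
        set name "guest-dns-preauth"
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "DNS"
        set action accept
        set schedule "always"
        set captive-portal-exempt enable
        set nat enable
    next
    edit 0
        set name "guest-to-fac-preauth"
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "FAC-host"
        set service "HTTPS"
        set action accept
        set schedule "always"
        set captive-portal-exempt enable
        set nat enable
    next
    edit 0
        set name "guest-internet"
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
        set groups "FAC-Guests"
        set nat enable
    next
end
```

Keep the pre-authentication exemptions as narrow as shown: a captive-portal-exempt policy with dstaddr "all" and a broad service would let unauthenticated guests reach the internet and bypass the usage profile entirely.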

    Test performed with one user 'beni'.

    Connect to the SSID: after connecting, the user is redirected to the guest portal and asked to register; fill in all required fields there.

    After registration, a message appears on the mobile phone: 'Your account has been created and is now ready to use'.

    Now it is possible to log in with the new user. The user is listed as a newly registered user on FortiAuthenticator under Monitor -> Authentication -> RADIUS Sessions, and is also shown as authenticated on FortiGate.

    radius sessions.png

    Once the 5-minute limit is reached, the user is disconnected from FortiGate and FortiAuthenticator at the next Acct-Interim-Interval update, so with a 60-second interval the disconnect can arrive up to 60 seconds after the limit. The consumed time is recorded cumulatively in the RADIUS session, so the limit applies to the user's total usage across sessions, not to each session separately.

    radius session 2png.png

    On FortiAuthenticator, the user cannot log in again because the account is disabled with the status 'Usage limit exceeded'.

    usage limit exceeded png.png

     

    For further troubleshooting, check the RADIUS Authentication and RADIUS Accounting monitor logs on FortiAuthenticator, for example the accounting debug page:

    https://<fac-ip>/debug/rad_accounting/
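The FortiGate-side checks for the same test, added here as an example and not part of the original article. FAC-RADIUS is an assumed name for the RADIUS server object on FortiGate, 'beni' is the test user from the article, and the password is a placeholder.

```fortios
# Authenticate the guest user against FortiAuthenticator with MS-CHAPv2, the
# method configured on the RADIUS server object. Run it with pap as well: if
# pap succeeds and mschap2 fails, the problem is the MS-CHAPv2 setup on the
# FortiAuthenticator side rather than the user's password.
diagnose test authserver radius FAC-RADIUS mschap2 beni <password>
diagnose test authserver radius FAC-RADIUS pap beni <password>

# List users currently authenticated on FortiGate with their group and timeout.
# The guest appears here after the portal login and is removed when
# FortiAuthenticator disconnects the session at the usage limit.
diagnose firewall auth list

# Follow the authentication daemon while the user logs in and is disconnected;
# disable and reset the debug when done.
diagnose debug application fnbamd -1
diagnose debug enable
# ... reproduce the login and wait for the 5-minute limit ...
diagnose debug disable
diagnose debug reset
```

If the user stays in the auth list after FortiAuthenticator shows 'Usage limit exceeded', the Disconnect-Request is not reaching or not being accepted by FortiGate; check the RADIUS client entry on FortiAuthenticator and the CoA setting on the FortiGate RADIUS server object before clearing the session manually with diagnose firewall auth clear.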

     

    Note:

    After the user is disabled, an administrator can enable the account manually, and the user can log in again with the same credentials without registering again.