Description
This article describes the steps to configure FortiAuthenticator with a captive portal and device-tracking.
Scope
FortiAuthenticator v6.4+. FortiGate v6.4+.
Solution
In this example, the users will only need to authenticate with a captive portal once to gain internet access. On each subsequent session, internet access will be granted automatically. When the user authenticates for the first time, the device MAC address will be registered on FortiAuthenticator. Next time the user tries to access internet from the same device, the captive portal won't be displayed.
In this scenario, FortiGate will redirect the user to the FortiAuthenticator captive portal.
Follow the steps below to configure FortiAuthenticator:
1) Add a group to receive the MAC addresses registered in the portal. Navigate to Authentication -> User Management -> User Groups -> Create New:
The new group will be added:
2) Create local users. This example will only use local users, but these steps also work with remote users. Navigate to Authentication -> User Management -> Local Users and create the users:
3) Create a RADIUS client. FortiGate is the RADIUS client in this case. Navigate to Authentication -> RADIUS Service -> Clients and select Create New.
4) Create a portal with device-tracking enabled. Select the MAC group created before. Navigate to Authentication -> Portals -> Portals and select Create New.
The 'Maximum number of devices' field limits the number of MAC addresses allowed per user.
5) Create a portal policy. Add FortiGate as an access point by navigating to Authentication -> Portals -> Access Points:
- Client Address: the FortiGate IP on the LAN interface where the captive portal is enabled.
Add the local user to a group through Authentication -> User Management -> User Groups -> Create New:
Add the Portal Policy. Navigate to Authentication -> Portals -> Policies -> Captive Portal and select Create New:
Define a name and select the portal. Take note of the URL: it will be necessary to configure a captive portal on FortiGate. Select Next:
Select the access point and RADIUS client. Select Next:
Select the Authentication type. Select Next:
Select the group which the local user belongs to. Select Next:
Select the MAC address parameter 'usermac'. Select Next:
Select Save and exit:
6) It is now necessary to create a MAB policy. This policy will authenticate the MAC addresses registered previously. Navigate to Authentication -> RADIUS Service -> Policies and select Create New. Add a policy name and select the RADIUS client. Then, select Next:
Select Next:
Select the MAC authentication bypass (MAB) option. Select Next:
Select the MAC group. Select Next:
Select 'Access-Reject' for 'Unauthorized' MACs. This option will reject any MAC authentication for an address that does not belong to the MAC group. Select Save and exit:
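The exchange behind the MAB policy in step 6, as an added example that is not part of the Fortinet article: the client side (FortiGate's role) builds a RADIUS Access-Request carrying the device MAC, and the server side (FortiAuthenticator's role) verifies the request and answers Access-Accept only for a MAC that is in the MAC group, Access-Reject otherwise. Packet layout follows RFC 2865/2869; the shared secret and MAC group are constructed sample values, and sending the MAC as both User-Name and User-Password (lowercase, no separators) is an assumption about MAB formatting rather than something the article states.

```python
"""Added example: minimal RADIUS MAB exchange (client build + server policy).
Not Fortinet code; attribute formatting for MAB is assumed, see lead-in."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 1, 2, 31, 80

SHARED_SECRET = b"example-secret"          # constructed sample, not a real secret
MAC_GROUP = {"aabbccddeeff": "alice"}     # constructed: registered MAC -> bound user


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _md5_stream(data: bytes, authenticator: bytes, secret: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding (hiding=True) or its inverse.
    Each 16-byte block is XORed with MD5(secret + previous block); the
    'previous block' is the ciphertext block in both directions."""
    padded = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk if hiding else padded[i:i + 16]
    return out if hiding else out.rstrip(b"\x00")


def build_mab_request(mac: str, identifier: int, secret: bytes) -> bytes:
    """Client side: Access-Request with the MAC as User-Name, plus a
    Message-Authenticator (RFC 2869) so the server can detect tampering."""
    authenticator = os.urandom(16)
    mac_bytes = mac.lower().encode()
    attrs = (_attr(USER_NAME, mac_bytes)
             + _attr(USER_PASSWORD, _md5_stream(mac_bytes, authenticator, secret, hiding=True))
             + _attr(CALLING_STATION_ID, mac_bytes))
    length = 20 + len(attrs) + 18            # 18 = Message-Authenticator attribute
    prefix = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs
    # HMAC-MD5 over the packet with the Message-Authenticator value zeroed
    tag = hmac.new(secret, prefix + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16), hashlib.md5).digest()
    return prefix + _attr(MESSAGE_AUTHENTICATOR, tag)


def _attributes(packet: bytes):
    """Yield (type, value, offset) per attribute; reject malformed lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        length = packet[pos + 1]
        yield packet[pos], packet[pos + 2:pos + length], pos
        pos += length


def _message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    for attr_type, value, pos in _attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False                              # absent: treat as unverifiable


def mab_policy(packet: bytes, secret: bytes, mac_group: dict) -> int:
    """Server side: the MAB decision. Anything not verifiable or not in the
    MAC group gets Access-Reject, matching the 'Unauthorized MACs' option."""
    try:
        code, _ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length != len(packet) or len(packet) < 20:
            return ACCESS_REJECT
        if not _message_authenticator_ok(packet, secret):
            return ACCESS_REJECT
        attrs = {t: v for t, v, _ in _attributes(packet)}
    except (struct.error, ValueError):
        return ACCESS_REJECT
    mac = attrs.get(USER_NAME, b"").decode("ascii", "replace").lower()
    password = _md5_stream(attrs.get(USER_PASSWORD, b""), packet[4:20], secret, hiding=False)
    if mac in mac_group and password == mac.encode():
        return ACCESS_ACCEPT
    return ACCESS_REJECT


if __name__ == "__main__":
    request = build_mab_request("AA:BB:CC:DD:EE:FF".replace(":", ""), 1, SHARED_SECRET)
    print("registered MAC ->", mab_policy(request, SHARED_SECRET, MAC_GROUP))
    unknown = build_mab_request("001122334455", 2, SHARED_SECRET)
    print("unregistered MAC ->", mab_policy(unknown, SHARED_SECRET, MAC_GROUP))
```

The policy checks the Message-Authenticator before it looks at any attribute, so a request under the wrong shared secret or with a modified User-Name is rejected for integrity reasons rather than for group membership. Because MAB grants access on the strength of a MAC address alone, the two controls the article configures, the 'Maximum number of devices' limit per user and Access-Reject for unregistered MACs, are what keep the registration list tight.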
7) For the next steps, the following settings must be created on FortiGate:
Configure FortiAuthenticator as a RADIUS server:
Create the User Group:
Enable Captive Portal on the LAN interface and select the group:
Add the group to the firewall policy as necessary.
Enable MAC authentication bypass on the FortiGate LAN interface. This must be done through the CLI:
# config system interface
    edit "port4"
        set vdom "root"
        set ip 192.168.1.2 255.255.255.0
        set allowaccess ping https http
        set type physical
        set security-mode captive-portal
        set security-mac-auth-bypass enable
        set security-external-web "https://fac.fortinet.br/portal/"
        set security-groups "Portal_Local" "Portal_Users"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 4
    next
end
If the captive portal is configured on a WiFi SSID interface, enable the following parameter:
# config wireless-controller vap
    edit "Test"
        set security captive-portal
        set mac-auth-bypass enable
    next
end
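A configuration check for step 7, added here as an example and not part of the Fortinet article or of FortiOS: it parses FortiOS `config` / `edit` / `set` / `next` / `end` text into nested dictionaries and reports any captive-portal interface or SSID that is missing the MAC authentication bypass, the external portal URL, or the security groups. The first sample is the article's own interface and SSID configuration; the second is a constructed misconfiguration used to show what a finding looks like.

```python
"""Added example: lint FortiOS captive-portal settings for the MAB setup.
Not Fortinet code. PAGE_CONFIG reproduces the article's CLI; WEAK_CONFIG is constructed."""
import shlex

PAGE_CONFIG = """
# config system interface
    edit "port4"
        set vdom "root"
        set ip 192.168.1.2 255.255.255.0
        set allowaccess ping https http
        set type physical
        set security-mode captive-portal
        set security-mac-auth-bypass enable
        set security-external-web "https://fac.fortinet.br/portal/"
        set security-groups "Portal_Local" "Portal_Users"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 4
    next
end
# config wireless-controller vap
    edit "Test"
        set security captive-portal
        set mac-auth-bypass enable
    next
end
"""

# Constructed: captive portal enabled but MAB and security groups left out.
WEAK_CONFIG = """
config system interface
    edit "port5"
        set ip 192.168.2.2 255.255.255.0
        set security-mode captive-portal
        set security-external-web "https://fac.example.invalid/portal/"
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Parse FortiOS CLI text into {section: {entry: {key: [values]}}}.
    Nested 'config' blocks are supported; the leading '#' prompt is ignored."""
    root, stack, current = {}, [], {}
    current = root
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()
        if not line:
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            stack.append(current)
            current = current.setdefault(" ".join(tokens[1:]), {})
        elif keyword == "edit":
            stack.append(current)
            current = current.setdefault(tokens[1], {})
        elif keyword == "set":
            current[tokens[1]] = tokens[2:]
        elif keyword in ("next", "end"):
            if not stack:
                raise ValueError(f"unbalanced '{keyword}'")
            current = stack.pop()
    if stack:
        raise ValueError("unterminated config/edit block")
    return root


def check_captive_portal(config: dict) -> list:
    """Return human-readable findings for captive-portal interfaces and SSIDs."""
    findings = []
    for name, iface in config.get("system interface", {}).items():
        if iface.get("security-mode") != ["captive-portal"]:
            continue
        if iface.get("security-mac-auth-bypass") != ["enable"]:
            findings.append(f"{name}: security-mac-auth-bypass is not enabled, registered devices will be prompted again")
        if not iface.get("security-external-web"):
            findings.append(f"{name}: security-external-web is unset, the FortiAuthenticator portal will not be used")
        if not iface.get("security-groups"):
            findings.append(f"{name}: security-groups is empty, no user group can authorize access")
    for name, vap in config.get("wireless-controller vap", {}).items():
        if vap.get("security") == ["captive-portal"] and vap.get("mac-auth-bypass") != ["enable"]:
            findings.append(f"{name}: SSID captive portal without mac-auth-bypass")
    return findings


if __name__ == "__main__":
    for label, text in (("article config", PAGE_CONFIG), ("constructed weak config", WEAK_CONFIG)):
        print(label, "->", check_captive_portal(parse_fortios(text)) or "no findings")
```

Run it against `show system interface` and `show wireless-controller vap` output copied from the FortiGate CLI; an empty list means every captive-portal interface carries the three settings the article's step 7 depends on.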
8) When the user tries to access the internet for the first time, the FortiAuthenticator captive portal will be displayed:
9) After entering the credentials, the device MAC Address can be registered. Select OK:
The user will now have access to the internet. Additionally, the MAC address is added to the MAC list and bound to the user:
10) The next time the user tries to access the internet, the captive portal will not be displayed as long as the device's MAC address is registered. If the connection comes from a different device, the captive portal will be displayed again.
Related documentation: https://docs.fortinet.com/document/fortiauthenticator/6.4.6/administration-guide/842372/mac-devices