FortiAuthenticator
Author: Wallerson (Staff)
Article Id: 246322
Description

This article describes the steps to configure FortiAuthenticator with a captive portal and device tracking.
Scope

FortiAuthenticator v6.4+.

FortiGate v6.4+.

Solution

In this example, the users will only need to authenticate with a captive portal once to gain internet access. On each subsequent session, internet access will be granted automatically.

When the user authenticates for the first time, the device MAC address is registered on FortiAuthenticator. The next time the user tries to access the internet from the same device, the captive portal will not be displayed.

In this scenario, FortiGate redirects the user to the FortiAuthenticator captive portal.

Follow the steps below to configure FortiAuthenticator:

1) Add a group to receive the MAC addresses registered in the portal. Navigate to Authentication -> User Management -> User Groups -> Create New:


The new group will be added:


2) Create local users. This example will only use local users, but these steps also work with remote users.

Navigate to Authentication -> User Management -> Local Users and create the users:


3) Create a RADIUS client. FortiGate is the RADIUS client in this case.

Navigate to Authentication -> RADIUS Service -> Clients and select Create New.


4) Create a portal with device-tracking enabled. Select the MAC group created before.

Navigate to Authentication -> Portals -> Portals and select Create New.


The 'Maximum number of devices' field limits the number of MAC addresses allowed per user.

5) Create a portal policy. Add FortiGate as an access point by navigating to Authentication -> Portals -> Access Points:


- Client Address: the FortiGate IP address on the LAN interface where the captive portal is enabled.

Add the local user to a group through Authentication -> User Management -> User Groups -> Create New:


Add the Portal Policy. Navigate to Authentication -> Portals -> Policies -> Captive Portal and select Create New:


Define a name and select the portal. Take note of the URL: it will be necessary to configure a captive portal on FortiGate. Select Next:


Select the access point and RADIUS client. Select Next:


Select the Authentication type. Select Next:


Select the group which the local user belongs to. Select Next:


Select the MAC address parameter 'usermac'. Select Next:


Select Save and exit:


6) It is now necessary to create a MAB policy. This policy will authenticate the MAC addresses registered previously.

Navigate to Authentication -> RADIUS Service -> Policies and select Create New. Add a policy name and select the RADIUS client. Then, select Next:


Select Next:


Select the MAC authentication bypass (MAB) option. Select Next:


Select the MAC group. Select Next:


Select 'Access-Reject' for 'Unauthorized MACs'. This option blocks any MAC authentication attempt from an address that is not in the MAC group. Select Save and exit:


7) For the next steps, the following settings must be created on FortiGate:

Configure FortiAuthenticator as a RADIUS server:


Create the User Group:


Enable Captive Portal on the LAN interface and select the group: 


Add the group to the firewall policy as necessary.

Enable MAC address bypass in the FortiGate LAN interface. This must be done through the CLI:

# config system interface
    edit "port4"
        set vdom "root"
        set ip 192.168.1.2 255.255.255.0
        set allowaccess ping https http
        set type physical
        set security-mode captive-portal
        set security-mac-auth-bypass enable
        set security-external-web "https://fac.fortinet.br/portal/"
        set security-groups "Portal_Local" "Portal_Users"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 4
    next
end

If the captive portal is configured on a WiFi SSID interface, enable the following parameter:

# config wireless-controller vap
    edit "Test"
        set security captive-portal
        set mac-auth-bypass enable
    next
end

8) When the user tries to access the internet for the first time, the FortiAuthenticator captive portal will be displayed:


9) After entering the credentials, the device MAC address can be registered. Select OK.


The user will now have access to the internet. Additionally, the MAC address is added to the MAC list and bound to the user:


10) The next time the user tries to access the internet, the captive portal will not be displayed as long as the device's MAC address is registered. If the connection comes from a different device, the captive portal will be displayed again.
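
As an added example (not from the original article), the Python below parses FortiGate CLI output in the config/edit/set form shown in step 7 and reports any captive-portal interface or SSID that lacks MAC authentication bypass, which is the setting that lets registered devices skip the portal. The sample config embeds the article's "port4" block next to a constructed SSID "Guest" that omits the bypass; the check that the external portal URL uses https:// is this example's own recommendation, not a setting from the article.

```python
import shlex

# Constructed sample: the article's "port4" block plus a hypothetical SSID "Guest"
# that has a captive portal but no MAC authentication bypass (the failing case).
SAMPLE_CONFIG = """
# config system interface
edit "port4"
set security-mode captive-portal
set security-mac-auth-bypass enable
set security-external-web "https://fac.fortinet.br/portal/"
next
end
# config wireless-controller vap
edit "Guest"
set security captive-portal
next
end
"""

# Physical interfaces and SSIDs (VAPs) use different keys for the same two settings.
RULES = {"system interface": ("security-mode", "security-mac-auth-bypass"),
         "wireless-controller vap": ("security", "mac-auth-bypass")}

def parse_fortios(text):
    """Parse config/edit/set/next/end output into {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip().lstrip("# "))  # drop the '# ' CLI prompt
        if not tokens:
            continue
        if tokens[0] == "config":
            section = tree.setdefault(" ".join(tokens[1:]), {})
        elif tokens[0] == "edit":
            entry = section.setdefault(tokens[1], {})
        elif tokens[0] == "set":
            entry[tokens[1]] = tokens[2:]  # quoted values already unquoted by shlex
    return tree

def audit_mab(tree):
    """Return findings for captive-portal interfaces/SSIDs whose MAC bypass would not work."""
    findings = []
    for section, (mode_key, bypass_key) in RULES.items():
        for name, s in tree.get(section, {}).items():
            if s.get(mode_key) != ["captive-portal"]:
                continue  # no captive portal on this interface, nothing to check
            if s.get(bypass_key) != ["enable"]:
                findings.append(f"{section} {name}: {bypass_key} not enabled")
            web = s.get("security-external-web", [""])[0]  # https check is this example's own
            if section == "system interface" and not web.startswith("https://"):
                findings.append(f"{section} {name}: portal URL is not https://")
    return findings
```

Feed it the output of "show system interface" and "show wireless-controller vap" from the FortiGate to check a live configuration.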

Related documentation:

https://docs.fortinet.com/document/fortiauthenticator/6.4.6/administration-guide/842372/mac-devices
