Description
This article describes how to configure FortiGate Captive Portal authentication via FortiAuthenticator.
Topology.
Scope
FortiAuthenticator.
Solution
Key Configuration Points.
- On the FortiGate, when an external authentication Captive Portal is configured, user authentication is performed on the external authentication device (e.g. FortiAuthenticator), not on the FortiGate.
- When the 'External Authentication portal' is configured with FortiAuthenticator, the FortiGate must be configured as a RADIUS client on the FortiAuthenticator, and a remote user group pointing towards the FortiAuthenticator (as the RADIUS server) must be configured on the FortiGate.
- On the FortiGate, the FortiAuthenticator and the DNS servers (in the case where an FQDN is used in the 'External Authentication portal' URL) must be exempted from the 'Captive Portal'; otherwise an unauthenticated client cannot resolve or reach the login page.
- On the FortiAuthenticator, a 'Portal', an 'Access Point' and a 'Policy' are required for 'Captive Portal' authentication. The 'Access Point' is the IP address of the FortiGate interface on which the 'Captive Portal' is enabled.
Configuration.
- Windows Active Directory at IP address 10.91.1.49 is configured as the local DNS server. In this configuration, the domain name is 'lab.local'.
- The FortiGate points to the Windows Active Directory server for DNS resolution.
- Configure the 'Device FQDN' (Dashboard -> Status -> Device FQDN) on the FortiAuthenticator.
- On the FortiAuthenticator, configure the Windows Active Directory as a remote LDAP authentication server. Go to Authentication -> Remote Auth. Servers -> LDAP and select 'Create New'.
- On the FortiAuthenticator, create a 'Realm' (User Management -> Realms and select 'Create New') for the newly created remote LDAP authentication server.
- On the FortiAuthenticator, create a user group (User Management -> User Group and select 'Create New') that contains members from the Remote LDAP server.
- In this example, the 'CP_USER_LDAP_GROUP' user group on the FortiAuthenticator contains members of the 'CP_USER_GROUP' user group from the remote LDAP server. 'CP_USER_GROUP' user group contains member 'cp_user_1'.
- Once the Remote LDAP group is created, edit the newly created group and add the 'Fortinet-Group-Name' RADIUS Attribute. This RADIUS Attribute will be sent to the RADIUS clients requesting authentication via RADIUS.
- On the FortiAuthenticator, create a local user 'cp_user_2'(User Management -> Local Users and select 'Create New').
- On the FortiAuthenticator, create another user group (CP_USER_LOCAL_GROUP) (User Management -> User Group and select 'Create New') and add local user 'cp_user_2' in the group.
- Once the Local user group is created, edit the newly created group and add the 'Fortinet-Group-Name' RADIUS Attribute. This RADIUS Attribute will be sent to the RADIUS clients requesting authentication via RADIUS.
- On the FortiAuthenticator, create a RADIUS client (Authentication -> RADIUS Service -> Clients and select 'Create New') as the FortiGate.
- On the FortiGate, create FortiAuthenticator as the RADIUS Server (User & Device -> RADIUS Servers and select 'Create New').
- On the FortiAuthenticator, create a 'Portal' (Authentication -> Portals -> Portals and select 'Create New') for credential based user authentication and enable the 'Disclaimer' under the 'Pre-Login Services' section.
- On the FortiAuthenticator, create an 'Access Point' (Authentication -> Portals -> Access Points and select 'Create New'). 'Access Point' is the IP address of the port on FortiGate where the 'Captive Portal' is enabled.
- On the FortiAuthenticator, create a 'Policy' (Authentication -> Portals -> Policies and 'Create New') for the Captive Portal Authentication.
- On the 'Policy type' page, enter a policy name, select the type 'Allow captive portal access', and select the newly created portal from the drop-down list. Make a note of the URL shown on this page. This URL is the 'External Authentication portal' that will be configured on the FortiGate interface where the 'Captive Portal' is enabled.
- On the 'Portal selection criteria' page, in the Additional source criteria section, select 'Add Condition'. In the 'Create New Portal Rule Condition' dialog box, configure the following settings: HTTP Parameter: userip, Operator: in_range and Value: 'subnet' of FortiGate interface where the Captive Portal will be enabled.
- In the Access points section, select the access point created earlier and move it to the 'Chosen Access Points' pane. In the RADIUS clients section, select the FortiGate RADIUS client and move it to the 'Chosen RADIUS Clients' pane.
- On the 'Authentication type' page keep the default selection and proceed to the 'Identity source' page and select the 'Username format', configure 'Realms' for local and LDAP users and configure group 'Filter'. Ensure that the 'Allow Local Users To Override Remote Users' selection is enabled for the remote LDAP realm for local user authentication to be successful.
- On the 'Authentication factors' and 'RADIUS response' page keep every selection default and save the policy.
- On the FortiGate, create a user group (User & Device -> User Groups and select 'Create New'). In the Remote Groups section, select the FortiAuthenticator RADIUS server and specify the remote user group names as sent by the FortiAuthenticator in the 'Fortinet-Group-Name' RADIUS attribute (CP_USER_LDAP_GROUP and CP_USER_LOCAL_GROUP in this example).
- On the FortiGate, enable Captive Portal on the interface (Network -> Interfaces, select interface and select 'Edit'). (In this example captive portal is enabled on the interface Port7). Select 'Authentication portal' as 'External' and enter the FortiAuthenticator Captive Portal URL (The same URL saved earlier). Select the 'User groups' as configured earlier.
- On the FortiGate, create address objects (Policy & Objects -> Addresses and select 'Create New') for the FortiAuthenticator, the Windows Active Directory server and the LAN subnet (in this example, the subnet on port7).
- On the FortiGate, create IPv4 firewall policies (Policy & Objects -> IPv4 Policy and select 'Create New').
- Policy 1 to allow the FortiAuthenticator and Windows Active Directory to access the internet. In this example, Windows Active Directory is configured as the local DNS server and pointing towards external DNS servers on the Internet. The FortiAuthenticator is allowed internet access for its license verification. (Depending on the environment, this policy may not be required).
- Policy 2 allows the LAN subnet to access the FortiAuthenticator and the Windows Active Directory server for the DNS and HTTP/HTTPS services. DNS access to the DNS server is required to resolve the Captive Portal 'External Authentication' URL. HTTP/HTTPS access to the FortiAuthenticator is required to display the 'Captive Portal' login page in the web browser. This policy must also be exempted from the captive portal (because its source interface is still port7, where the 'Captive Portal' is enabled); the exemption is only available in the CLI and is configured with the commands below.
config firewall policy
edit 2
set captive-portal-exempt enable
next
end
- Policy 3 is allowing the LAN subnet to access the internet after successful 'Captive Portal' authentication.
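The FortiGate-side steps above, collected into one CLI configuration. This is an added example and is not part of the original article; it assumes the FortiAuthenticator is at 10.91.1.50 with the FQDN fac.lab.local and is reached through port1 together with the AD/DNS server at 10.91.1.49, that the LAN on port7 is 192.168.7.0/24, that the Internet-facing interface is wan1, and that the RADIUS shared secret and the portal URL are placeholders to be replaced with the values taken from the FortiAuthenticator RADIUS client and captive portal policy. The object and group names (FAC-RADIUS, CP_FAC_USERS, FAC, AD-DNS, LAN-PORT7) are also chosen for this example.

```fortios
# Added example, not from the original article. Assumed values are marked.
# 1. FortiAuthenticator as RADIUS server (IP 10.91.1.50 is an assumption)
config user radius
    edit "FAC-RADIUS"
        set server "10.91.1.50"
        set secret "REPLACE-WITH-RADIUS-CLIENT-SECRET"
    next
end

# 2. Remote user group. Each group-name must equal the Fortinet-Group-Name
#    value returned by the FortiAuthenticator for that user group.
config user group
    edit "CP_FAC_USERS"
        set member "FAC-RADIUS"
        config match
            edit 1
                set server-name "FAC-RADIUS"
                set group-name "CP_USER_LDAP_GROUP"
            next
            edit 2
                set server-name "FAC-RADIUS"
                set group-name "CP_USER_LOCAL_GROUP"
            next
        end
    next
end

# 3. External captive portal on the LAN interface. The URL is the one shown
#    on the FortiAuthenticator 'Policy type' page (placeholder here).
config system interface
    edit "port7"
        set security-mode captive-portal
        set security-external-web "https://fac.lab.local/REPLACE-WITH-POLICY-URL"
        set security-groups "CP_FAC_USERS"
    next
end

# 4. Address objects (LAN subnet 192.168.7.0/24 is an assumption)
config firewall address
    edit "FAC"
        set subnet 10.91.1.50 255.255.255.255
    next
    edit "AD-DNS"
        set subnet 10.91.1.49 255.255.255.255
    next
    edit "LAN-PORT7"
        set subnet 192.168.7.0 255.255.255.0
    next
end

config firewall policy
    # 5. Policy 2: DNS resolution and the login page must work before the
    #    user is authenticated, so this policy is exempted from the captive
    #    portal. Add the CRL/OCSP responder of the portal certificate to
    #    dstaddr as well, otherwise the browser reports an untrusted certificate.
    edit 2
        set name "LAN-preauth-to-FAC-and-DNS"
        set srcintf "port7"
        set dstintf "port1"
        set srcaddr "LAN-PORT7"
        set dstaddr "FAC" "AD-DNS"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set captive-portal-exempt enable
    next
    # 6. Policy 3: Internet access only for sessions authenticated as a
    #    member of CP_FAC_USERS; unauthenticated clients are redirected.
    edit 3
        set name "LAN-to-Internet-authenticated"
        set srcintf "port7"
        set dstintf "wan1"
        set srcaddr "LAN-PORT7"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "CP_FAC_USERS"
        set nat enable
    next
end
```

Policy 2 is deliberately limited to DNS, HTTP and HTTPS towards the two servers only; widening it to "all" would let unauthenticated hosts reach the FortiAuthenticator and the domain controller on every port. After a test login, 'diagnose firewall auth list' on the FortiGate should show the user with the group CP_FAC_USERS.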
Important:
If the captive portal server certificate includes a CRL distribution point or OCSP responder URL (and it usually does), these destinations must also be exempted in policy 2. Otherwise the browser cannot check the certificate's revocation status and may show an 'Untrusted certificate' error. Example CRL/OCSP servers that need to be exempted:
Verification.
- On the 'USER_PC' (on port7 LAN) open a web browser and try to go to any webpage. In this example, keyword 'fortinet' was entered on the Firefox web browser’s address bar.
- Firefox web browser displays the 'Open Network Login Page'.
- After selecting the 'Open Network Login Page', the 'Captive Portal’s' 'Disclaimer' page is displayed.
- After accepting the 'Disclaimer', the 'Captive Portal’s' 'external login page' is displayed.
- Enter the user credentials. After successful authentication, the user is redirected to the search results for the keyword 'fortinet' that was entered initially.
- On the FortiGate, go to Monitor -> Firewall User Monitor. The user login can be monitored here.
- The user login can also be viewed using the CLI command 'diagnose firewall auth list'.
- On the FortiAuthenticator, go to Log Access -> Logs. The user login logs on the FortiAuthenticator can be reviewed here.