FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Wallerson
Staff
Article Id 275801
Description

This article describes how to configure a captive portal with social login using Google authentication. It covers the steps to enable the API on Google and the configuration steps on FortiAuthenticator and FortiGate.

Scope

FortiAuthenticator v6.5.2, FortiGate v7.2.5.

Solution

Configuring Google API.

  1. Access the page https://console.developers.google.com and log in with a Google Account.
  2. Create a new project.
  3. Give the project a name and select the 'CREATE' button.
  4. Select the new project.
  5. Select 'ENABLE APIS AND SERVICES'.
  6. In the API list, find 'Google+ API'.
  7. Select 'ENABLE'.
  8. Select 'OAuth consent screen'.
  9. Select 'External' and 'CREATE'.
  10. Give the app a name and add a support email.
  11. For this example, the domain 'fortinet.br' is set as the 'Authorized domain'. This domain matches the FortiAuthenticator captive portal domain and the FortiGate authentication URL. Select 'SAVE AND CONTINUE'.
  12. Select 'SAVE AND CONTINUE' on the 'Scopes' and 'Test users' steps as well.
  13. Select 'Credentials' on the left panel of APIs & Services.
  14. Select 'CREATE CREDENTIALS' and 'OAuth client ID'.
  15. Select 'Web application' on 'Application type' and provide a name. Add the URL https://fac.fortinet.br/portal/social/complete/google-oauth2/ in the 'Authorized redirect URIs'. Select 'CREATE'.

     Note:

     This URL comes from FortiAuthenticator. See step 13 of the 'Configuring FortiAuthenticator' section to get the correct URL. Select the 'Copy redirect URL' button next to the 'Google' Social User.

  16. Take note of the 'Client ID' and 'Client secret'. These credentials will be used in step 2 of the 'Configuring FortiAuthenticator' section. Select 'OK'.

Configuring FortiAuthenticator.

  1. Select Authentication -> Remote Auth. Servers -> OAuth and select 'Create New'.
  2. Supply a name, select 'Google' on 'OAuth source', and copy the 'Client ID' shown in step 16 (Configuring Google API) into the 'Key' field. Then copy the 'Client Secret' from step 16 and paste it into the 'Secret' field.
  3. Select Authentication -> Portals -> Access Points, select 'Create New', and add two access points.
     • Add one Access Point to reference the FortiGate LAN interface IP where the Captive Portal is enabled. For this example, it is Port4, which has 192.168.1.2 configured.
     • Add another Access Point to reference the FortiGate auth-portal URL, as described in step 4 of the 'Configuring FortiGate' section.
  4. Select Authentication -> RADIUS Service -> Clients and select 'Create New'. Add a name and the FortiGate IP that will communicate with FortiAuthenticator. Add the 'Secret' and select 'Save'.
  5. Select Authentication -> User Management -> User Groups and select 'Create New'. Add a name and the 'Radius Attributes'.

     The users authenticated by Google will be added to this group. This group will be used in the FortiGate configuration.

  6. Select Authentication -> Portals -> Portals and select 'Create New'.
  7. Add a name and select the option below. For this example, only 'Disclaimer' is enabled.

     (Screenshot: 23.png)

  8. Select Authentication -> Portals -> Policies -> Captive Portal and select 'Create New'.
  9. Add a name to the policy. Take note of the URL; it will be used as the Captive Portal URL in the FortiGate settings. Select the Portal name and select 'Next'.
  10. Select the options as shown below. In the 'Value', set the user's IP range. Select 'Next'.

     (Screenshot: 26.png)

  11. Select the 'Access points' and the 'Radius Client'. Select 'Next'.
  12. Select 'Social users' and, in the field 'Assign accounts to group', the group created before. Select 'Next'.
  13. Select 'Google' in the 'Social Users' section. Select the OAuth server created in step 2. Select 'Next'.
  14. Select 'Next' and then 'Update and exit'.

Configuring FortiGate.

  1. Enable the 'Captive Portal' on the LAN interface. Set the FortiAuthenticator URL as shown in step 9 (Configuring FortiAuthenticator). Select 'OK'.
  2. Select User & Authentication -> RADIUS Servers and select 'Create New'. Add FortiAuthenticator as a RADIUS server and select 'OK'.
  3. Select User & Authentication -> User Groups and select 'Create New'. Add the name of the group created in step 5 (Configuring FortiAuthenticator). Select 'OK'.
  4. Add the FortiGate portal address:

config firewall auth-portal
    set portal-addr "fgt.fortinet.br"
end

 

Note:

For more information, see the related article at the end of this article.

  5. Add the policy that allows users to reach the Google page to perform the authentication. Under Policy & Objects -> Firewall Policy, select 'Create New'. Select the LAN interface in the 'Incoming Interface' and the WAN in the 'Outgoing Interface'. Select the ISDB entries 'Google-Gmail' and 'Google-Web' as the destination.
     • Edit the policy through the CLI and enable 'captive-portal-exempt'.

config firewall policy
  edit 23
     set uuid 6552a3e8-56ed-51ee-da10-9c25cf5e3d0a
     set srcintf "port4"
     set dstintf "port1"
     set action accept
     set srcaddr "192.168.1.0/24"
     set internet-service enable
     set internet-service-name "Google-Gmail" "Google-Web"
     set schedule "always"
     set utm-status enable
     set logtraffic all
     set nat enable
     set captive-portal-exempt enable
  next
end
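
An added example, not part of the original article or of Fortinet's tooling: a small Python audit that parses 'config firewall policy' text and reports any policy with 'captive-portal-exempt' enabled whose destination is wider than the two ISDB entries used above. The sample configuration is constructed (policy 24 is hypothetical), and the function names and the allow-list are assumptions made for this example.

```python
import shlex

# Constructed sample: policy 23 mirrors the article's exempt policy;
# policy 24 is a made-up over-broad exemption added for contrast.
SAMPLE = '''
config firewall policy
  edit 23
     set srcaddr "192.168.1.0/24"
     set internet-service enable
     set internet-service-name "Google-Gmail" "Google-Web"
     set captive-portal-exempt enable
  next
  edit 24
     set dstaddr "all"
     set captive-portal-exempt enable
  next
end
'''

def parse_policies(text):
    """Return {policy_id: {option: [values]}} from 'config firewall policy'."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)          # handles the quoted values
        if not tok:
            continue
        if tok[0] == "edit" and len(tok) > 1:
            current = policies.setdefault(tok[1], {})
        elif tok[0] == "next":
            current = None
        elif tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = tok[2:]
    return policies

def audit_exempt(policies, allowed_isdb=("Google-Gmail", "Google-Web")):
    """Flag exempt policies that reach more than the allowed ISDB entries."""
    findings = []
    for pid, opt in policies.items():
        if opt.get("captive-portal-exempt") != ["enable"]:
            continue
        names = opt.get("internet-service-name", [])
        if opt.get("internet-service") != ["enable"] or not names:
            findings.append((pid, "destination is not restricted to ISDB entries"))
        extra = sorted(set(names) - set(allowed_isdb))
        if extra:
            findings.append((pid, "unexpected ISDB entries: " + ", ".join(extra)))
    return findings

print(audit_exempt(parse_policies(SAMPLE)))
```

Run it against a saved copy of the policy section of a configuration backup; an empty list means every exempt policy is limited to the expected ISDB entries.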

 

Note:

For more information, see the related article at the end of this article.

  6. Add a new policy to allow the users to access the Internet. Add the group to the source.

Testing the internet access.

  1. From a test host, try to access the internet. FortiGate will redirect the user to the Captive Portal.
  2. Select 'Sign in with Google'. Type the credentials.
  3. After authentication completes, internet access will be granted.
  4. The Gmail user can be checked on the FortiAuthenticator console. Select Authentication -> User Management -> Social Login Users.
  5. The user is added to the group. Select Authentication -> User Management -> User Groups.
  6. The user can be seen on the FortiGate console. Select Dashboard -> User & Devices -> Firewall Users.

Related article: