FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
lmarinovic
Staff
Staff
Article Id 192701
Description

This article describes setting up a new social captive portal service on the FortiAuthenticator, and configuring the FortiGate for captive portal access, allowing users to log in to the WiFi network using either SMS or e-mail self-registration.

For FortiAuthenticator firmware versions 5.5 and 6.0 captive portals have merged with Guest Portals.
Existing captive portals will convert to a guest portal configuration following a firmware upgrade.
The look and function of converted portals will remain unchanged.

Note that it is possible to add social users as many as licenses.

Example if there are 500 user licenses (local+remote), there will have 500 Social users also.

On the dashboard, it is only possible to  see (local+remote) count.

The count of social users will be displayed on Authentication -> User Management -> Social Login Users.


Solution
1) Create a user group for form based social login users.

Go to Authentication -> User Management -> User Groups and create a 'Form_Users' user group.

Users that log in through the forms-based authentication method will be placed in this group once it is added to the captive portal general settings.

2) Configuring the RADIUS client on FortiAuthenticator.

Go to Authentication -> RADIUS Service -> Clients and create a new 'RADIUS' client.

This needs to be the FortiGate that has the FortiAunthenticator set as the captive portal.
Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 192.168.1.254).

Enable the guest portal.

Accept guest portal requests from related Access Points.

In the IP address/FQDN field enter the IP addresses of the Access Points.
If  FortiAPs managed by the FortiGate are used, specify the IP set for the specific WiFi SSID (in the example, 192.168.3.1).




Enter the pre-shared secret and set the authentication method.
The FortiGate will use this secret key in its RADIUS configuration.

Add the Social_Users user group to the realms group filter as shown.




Select 'Save' and then 'OK'.

3) Configuring the Captive Portal on FortiAuthenticator

If using FortiWLC, specify its IP/FQDN in the social portal pinholes in Authentication -> Guest Portals -> General 
and create a new Guest Portal (in this example named form_socportal).

Note:

The URL for the captive portal as it is the one that needs to be provided as the redirect URL in the FortiGate.
Note that the last slash is mandatory.

The URL was changed over the versions:

Up to 5.4 it would be /social_login/
5.5 - 6.0 it would be /guests/
6.1 onwards it would be /portal/

Note that if additional social login providers are used (LinkedIn, Facebook, etc…), these need to be updated to accept the forwarders links.

Set to use RADIUS Client which is the FortiGate, mapped to the RADIUS client's specific Profile (if multiple configured for that RADIUS Client) and mapped to the Social/Device-only Group.

In the General part, if needed specify the SMS gateway used.

In the authentication part, specify authentication type as user credentials, enable Social login and enable Phone number or Email type of form-based social login.





Set up the Pre-login services.

In this part account delivery options are available, which specify if the user will be able to register via SMS or e-mail.

Enable 'Account Registration', specify optionally the account expiry.

Enable 'Place registered users' into a group and choose form_users.





4) Configuring a captive portal rule on FortiAuthenticator.

Go to Authentication -> Guest Portals -> Rules and create a portal rule to allow access to the form_socportal portal.




If required, after saving, add HTTP parameters on which conditions this rule will be applied.

For example, a condition to restrict the portal to users from subnet 192.168.1.0/24 is:

HTTP parameter = userip
Operator = [ip]in_range
Value = 192.168.1.0/24




5) Configuring the FortiGate authentication settings.

On the FortiGate, go to User & Device -> RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP and pre-shared secret.

Use the Test Connectivity option with valid credentials to test the connection.



Go to User & Device -> User Groups and create a RADIUS user group called form_based.

Set the Type to Firewall and add the RADIUS server to the Remote groups table.





6) Configuring the FortiGate WiFi settings.

Go to WiFi & Switch Controller -> WiFi Network -> SSID and select the SSID interface.

Under WiFi Settings, set the security mode to captive portal.

For the Authentication Portal, select 'External', and enter the FQDN of the FortiAuthenticator, followed by /guests/.

In this example, it is set to: https://FAC.mt-test.local/guests/

Set 'User Groups' to the social_users group.




7) Configuring the FortiGate to allow access to FortiAuthenticator.

On the FortiGate, go to Policy & Objects -> Addresses and add the FortiAuthenticator firewall object.

For Subnet/IP Range enter the IP address of the FortiAuthenticator.

Go to Policy & Objects -> IPv4 Policy and create the FortiAuthenticator access policy.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.
Set Outgoing Interface to the interface towards the FortiAuthenticator and set Destination Address to FortiAuthenticator.
Set Service to HTTP/HTTPS.

Add the following to exempt the FortiAuthenticator access policy from the Captive Portal:
# config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end
This command allows access to the external Captive Portal.

8) Results.

Connect to the WiFi and attempt to browse the Internet. You will be redirected to the captive portal splash page.

Select 'Form-based' to the Form-based authentication login page.



Select the preferred Verification method, enter valid credentials, and select 'Submit'.
it will redirect to the URL initially requested.



The Social login user can be verified in the firewall user monitor in the FortiGate.





The user can now browse freely until the social login account expires.


Contributors