Help
FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
kiri
Staff
Staff

Created on ‎12-22-2021 12:20 AM

Article Id 201711

Technical Tip: The typical captive portal workflow for an end-user with a FortiGate/FortiWiFi

Description This article describes the typical captive portal workflow for an end-user with a FortiGate/FortiWiFi
Scope

 
Solution

- End-user browser attempts to go through the FortiGate/FortiWiFi to access a website.

 

- (Optional step) FortiGate/FortiWiFi sends a MAC Authentication Bypass (MAB) RADIUS authentication request using the end-user's MAC address to the FortiAuthenticator.

 

- (Optional step) FortiAuthenticator processes the MAB request. It return an Access-Accept response and authorized group name RADIUS attributes if the MAC address is authorized, or an Access-Accept response without the authorized group name RADIUS attribute otherwise.

 

- (Optional step) Upon an Access-Accept response and correct group membership, the end-user browser bypasses the captive portal and is allowed through to the requested website.

Workflow stops here.

 

- FortiGate/FortiWiFi intercepts the request and redirects the browser to the FortiAuthenticator's captive portal.

The redirect takes the form of an HTTPS request including parameters containing information unique to this particular authentication session.

Here is a FortiGate/FortiWiFi redirect sample:
https://192.168.30.47/portal/?post=http://192.168.30.1:1000/fgtauth&magic=040d028c9aaae999&usermac=6...

 

- FortiAuthenticator successfully authenticates the end-user.

 

- FortiAuthenticator redirects the end-user browser to the FortiGate/FortiWiFi's captive portal API specified in the 'post' parameter of the original captive portal redirect, e.g. http://192.168.30.1:1000/fgtauth in the above sample.

The API call also contains the 'magic' parameter (also from the original redirect), in addition to a username and password.

 

- FortiGate/FortiWiFi uses the 'magic' parameter to associate the API request to the firewall session that triggered the original redirect and triggers a RADIUS authentication request to the FortiAuthenticator using the username and password from the API request.

 

- FortiAuthenticator verifies the credentials from the RADIUS authentication request.

If valid, it returns a RADIUS Access-Accept response containing the appropriate RADIUS attributes.

 

- FortiGate/FortiWiFi redirects the end-user browser to a website.

The specific website depends on the FortiGate/FortiWiFi.
Related articles

Technical Tip: How to configure FortiGate Captive Portal via FortiAuthenticator

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD52850&sliceId=...)
2226
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.