cchiriches
Staff
Staff
Description This article describes the typical captive portal workflow for an end-user with a FortiGate/FortiWiFi
Scope

 

Solution

- End-user browser attempts to go through the FortiGate/FortiWiFi to access a website.

 

- (Optional step) FortiGate/FortiWiFi sends a MAC Authentication Bypass (MAB) RADIUS authentication request using the end-user's MAC address to the FortiAuthenticator.

 

- (Optional step) FortiAuthenticator processes the MAB request. It return an Access-Accept response and authorized group name RADIUS attributes if the MAC address is authorized, or an Access-Accept response without the authorized group name RADIUS attribute otherwise.

 

- (Optional step) Upon an Access-Accept response and correct group membership, the end-user browser bypasses the captive portal and is allowed through to the requested website.

Workflow stops here.

 

- FortiGate/FortiWiFi intercepts the request and redirects the browser to the FortiAuthenticator's captive portal.

The redirect takes the form of an HTTPS request including parameters containing information unique to this particular authentication session.

Here is a FortiGate/FortiWiFi redirect sample:
https://192.168.30.47/portal/?post=http://192.168.30.1:1000/fgtauth&magic=040d028c9aaae999&usermac=6...

 

- FortiAuthenticator successfully authenticates the end-user.

 

- FortiAuthenticator redirects the end-user browser to the FortiGate/FortiWiFi's captive portal API specified in the 'post' parameter of the original captive portal redirect, e.g. http://192.168.30.1:1000/fgtauth in the above sample.

The API call also contains the 'magic' parameter (also from the original redirect), in addition to a username and password.

 

- FortiGate/FortiWiFi uses the 'magic' parameter to associate the API request to the firewall session that triggered the original redirect and triggers a RADIUS authentication request to the FortiAuthenticator using the username and password from the API request.

 

- FortiAuthenticator verifies the credentials from the RADIUS authentication request.

If valid, it returns a RADIUS Access-Accept response containing the appropriate RADIUS attributes.

 

- FortiGate/FortiWiFi redirects the end-user browser to a website.

The specific website depends on the FortiGate/FortiWiFi.

Related articles

Technical Tip: How to configure FortiGate Captive Portal via FortiAuthenticator

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD52850&sliceId=...)

Contributors