sjoshi
Article Id 356172
Description

 

This article provides a comprehensive guide to setting up an external captive portal on FortiGate using FortiAuthenticator (FAC), enabling seamless and secure user authentication. Additionally, the article provides valuable insights into basic troubleshooting steps, aiding in the quick resolution of common issues that may arise during setup or deployment.

 

Scope

 

FortiGate, FortiAuthenticator.

 

Solution

 

In this example, port4 on the FortiGate is the LAN interface on which the captive portal is configured.

 

  • Interface IP

Go to Network -> Interfaces.

 

Capture.PNG

 

  • Captive Portal config on FortiGate LAN interface.

Go to Network -> Interfaces.

 

Capture.PNG

 

Here 10.5.133.28 is the FortiAuthenticator IP address.

 

  • Set up the RADIUS server on FortiGate.

Go to User & Authentication -> RADIUS Servers.

 

Capture.PNG

 

  • Configure User group on FortiGate.

Go to User & Authentication -> User Groups.

 

Capture.PNG

 

Note:

A firewall policy from LAN to WAN is required.

Make sure the FortiAuthenticator IP 10.5.133.28 is reachable from the FortiGate.
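
The FortiGate side of the steps above, collected as a CLI equivalent of the GUI configuration. This block is an added example and is not from the article: the interface address 172.31.133.1/24, port1 as the WAN interface, the object names FAC-RADIUS and radius_captive, the shared secret and the portal path are assumptions; only the FortiAuthenticator IP 10.5.133.28, port4 and auth-keepalive come from the article.

```fortios
# Added example, not from the article: FortiGate CLI equivalent of the GUI steps.
# Assumed values: port4 = 172.31.133.1/24, WAN = port1, names FAC-RADIUS / radius_captive.

# RADIUS server pointing at FortiAuthenticator. The shared secret must match the
# RADIUS client entry created for this FortiGate on FortiAuthenticator.
config user radius
    edit "FAC-RADIUS"
        set server "10.5.133.28"
        set secret <shared-secret-placeholder>
    next
end

# Firewall user group whose members are authenticated by the RADIUS server above.
config user group
    edit "radius_captive"
        set member "FAC-RADIUS"
    next
end

# LAN interface with an external captive portal. The host part of the URL must be
# the same FQDN/IP set as the Device FQDN on the FortiAuthenticator dashboard;
# the path is a placeholder, use the portal URL shown on the FortiAuthenticator Portals page.
config system interface
    edit "port4"
        set ip 172.31.133.1 255.255.255.0
        set allowaccess ping https ssh
        set security-mode captive-portal
        set security-external-web "https://10.5.133.28/<portal-path-placeholder>"
        set security-groups "radius_captive"
    next
end

# LAN to WAN policy required for authenticated users to reach the internet.
config firewall policy
    edit 0
        set name "LAN-to-WAN"
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Keeps the session alive and allows the logout page to be shown in the user's browser.
config system global
    set auth-keepalive enable
end
```

After applying this, a successful login should show up under diagnose firewall auth list with server Radius-Srv (or whatever the RADIUS server object is named) and group_name radius_captive, as in the output later in the article.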

 

Next, the configuration on FortiAuthenticator.

 

  • Set up the RADIUS client on FortiAuthenticator.

Go to Authentication -> RADIUS Service -> Clients.

 

Capture.PNG

 

Set up the Device FQDN (either an FQDN or an IP address can be used).

 

Capture.PNG

 

Whichever is set here, FQDN or IP, the same address is used as the external captive portal page URL.

Here, the users come from LDAP, and a remote user sync has been performed to import the users onto the FortiAuthenticator.

 

  • Enable the captive portal service on the interface.

Go to Network -> Interface -> Services.

 

Capture.PNG

 

  • Create user group on FortiAuthenticator.

Go to Authentication -> User Groups -> User Groups.

 

Capture.PNG

 

  • Access Point.

Go to Authentication -> Portals -> Access Points.

Here, the client address is the IP address of the FortiGate interface on which the captive portal is configured.

 

Capture.PNG

 

  • Portal.

Go to Authentication -> Portals -> Portals.

 

Capture.PNG

 

  • Policies.

Go to Authentication -> Portals -> Policies -> Captive Portal.

Here, the IP/FQDN in the URL must match the Device FQDN that was set on the FortiAuthenticator Dashboard.

 

Capture.PNG

 

Here the operator is set to IP range, so under Value, specify the subnet of the FortiGate interface on which the captive portal is enabled.

 

Capture.PNG

 

Select the RADIUS client and access point that were set up in the previous steps.

 

Capture.PNG

 

Set up the authentication type.
 
Capture.PNG

 

Select the respective identity source.
 
Capture.PNG

 

Capture.PNG

 

  • On the user machine, try to access the internet; the captive portal page should appear.

The disclaimer page appears first. After selecting 'Yes, I agree', the browser is redirected to the captive portal page.

 

Capture.PNG

 

Capture.PNG

 

Once authenticated with the correct credentials, the user will be able to access the internet.

 

A logout page can be shown in the user's browser to let the user log out; this requires enabling auth-keepalive in the FortiGate global settings:

 

config system global
    set auth-keepalive enable
end

 

Capture.PNG

 

Use the auth list on the FortiGate to verify that the user has been authenticated successfully:

 

diagnose firewall auth list

172.31.133.100, usera
src_mac: 00:67:72:61:5e:01
type: fw, id: 0, duration: 155, idled: 0
expire: 35845
flag(814): hard radius no_idle
server: Radius-Srv
packets: in 183 out 142, bytes: in 134833 out 27063
group_id: 6
group_name: radius_captive

----- 1 listed, 0 filtered ------

 

  • Troubleshooting tips.

 

On FortiGate:

 

diagnose firewall auth list
diagnose sniffer packet any 'host 10.5.133.28' 4 0 l

where 10.5.133.28 is the FortiAuthenticator IP address.

diagnose debug application fnbamd -1
diagnose debug application radiusd -1
diagnose debug enable

 
On FortiAuthenticator:
 
Go to Logging -> Log Access -> Logs.
The raw log and the summary log can be downloaded.
 
A packet capture can be taken for RADIUS connectivity between FortiGate and FortiAuthenticator, and for LDAP connectivity between FortiAuthenticator and the AD server.
Refer to this article for packet capture on FortiAuthenticator.
 
https://<FAC IP>/debug/radius/ <- the RADIUS authentication debug can be checked here.