FortiGate
smayank
Staff
Article Id 420306
Description This article describes the guest captive portal flow with Cisco ISE.
Scope FortiGate, Cisco ISE.
Solution

Guest captive portal authentication with Cisco ISE proceeds in several phases on FortiGate.

Initially, FortiGate redirects the client to the ISE guest captive portal. Once the user authenticates there with the guest username and password, FortiGate maps the authentication entry for the client's IP address to its MAC address.

 

If the authentication list on FortiGate shows only the user's MAC address entry, with no group information attached, authentication is not yet complete. The user cannot browse the Internet at this stage because the firewall policy is configured to match a user group, and that group is not populated until ISE returns it.

 

diagnose firewall auth list

192.168.0.1, 9C-B1-50-8E-AD-64
type: other, id: 0, duration: 96, idled: 0
flag(10): radius
server: OPs-ISE-01
packets: in 1663 out 258, bytes: in 947394 out 28922

 

The above output shows that authentication is not yet successful: there is no group information mapped to the entry.
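The check described above (an entry is present, but no group is mapped to it) is easy to automate when many guests are stuck. The following is an added example, not part of the original article: a Python parser for 'diagnose firewall auth list' output that flags sessions without a group. The sample output is constructed; its first entry is the one shown above, and the second is a constructed entry in the format assumed for a session after ISE has returned a group (a 'group_id: N group_name: NAME' line), so that exact line format is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `diagnose firewall auth list` output. The first entry is the
# one from the article (MAC-only, no group: the portal login has not completed).
# The second is a constructed entry in the format assumed for a session after ISE
# has returned group information (group_id / group_name line).
SAMPLE = """\
192.168.0.1, 9C-B1-50-8E-AD-64
        type: other, id: 0, duration: 96, idled: 0
        flag(10): radius
        server: OPs-ISE-01
        packets: in 1663 out 258, bytes: in 947394 out 28922

192.168.0.25, 9C-B1-50-8E-AD-65
        type: other, id: 0, duration: 12, idled: 0
        flag(10): radius
        server: OPs-ISE-01
        group_id: 2 group_name: GUEST-USERS
        packets: in 20 out 10, bytes: in 1400 out 900
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")
HEADER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)$")


@dataclass
class AuthEntry:
    ip: str
    user: str
    server: str = ""
    duration: int = 0
    groups: list = field(default_factory=list)

    @property
    def mac_username(self) -> bool:
        # A MAC address as user name means the session was created by the
        # MAC-based Access-Request, not by a named user login.
        return bool(MAC_RE.match(self.user))

    @property
    def pending(self) -> bool:
        # The article's check: RADIUS entry present but no group mapped means
        # the guest has not finished the ISE portal login yet.
        return not self.groups


def parse_auth_list(text: str) -> list:
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = AuthEntry(ip=m.group(1), user=m.group(2))
            entries.append(cur)
            continue
        if cur is None:
            continue  # skip anything before the first "ip, user" header
        if line.startswith("server:"):
            cur.server = line.split(":", 1)[1].strip()
        elif line.startswith("group_id:"):
            gm = re.search(r"group_name:\s*(\S+)", line)
            if gm:
                cur.groups.append(gm.group(1))
        elif line.startswith("type:"):
            dm = re.search(r"duration:\s*(\d+)", line)
            if dm:
                cur.duration = int(dm.group(1))
    return entries


def pending_sessions(text: str) -> list:
    """(ip, user) of sessions that exist on the FortiGate but carry no group,
    i.e. guests still stuck at the portal and blocked by the group-based policy."""
    return [(e.ip, e.user) for e in parse_auth_list(text) if e.pending]


if __name__ == "__main__":
    for e in parse_auth_list(SAMPLE):
        state = ("PENDING: no group, portal login not completed" if e.pending
                 else "AUTHORIZED: groups=%s" % ",".join(e.groups))
        print("%-15s %-18s server=%-11s %s" % (e.ip, e.user, e.server, state))
```

Feed the script the real output (for example, pasted from an SSH session) instead of SAMPLE; any entry reported as PENDING is a client that has been redirected but has not completed the ISE portal login, or for which the CoA re-authentication has not returned a group yet.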

After the user provides credentials, FortiGate generates a RADIUS Access-Request in which the User-Name (and Calling-Station-Id) is the client's MAC address rather than the guest username, with Service-Type set to Call-Check, which is how ISE recognises a MAC authentication request.

 

Sniffer output:

 

RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0x4a (74)
Length: 236
Authenticator: 784333a1f5015a560258db3e039e07cd
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: t=User-Name(1) l=19 val=9C-B1-50-8E-AD-64
Type: 1
Length: 19
User-Name: 9C-B1-50-8E-AD-64
AVP: t=User-Password(2) l=34 val=Encrypted
AVP: t=Calling-Station-Id(31) l=19 val=9C-B1-50-8E-AD-64
AVP: t=NAS-IP-Address(4) l=6 val=0.0.0.0
AVP: t=NAS-Identifier(32) l=30 val=192.168.0.1,/5246-GUEST-TEST
AVP: t=Called-Station-Id(30) l=33 val=78-18-EC-70-5E-B8:OPS-Guest-new
AVP: t=NAS-Port-Type(61) l=6 val=Wireless-802.11(19)
AVP: t=Service-Type(6) l=6 val=Call-Check(10)
AVP: t=Vendor-Specific(26) l=21 vnd=Fortinet, Inc.(12356)
AVP: t=Vendor-Specific(26) l=24 vnd=Fortinet, Inc.(12356)
AVP: t=Message-Authenticator(80) l=18 val=c9f72513a599d9c92178fd19f7e72006

 

Once the end user reaches the guest portal and logs in successfully, the next step is a Change of Authorization (CoA, RFC 5176) that grants the user full guest access.

ISE then sends a CoA request to FortiGate; FortiGate acknowledges it and clears the old session. CoA is what makes the network change the user's access level immediately after the ISE guest portal process completes.

 

To enable CoA on the RADIUS server object, use the following commands. ISE must also be able to reach FortiGate on the CoA port (UDP 3799), otherwise the CoA is never received and the session stays in the pre-authentication state:

 

config user radius
    edit "radius server"
        set radius-coa enable <-----
    next
end

 

After the CoA, FortiGate re-authenticates the user to ISE.

FortiGate asks ISE for:

  • Group (on FortiGate this arrives as the Fortinet-Group-Name vendor-specific attribute, which is what the user group in the firewall policy matches).
  • VLAN.
  • Role.
  • Firewall information.

 

Those come in the RADIUS Access-Accept. Once the group is mapped, the entry in 'diagnose firewall auth list' shows the group information and the group-based firewall policy starts to match the user's traffic.
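To make the two RADIUS messages in this flow concrete (the Access-Request shown in the sniffer output earlier, and the Access-Accept that carries the group), the following is an added example in Python and not Fortinet's, Cisco's or the article's own code. It builds the same Access-Request (MAC as User-Name, User-Password and Calling-Station-Id, Service-Type Call-Check, NAS-IP-Address 0.0.0.0), implements the RFC 2865 User-Password hiding and the RFC 2869 Message-Authenticator, and decodes an Access-Accept carrying the Fortinet-Group-Name VSA (vendor 12356, type 1). The shared secret, the Request Authenticator and the group name GUEST-USERS are assumptions; the two Fortinet VSAs present in the capture are left out, so the constructed request is 191 bytes where the captured one is 236 (the omitted VSAs are 21 + 24 bytes).

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attributes present in the article's capture (RFC 2865, RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 6: "Service-Type",
         30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
         61: "NAS-Port-Type", 80: "Message-Authenticator"}
CALL_CHECK, WIRELESS_80211 = 10, 19        # Service-Type / NAS-Port-Type values in the capture
FORTINET, FORTINET_GROUP_NAME = 12356, 1   # Fortinet VSA that carries the group for the policy


def avp(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value   # value must be <= 253 bytes


def iter_avps(pkt):
    off = 20
    while off < len(pkt):
        t, ln = pkt[off], pkt[off + 1]
        if ln < 2 or off + ln > len(pkt):
            raise ValueError("malformed AVP at offset %d" % off)
        yield off, t, pkt[off + 2:off + ln]
        off += ln


def pw_xor(data, secret, authenticator, hiding):
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous hidden block), the first keyed on the Request Authenticator.
    Call with hiding=False on the hidden bytes to recover the cleartext."""
    blocks = data.ljust(((len(data) + 15) // 16 or 1) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(blocks), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(blocks[i:i + 16], key))
        out, prev = out + block, (block if hiding else blocks[i:i + 16])
    return out if hiding else out.rstrip(b"\x00")


def build_access_request(ident, secret, mac, nas_id, called, authenticator=None):
    """The request from the capture, minus its two Fortinet VSAs: the client MAC is
    User-Name, User-Password and Calling-Station-Id; Service-Type is Call-Check."""
    auth = authenticator or os.urandom(16)
    attrs = (avp(1, mac.encode())
             + avp(2, pw_xor(mac.encode(), secret, auth, True))
             + avp(31, mac.encode())
             + avp(4, bytes(4))                      # NAS-IP-Address 0.0.0.0, as captured
             + avp(32, nas_id.encode())
             + avp(30, called.encode())
             + avp(61, struct.pack("!I", WIRELESS_80211))
             + avp(6, struct.pack("!I", CALL_CHECK))
             + avp(80, bytes(16)))                   # Message-Authenticator, zero until signed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with the attribute value zeroed.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt, secret):
    for off, t, val in iter_avps(pkt):
        if t == 80 and len(val) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), val)
    return False   # attribute absent: do not treat the packet as authentic


def build_access_accept(request, secret, group):
    """The reply that populates the group on the FortiGate: Fortinet-Group-Name VSA
    (vendor 12356, type 1), with the Response Authenticator bound to the request."""
    g = group.encode()
    attrs = avp(26, struct.pack("!IBB", FORTINET, FORTINET_GROUP_NAME, len(g) + 2) + g)
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response_authenticator(resp, request, secret):
    """NAS-side check (RFC 2865 3): the reply must hash our Request Authenticator and secret."""
    expect = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(expect, resp[4:20])


def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    out = {"code": code, "id": ident, "length": length}
    for _, t, v in iter_avps(pkt):
        name = NAMES.get(t, "Attr-%d" % t)
        if t == 26:                                   # Vendor-Specific
            vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
            if vendor == FORTINET and vtype == FORTINET_GROUP_NAME:
                out["Fortinet-Group-Name"] = v[6:vlen + 4].decode()
        elif t in (6, 61):
            out[name] = struct.unpack("!I", v)[0]
        elif t == 4:
            out[name] = ".".join(str(b) for b in v)
        elif t in (2, 80):
            out[name] = v.hex()
        else:
            out[name] = v.decode(errors="replace")
    return out
```

Calling build_access_request(0x4A, secret, "9C-B1-50-8E-AD-64", "192.168.0.1,/5246-GUEST-TEST", "78-18-EC-70-5E-B8:OPS-Guest-new") and decoding the result reproduces the attribute lengths seen in the capture (User-Name 19, User-Password 34, NAS-Identifier 30, Called-Station-Id 33), and build_access_accept on that request yields an Access-Accept whose decoded Fortinet-Group-Name is the group the firewall policy would match. The 32-byte hidden User-Password is consistent with the 17-character MAC string padded to the next 16-byte boundary; verify_message_authenticator is the check a RADIUS server performs before trusting such a request, and verify_response_authenticator the check the NAS performs on the reply.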

 

Related articles:

Technical Tip: RADIUS attributes sent to the server by the FortiGate as a RADIUS client

Technical Tip: Restricting RADIUS connections based on the 'Connect Info' attribute on FortiGate and...

Technical Tip: RADIUS COA behavior