Description: This article describes step-by-step instructions to implement a guest network solution based on FortiOS using a tunnel mode SSID with HPE Aruba ClearPass version 6.11.6 as a captive portal.
Scope: FortiGate 7.0 and above.
Solution:
Configuration on FortiGate:
In the CLI:
config user group
    edit "Guest-Users"
        set member "ClearPass-Radius-SRV"
        config match
            edit 1
                set server-name "ClearPass-Radius-SRV"
                set group-name "Guest-Users"   <- Group name that ClearPass must return for the user to land in this FortiGate group.
            next
        end
    next
end
In the CLI:
config wireless-controller vap
    edit "FortinetGuest"
        set ssid "FortinetGuest"
        set security captive-portal
        set external-web "fqdn-to-clearpass-guest-portal/guest/pagename.php"   <- The URL of the web server hosting the login page.
        set mac-auth-bypass enable   <- Allows MAC caching (MAC authentication bypass) so that devices ClearPass already knows skip the portal.
        set selected-usergroups "Guest-Users"
        set security-exempt-list "FortinetGuest-exempt-list"   <- Must allow DNS plus HTTP/HTTPS to the ClearPass server, and any other destinations/services permitted before signing on to the guest network.
        set auth-cert "name-of-ssl-cert"
        set auth-portal-addr "fqdn-to-dns-name-of-fortigate-guest-ssid-ip"
        set schedule "always"
    next
end
Login/splash page hosted on an External Web Server:
config user setting
    set auth-type https   <- Firewall policy authentication protocols/methods allowed (HTTPS only here).
    set auth-cert "name-of-ssl-cert"   <- HTTPS server certificate for policy authentication.
    set auth-secure-http enable   <- Redirect HTTP user authentication to the more secure HTTPS.
    set auth-ssl-allow-renegotiation enable   <- Allow SSL renegotiation for HTTPS authentication.
    set auth-on-demand always   <- Always trigger firewall authentication on demand.
end
config firewall auth-portal
    set portal-addr "fqdn-to-dns-name-of-fortigate-ssid-ip"   <- Address (or FQDN) of the authentication portal.
end
If several SSIDs need different FQDNs, it is better to set auth-portal-addr on each SSID itself, as shown in the VAP configuration above, rather than globally in 'config firewall auth-portal'.
Here, an exemption has been configured on the top policy ('To the ClearPass') so that unauthenticated users can reach the login page portal. Other permitted websites can be exempted the same way if needed. Because exempt traffic bypasses authentication entirely, keep the destination restricted to the ClearPass portal address object and narrow the service from ALL to what the portal actually needs (DNS, HTTP and HTTPS) where possible.
config firewall policy
    edit 7
        set name "To the ClearPass"
        set srcintf "FortinetGuest"
        set dstintf "port7"
        set action accept
        set srcaddr "all"
        set dstaddr "to-clearpass-guest-portal-login-page"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set captive-portal-exempt enable
    next
end
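The FortiGate side of the setup above has several settings that must agree with each other (the SSID's selected user group must exist and carry a 'config match' entry for the RADIUS server, the exempt list must be set, the external portal should be reached over HTTPS, and policy authentication should be HTTPS-only). The following script, an added example that is not Fortinet code, parses a FortiOS CLI dump with the config/edit/set/next/end grammar used on this page and reports which of those requirements a given SSID fails. The sample configuration, the certificate name "guest-cert", the portal URL under example.com and the hostnames are constructed for the demonstration.

```python
import shlex
from typing import Any, Dict, List


def parse_fortios(text: str) -> Dict[str, Any]:
    """Parse FortiOS CLI (config/edit/set/unset/next/end) into nested dicts.
    Inline '<-' annotations, as used in this article, are ignored."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.split("<-", 1)[0].strip()
        if not line:
            continue
        cmd, *args = shlex.split(line)
        cur = stack[-1]
        if cmd in ("config", "edit"):          # open a table or a table entry
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "set":
            cur[args[0]] = args[1:]            # setting -> list of values
        elif cmd == "unset":
            cur.pop(args[0], None)
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected FortiOS token {cmd!r}: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit versus next/end")
    return root


def radius_group_names(cfg: Dict[str, Any], vap_name: str) -> set:
    """Group-name values the RADIUS server must return for the SSID's user groups to match."""
    vap = cfg.get("wireless-controller vap", {}).get(vap_name, {})
    names = set()
    for ug in vap.get("selected-usergroups", []):
        for m in cfg.get("user group", {}).get(ug, {}).get("match", {}).values():
            names.update(m.get("group-name", []))
    return names


def check_guest_ssid(cfg: Dict[str, Any], vap_name: str) -> List[str]:
    """Return a list of findings; an empty list means the SSID follows the article's setup."""
    problems = []
    vap = cfg.get("wireless-controller vap", {}).get(vap_name)
    if vap is None:
        return [f"SSID {vap_name!r} is not defined"]
    if vap.get("security") != ["captive-portal"]:
        problems.append("security must be captive-portal for an external portal")
    if not vap.get("external-web", [""])[0].startswith("https://"):
        problems.append("external-web should be an https:// URL on the ClearPass guest portal")
    if not vap.get("security-exempt-list"):
        problems.append("no security-exempt-list: clients cannot reach ClearPass before login")
    if not vap.get("auth-cert"):
        problems.append("auth-cert unset: clients get the default self-signed portal certificate")
    groups = vap.get("selected-usergroups", [])
    if not groups:
        problems.append("no selected-usergroups: no RADIUS group can authorize the session")
    for ug in groups:
        if ug not in cfg.get("user group", {}):
            problems.append(f"selected user group {ug!r} is not defined")
        elif not cfg["user group"][ug].get("match"):
            problems.append(f"user group {ug!r} has no 'config match' entry for the RADIUS server")
    us = cfg.get("user setting", {})
    if us.get("auth-type") != ["https"]:
        problems.append("user setting auth-type should be https (credentials travel in clear otherwise)")
    if us.get("auth-secure-http") != ["enable"]:
        problems.append("auth-secure-http disabled: HTTP logins are not redirected to HTTPS")
    return problems


# Constructed sample mirroring the article's FortiGate configuration (names are placeholders).
GOOD_CONFIG = """
config user group
    edit "Guest-Users"
        set member "ClearPass-Radius-SRV"
        config match
            edit 1
                set server-name "ClearPass-Radius-SRV"
                set group-name "Guest-Users"
            next
        end
    next
end
config wireless-controller vap
    edit "FortinetGuest"
        set ssid "FortinetGuest"
        set security captive-portal
        set external-web "https://guest.example.com/guest/login.php"   <- constructed placeholder
        set selected-usergroups "Guest-Users"
        set security-exempt-list "FortinetGuest-exempt-list"
        set auth-cert "guest-cert"
        set auth-portal-addr "guest-gw.example.com"
    next
end
config user setting
    set auth-type https
    set auth-cert "guest-cert"
    set auth-secure-http enable
end
"""
# Same configuration with two of the article's requirements weakened.
WEAK_CONFIG = (GOOD_CONFIG.replace("set auth-secure-http enable", "set auth-secure-http disable")
               .replace('set external-web "https://', 'set external-web "http://'))

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        cfg = parse_fortios(text)
        print(label, radius_group_names(cfg, "FortinetGuest"), check_guest_ssid(cfg, "FortinetGuest"))
```

Paste the output of 'show wireless-controller vap', 'show user group' and 'show user setting' into the text to run the checks against a real unit; the reported RADIUS group names are the values ClearPass has to send back (see the ClearPass section below).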
An exemption can also be configured as described in the following articles:
Notes:
It is a prerequisite to have certificates signed by a public CA (Certificate Authority) installed on both the FortiGate and the ClearPass guest portal to avoid warnings when clients connect to the guest network. The FortiGate certificate must cover the auth-portal-addr FQDN and the ClearPass certificate must cover the external-web FQDN; a wildcard certificate covering both, or one certificate per device, both work. Without a publicly signed certificate, clients get browser warnings and may fail to complete the guest login.
Refer to the following articles for certificate-warning related issues:
Configuration on the ClearPass policy server:
Two services (MAC Caching and then Guest Registration) must be configured on the ClearPass Policy Server.
Note that the group name ClearPass returns (the Fortinet-Group-Name vendor-specific attribute, 'Guest-Users' here) must match the group-name in the 'config match' entry of the user group (Guest-Users) created on the FortiGate earlier. Additionally, return the User-Name so that the user is shown by name on the FortiGate when listing authenticated users.
Note the NAS-IP-Address condition: the FortiGate's address must be part of the device group that this service matches on, otherwise the request falls through to another service.
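What the two sides exchange after a successful guest login is a RADIUS Access-Accept carrying User-Name and the Fortinet-Group-Name attribute, which the FortiGate compares against the group-name of its 'config match' entries. The following is an added example, not ClearPass or Fortinet code, that builds such an Access-Accept the way the RADIUS server would, then verifies and parses it the way the NAS does, including the Response Authenticator check that a wrong shared secret or a forged reply fails. The vendor ID 12356 and attribute number 1 are Fortinet's; the shared secret, packet identifier, request authenticator and user name are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name vendor type


def attr(atype: int, value: bytes) -> bytes:
    """Standard RADIUS attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def fortinet_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute (26) wrapping one Fortinet vendor attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + inner)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        username: str, groups: List[str]) -> bytes:
    """RADIUS server side: Access-Accept with User-Name and one Fortinet-Group-Name per group."""
    attrs = attr(ATTR_USER_NAME, username.encode())
    for g in groups:
        attrs += fortinet_vsa(FORTINET_GROUP_NAME, g.encode())
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def response_authenticator_ok(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with the shared secret."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def parse_access_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> Tuple[str, List[str]]:
    """NAS side: verify the reply, then collect User-Name and every Fortinet-Group-Name."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        raise ValueError("not a well-formed Access-Accept")
    if not response_authenticator_ok(pkt, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    attrs, username, groups, i = pkt[20:], "", [], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[i + 2:i + alen]
        if atype == ATTR_USER_NAME:
            username = value.decode()
        elif atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vlen != len(value) - 4:
                raise ValueError("malformed vendor attribute")
            if vtype == FORTINET_GROUP_NAME:
                groups.append(value[6:4 + vlen].decode())
        i += alen
    return username, groups


def matched_user_groups(groups_sent: List[str], fortigate_matches: Dict[str, List[str]]) -> List[str]:
    """Mirror of 'config match': {fortigate user group: [group-name values]} -> groups the session joins."""
    return sorted(ug for ug, names in fortigate_matches.items() if set(names) & set(groups_sent))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed, not a real secret
    req_auth = os.urandom(16)                      # Request Authenticator from the Access-Request
    pkt = build_access_accept(7, req_auth, secret, "guest@example.com", ["Guest-Users"])
    user, groups = parse_access_accept(pkt, req_auth, secret)
    print(user, groups, matched_user_groups(groups, {"Guest-Users": ["Guest-Users"]}))
```

If the group name ClearPass sends is not one of the group-name values in the FortiGate's 'config match' entries, matched_user_groups returns an empty list, which is exactly the case where the user authenticates on ClearPass but is still not authorized on the FortiGate policy that references Guest-Users.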
It is still possible to use the previously used 'Custom' settings, but it is necessary to add the details in the 'Extra Fields' settings like this:
Note that the 'Submit URL:' field is the IP or FQDN of the FortiGate guest interface (the auth-portal-addr configured above). It is highly recommended to use HTTPS on port 1003 for the captive portal; if HTTP is used instead, the port must be 1000. These are the FortiGate defaults for the authentication portal.
If a different port needs to be configured, change it using the following commands and the relevant article linked below:
config system global
    set auth-http-port X    <- Default is port 1000 for HTTP.
    set auth-https-port Y   <- Default is port 1003 for HTTPS.
end
Technical Tip: Change the captive portal port.
Troubleshooting commands:
diagnose debug reset
diagnose debug disable
diagnose debug application fnbamd -1
diagnose debug enable
Copyright 2024 Fortinet, Inc. All Rights Reserved.