FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Kush_Patel
Staff
Staff
Article Id 296728
Description This article describes step-by-step instructions to implement a guest network solution based on FortiOS using a tunnel mode SSID with HPE Aruba ClearPass version 6.11.6 as a captive portal.
Scope FortiGate 7.0 and above.
Solution

Configuration on FortiGate:

 

  1. Create ClearPass as a RADIUS server for the MAC-Caching part:

 radiusssss.png

 
  1. Create a user-group that ClearPass will return after authentication is successful, it is ‘Guest-Users’ in this scenario.

 usrgrp.PNG

 

In the CLI:

 

config user group

edit "Guest-Users"

set member "ClearPass-Radius-SRV"

config match

edit 1

set server-name "ClearPass-Radius-SRV"

set group-name "Guest-Users"

next

end

next

end

 

  1. Now create the SSID in tunnel mode as shown below:

    In the GUI:

 SSID_config_1.PNG

 

SSID_config_2.PNG

 

In the CLI:

 

config wireless-controller vap

edit "FortinetGuest"

set ssid "FortinetGuest"

set security captive-portal

set external-web "fqdn-to-clearpass-guest-portal/guest/pagename.php" <- The URL of the web server hosting login page.

set mac-auth-bypass enable <- This is to allow MAC Caching (MAC authentication bypass).

set selected-usergroups "Guest-Users"

set security-exempt-list "FortinetGuest-exempt-list" <- This should allow http/https, dns, etc. to resolve the ClearPass server and any other exempt destinations/services being allowed before signing on to the guest network.

set auth-cert "name-of-ssl-cert"

set auth-portal-addr "fqdn-to-dns-name-of-fortigate-guest-ssid-ip"

set schedule "always"

next

end

 

Login/splash page hosted on an External Web Server:

 

  • Use to collect username and password of users.
  • Submit the user credentials directly to FortiGate via a post method.
  • When FortiGate receives the client credentials, FortiGate starts the authentication phase.
  • When the client is authorized, the client will be able to access the allowed network.

 

  1. Global configuration if using only one FQDN for SSID for captive portal authentication on FortiGate:

 

config user setting

set auth-type https  <- Supported firewall policy authentication protocols/methods.

set auth-cert "name-of-ssl-cert"  <- HTTPS server certificate for policy authentication.

set auth-secure-http enable  <- Enable/disable redirecting HTTP user authentication to more secure HTTPS.

set auth-ssl-allow-renegotiation enable  <- Allow/forbid SSL re-negotiation for HTTPS authentication.

set auth-on-demand always  <- Always/implicitly trigger firewall authentication on demand.

end

 

config firewall auth-portal

set portal-addr "fqdn-to-dns-name-of-fortigate-ssid-ip"   <- Address (or FQDN) of the authentication portal.

end

 

If more SSIDs would require different FDQNs, it may be better to configure this on the SSID itself as above (see step 3).

 

  1. Configure Firewall policies to allow access to users connected to SSID:


policyexempt.PNG

 

Here, an exemption has been configured for the top policy (‘To the ClearPass’) so that users can connect to the login page portal without authentication. If needed, some allowed websites can also be configured as exemption.

 

config firewall policy

    edit 7

        set name "To the ClearPass"

        set srcintf "FortinetGuest"

        set dstintf "port7"

        set action accept

        set srcaddr "all"

        set dstaddr "to-clearpass-guest-portal-login-page"

        set schedule "always"

        set service "ALL"

        set logtraffic all

        set nat enable

        set captive-portal-exempt enable

    next

end

 

An exemption can also be configured as described in the following articles:

 

 

Notes:

 

It is a prerequisite to have proper certificates signed by a public CA (Certificate Authority) installed on both the FortiGate and on the ClearPass guest portal to avoid warnings when clients connect to the guest network. The certificate may be a wildcard certificate or unique to the two devices. Failing to use a public signed certificate may cause connection warnings and failure to successfully connect to the guest network.

 

Refer to the following articles for certificate-warning related issues:

 

 

Configuration on the ClearPass policy server:

 

Two services (MAC Caching and then Guest Registration) must be configured on the ClearPass Policy Server.

 

  1. Configure the MAC Caching Service as shown below:

 

mac-caching-server.png

 

  1. The role mapping shown below is to allow the 'MAC Caching' role. The rest is the same as a regular guest role mapping.

 role-mapping.png

 

  1. Create the enforcement policy to allow access for a valid guest account without requiring a Captive Portal:

 

enforcemenet.png

 

Note that the 'Guest-Users' being sent need to match with the user-group (Guest-Users) created on the FortiGate earlier. Additionally, send the User-Name to see it on the FortiGate when looking at the users.

 

  1. Configure Guest Registration as shown here:

 guest-registration.png

 

Note the NAS-IP-Address where the FortiGate is included in the group.

 

  1. Create a Standard Guest Role Mapping Rule:

 guest-role.png

 

  1. Create the Standard guest enforcement, which sends the 'Guest-User' over to FortiGate and updates the account expiration time:

 

self-reg.png

 

  1. Configure the following as per the expectations (for the guest portal settings, if sponsor-based portal is desired, send SMS etc. like always and, for the NAS vendor settings, just use the default Fortinet FortiGate):

 tunnel-guest.png

 

It is still possible to use the previously used 'Custom' settings, but it is necessary to add the details in the 'Extra Fields' settings like this:

 

customize-self-reg.png

 

Note that the 'Submit URL:' section is the IP or FQDN of the FortiGate Guest Interface. It is highly recommended to use https port 1003 for the captive portal. However, when using http, ensure that the port number being used is 1000.

 

If a different port needs to be configured, change it using the following commands and the relevant article linked below:

 

config system global

set auth-http-port X (default value is port 1000 for http)

set auth-https-port Y (default value is port 1003 for https)

end

 

Technical Tip: Change the captive portal port.

 

Troubleshooting commands:

 

diagnose debug reset

diagnose debug disable

diagnose debug application fnbamd -1

diagnose debug enable