Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external captive portal on Tunnel mode SSID

Kush_Patel · ‎01-30-2024

Description

This article describes step-by-step instructions to implement a guest network solution based on FortiOS using a tunnel mode SSID with HPE Aruba ClearPass version 6.11.6 as a captive portal.

Scope

FortiGate 7.0 and above.

Solution

Configuration on FortiGate:

Create ClearPass as a RADIUS server for the MAC-Caching part:

Create a user-group that ClearPass will return after authentication is successful, it is ‘Guest-Users’ in this scenario.

In the CLI:

config user group

edit "Guest-Users"

set member "ClearPass-Radius-SRV"

config match

edit 1

set server-name "ClearPass-Radius-SRV"

set group-name "Guest-Users"

Now create the SSID in tunnel mode as shown below:

In the GUI:

In the CLI:

config wireless-controller vap

edit "FortinetGuest"

set ssid "FortinetGuest"

set security captive-portal

set external-web "fqdn-to-clearpass-guest-portal/guest/pagename.php" <- The URL of the web server hosting login page.

set mac-auth-bypass enable <- This is to allow MAC Caching (MAC authentication bypass).

set selected-usergroups "Guest-Users"

set security-exempt-list "FortinetGuest-exempt-list" <- This should allow http/https, dns, etc. to resolve the ClearPass server and any other exempt destinations/services being allowed before signing on to the guest network.

set auth-cert "name-of-ssl-cert"

set auth-portal-addr "fqdn-to-dns-name-of-fortigate-guest-ssid-ip"

set schedule "always"

Login/splash page hosted on an External Web Server:

Use to collect username and password of users.
Submit the user credentials directly to FortiGate via a post method.
When FortiGate receives the client credentials, FortiGate starts the authentication phase.
When the client is authorized, the client will be able to access the allowed network.

Global configuration if using only one FQDN for SSID for captive portal authentication on FortiGate:

config user setting

set auth-type https <- Supported firewall policy authentication protocols/methods.

set auth-cert "name-of-ssl-cert" <- HTTPS server certificate for policy authentication.

set auth-secure-http enable <- Enable/disable redirecting HTTP user authentication to more secure HTTPS.

set auth-ssl-allow-renegotiation enable <- Allow/forbid SSL re-negotiation for HTTPS authentication.

set auth-on-demand always <- Always/implicitly trigger firewall authentication on demand.

end

config firewall auth-portal

set portal-addr "fqdn-to-dns-name-of-fortigate-ssid-ip" <- Address (or FQDN) of the authentication portal.

end

If more SSIDs would require different FDQNs, it may be better to configure this on the SSID itself as above (see step 3).

Configure Firewall policies to allow access to users connected to SSID:

Here, an exemption has been configured for the top policy (‘To the ClearPass’) so that users can connect to the login page portal without authentication. If needed, some allowed websites can also be configured as exemption.

config firewall policy

edit 7

set name "To the ClearPass"

set srcintf "FortinetGuest"

set dstintf "port7"

set action accept

set srcaddr "all"

set dstaddr "to-clearpass-guest-portal-login-page"

set schedule "always"

set service "ALL"

set logtraffic all

set nat enable

set captive-portal-exempt enable

An exemption can also be configured as described in the following articles:

Notes:

It is a prerequisite to have proper certificates signed by a public CA (Certificate Authority) installed on both the FortiGate and on the ClearPass guest portal to avoid warnings when clients connect to the guest network. The certificate may be a wildcard certificate or unique to the two devices. Failing to use a public signed certificate may cause connection warnings and failure to successfully connect to the guest network.

Refer to the following articles for certificate-warning related issues:

Configuration on the ClearPass policy server:

Two services (MAC Caching and then Guest Registration) must be configured on the ClearPass Policy Server.

Configure the MAC Caching Service as shown below:

The role mapping shown below is to allow the 'MAC Caching' role. The rest is the same as a regular guest role mapping.

Create the enforcement policy to allow access for a valid guest account without requiring a Captive Portal:

Note that the 'Guest-Users' being sent need to match with the user-group (Guest-Users) created on the FortiGate earlier. Additionally, send the User-Name to see it on the FortiGate when looking at the users.

Configure Guest Registration as shown here:

Note the NAS-IP-Address where the FortiGate is included in the group.

Create a Standard Guest Role Mapping Rule:

Create the Standard guest enforcement, which sends the 'Guest-User' over to FortiGate and updates the account expiration time:

Configure the following as per the expectations (for the guest portal settings, if sponsor-based portal is desired, send SMS etc. like always and, for the NAS vendor settings, just use the default Fortinet FortiGate):

It is still possible to use the previously used 'Custom' settings, but it is necessary to add the details in the 'Extra Fields' settings like this:

Note that the 'Submit URL:' section is the IP or FQDN of the FortiGate Guest Interface. It is highly recommended to use https port 1003 for the captive portal. However, when using http, ensure that the port number being used is 1000.

If a different port needs to be configured, change it using the following commands and the relevant article linked below:

config system global

set auth-http-port X (default value is port 1000 for http)

set auth-https-port Y (default value is port 1003 for https)

end

Technical Tip: Change the captive portal port.

Troubleshooting commands:

diagnose debug reset

diagnose debug disable

diagnose debug application fnbamd -1

diagnose debug enable