Created on 01-30-2024 08:44 AM, edited on 07-22-2025 10:16 PM, by Anthony_E
Description: This article provides step-by-step instructions for implementing a guest network solution based on FortiOS, utilizing a tunnel mode SSID with HPE Aruba ClearPass v6.11.6 as a captive portal.
Scope: FortiGate v7.0 and above.
Solution:
Configuration on FortiGate:
In the CLI:
config user group
    edit "Guest-Users"
        set member "ClearPass-Radius-SRV"
        config match
            edit 1
                set server-name "ClearPass-Radius-SRV"
                set group-name "Guest-Users" <- Must match the group name that ClearPass returns for guest users.
            next
        end
    next
end
In the GUI:
In the CLI:
config wireless-controller vap
    edit "FortinetGuest"
        set ssid "FortinetGuest"
        set security captive-portal
        set external-web "https://fqdn-to-clearpass-guest-portal/guest/pagename.php" <- The URL of the web server hosting the login page. It requires a valid certificate on the ClearPass server.
        set mac-auth-bypass enable <- This allows MAC Caching (MAC authentication bypass).
        set selected-usergroups "Guest-Users"
        set security-exempt-list "FortinetGuest-exempt-list" <- This should allow DNS resolution and access to the ClearPass server and any other exempt destinations/services that are allowed before signing on to the guest network.
        set auth-cert "name-of-ssl-cert"
        set auth-portal-addr "fqdn-to-dns-name-of-fortigate-guest-ssid-ip" <- Local setting, relevant for this SSID's firewall policy only.
        set schedule "always"
    next
end
Login/splash page hosted on an External Web Server:
config user setting
    set auth-type http https <- Supported firewall policy authentication protocols/methods. HTTP usually must be included, as captive portal detection by clients is based on unencrypted HTTP.
    set auth-cert "name-of-ssl-cert" <- HTTPS server certificate for policy authentication.
    set auth-secure-http enable <- Enable/disable redirecting HTTP user authentication to secure HTTPS.
    set auth-ssl-allow-renegotiation enable <- Allow/forbid SSL re-negotiation for HTTPS authentication.
    set auth-on-demand always <- Always/implicitly trigger firewall authentication on demand.
end

config firewall auth-portal
    set portal-addr "fqdn-to-dns-name-of-fortigate-ssid-ip" <- Address (or FQDN) of the FortiGate.
end
Note: For HTTPS, 'config firewall auth-portal' must be set to a resolvable FQDN of the FortiGate. This is a global setting that applies to all policies.
If more SSIDs require different FQDNs, it may be better to configure the portal address on the SSID itself, as shown above (see step 3).
Here, an exemption has been configured on the top policy ('To the ClearPass') so that users can reach the portal login page without authenticating first. If needed, some allowed websites can also be configured as exemptions.
config firewall policy
    edit 7
        set name "To the ClearPass"
        set srcintf "FortinetGuest"
        set dstintf "port7"
        set action accept
        set srcaddr "all"
        set dstaddr "to-clearpass-guest-portal-login-page"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set captive-portal-exempt enable
    next
end
An exemption can also be configured as described in the following article: Technical Tip: Captive Portal Exempt list
Note: It is a prerequisite to have proper certificates signed by a public CA (Certificate Authority) installed on both the FortiGate and the ClearPass guest portal to avoid warnings when users connect to the guest network. The certificate may be a wildcard certificate or unique to the two devices. Failing to use a publicly signed certificate may cause connection warnings and failure to successfully connect to the guest network.
Refer to the following article for certificate-warning-related issues: Technical Tip: Preventing certificate warnings using captive portal
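The configuration above references three objects by name without showing them: the RADIUS server object behind the 'Guest-Users' group, the address object used by the 'To the ClearPass' policy, and the security exempt list bound to the SSID. The following is an added example (not part of the original article) of those objects; the ClearPass IP address, the FortiGate NAS IP, the shared secret and the portal FQDN are placeholders, and the comment lines should be dropped before pasting into the CLI.

```fortios
# Added example, placeholder values.
# RADIUS server object that the "Guest-Users" user group is a member of.
# nas-ip fixes the NAS-IP-Address attribute that the ClearPass service matches on.
config user radius
    edit "ClearPass-Radius-SRV"
        set server "192.0.2.10"
        set secret "REPLACE-WITH-SHARED-SECRET"
        set nas-ip "192.0.2.1"
    next
end

# FQDN address object for the ClearPass guest portal. The same object is used by the
# "To the ClearPass" policy and by the security exempt list, so both stay in sync when
# the portal's address changes.
config firewall address
    edit "to-clearpass-guest-portal-login-page"
        set type fqdn
        set fqdn "fqdn-to-clearpass-guest-portal"
    next
end

# Security exempt list bound to the SSID. Unauthenticated clients may only resolve DNS and
# reach the portal on HTTP/HTTPS; any other destination is still redirected to the portal.
config user security-exempt-list
    edit "FortinetGuest-exempt-list"
        config rule
            edit 1
                set srcaddr "all"
                set dstaddr "to-clearpass-guest-portal-login-page"
                set service "DNS" "HTTP" "HTTPS"
            next
        end
    next
end
```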
Configuration on the ClearPass policy server: Two services (MAC Caching and then Guest Registration) must be configured on the ClearPass Policy Server.
The 'Guest-Users' group name sent by ClearPass needs to match the user group (Guest-Users) created on the FortiGate earlier. Additionally, send the User-Name attribute so that the user is shown by name on the FortiGate when looking at the authenticated users.
The service matches on the NAS-IP-Address, where the FortiGate's IP address is included in the device group.
It is still possible to use the 'Custom' vendor settings used previously, but the details must then be added in the 'Extra Fields' settings like this:
The 'Submit URL:' field is the IP or FQDN of the FortiGate guest interface. It is highly recommended to use HTTPS on port 1003 for the captive portal (implied by auth-secure-http enable). However, when using HTTP, ensure that the port number entered is 1000.
If a different port needs to be configured, change it using the following commands and the relevant article linked below:
config system global
    set auth-http-port X <-- Default value is port 1000 for HTTP.
    set auth-https-port Y <-- Default value is port 1003 for HTTPS.
end
Related article: Technical Tip: Change the captive portal port
Troubleshooting steps:
diagnose sniffer packet any 'host xxx.xxx.xxx.xxx' 6 0 a <--- Replace xxx.xxx.xxx.xxx with the client's IP address. The trailing '6 0 a' means verbosity level 6, an unlimited packet count, and absolute timestamps.
Alternatively, a packet capture (PCAP) taken from the FortiGate GUI shows the client's DNS lookup, followed by the handshakes towards the FortiGate and subsequently towards the external captive portal.
Copyright 2025 Fortinet, Inc. All Rights Reserved.