FortiGate
Kush_Patel
Staff
Article Id 296760
Description

This article gives step-by-step instructions for implementing a guest network on FortiOS using a bridge mode SSID, with HPE Aruba ClearPass version 6.11.6 acting as the external captive portal.

Scope

FortiGate running FortiOS 7.0 and above.

Solution

Configuration on FortiGate:

 

  1. Follow steps 1 and 2 in Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external ...

  2. On the FortiGate, select the interface on which bridge mode clients will arrive (their gateway, where the captive portal is enforced). In the following example, VLAN41 (under physical interface port3) is used for clients connecting to the bridge mode SSID.

In the GUI:

 vlan_1.PNG

 

vlan2.PNG

 

In the CLI:

 

config system interface
    edit "VLAN41"
        set vdom "root"
        set ip 10.10.41.41 255.255.255.0
        set allowaccess ping radius-acct
        set security-mode captive-portal
        set security-mac-auth-bypass enable <----- Allows MAC caching (MAC authentication bypass); see the note below.
        set security-external-web "fqdn-to-clearpass-guest-portal/guest/pagename.php" <----- URL of the ClearPass web login page that unauthenticated clients are redirected to.
        set auth-cert "name-of-ssl-cert" <----- Certificate presented by the FortiGate captive portal; its subject should match the FQDN in auth-portal-addr so guests do not get a browser warning.
        set auth-portal-addr "fqdn-to-dns-name-of-fortigate-vlan-ip"
        set security-exempt-list "VLAN41-exempt-list" <----- Must allow DNS and HTTP/HTTPS to the ClearPass server, plus any other destinations/services permitted before sign-on.
        set security-groups "Guest-Users"
        set device-identification enable
        set role lan
        set snmp-index 21
        set interface "port3"
        set vlanid 41
    next
end

 

Login/splash page hosted on an External Web Server:

 

Note regarding security-mac-auth-bypass:

  • The security-mac-auth-bypass setting on the FortiGate works together with MAC caching / MAC Authentication Bypass (MAB) on the ClearPass server. ClearPass can cache the client's source MAC address (associated with its source IP) for an admin-defined period; if the user has to re-authenticate to the FortiGate for any reason during that period, the captive portal page is skipped and the client is authenticated immediately by MAC address.
  • This is useful when the FortiGate auth-timeout is shorter than the ClearPass MAC caching period (for example, the FortiGate may expire the firewall user entry after two hours while ClearPass caches the MAC address for 8 hours, giving the user seamless re-authentication for the whole 8-hour period).
  • It is also useful for devices that cannot handle captive portals (for example, network printers).
  • However, if the requirement is that users must always see and accept the captive portal, disable security-mac-auth-bypass; otherwise a client can authenticate by MAC address alone and bypass the external captive portal. Keep in mind that a MAC address is trivially spoofable, so MAC caching admits any device that presents a cached address.

  

  3. Create the SSID in bridge mode as shown below:

 

In the GUI:

 Bridge-SSID.PNG

 

In the CLI:

 

config wireless-controller vap
    edit "Bridge_Guest"
        set ssid "FortiBridgeGuest"
        set security owe <----- or 'open' for clients that do not support OWE (see the note below)
        set pmf enable
        set mbo enable
        set local-bridging enable
        set intra-vap-privacy enable
        set schedule "always"
        set vlanid 41
        set probe-resp-suppression enable
        set sticky-client-remove enable
    next
end

 

  • security: Security mode for the wireless interface (open, or OWE for Opportunistic Wireless Encryption).
  • pmf: Protected Management Frames (802.11w) support (default = disable). OWE requires PMF.
  • mbo: Enable/disable Multiband Operation (default = disable).
  • local-bridging: Bridge client traffic onto the AP's wired VLAN instead of tunnelling it to the FortiGate (this is what makes it a bridge mode SSID).
  • intra-vap-privacy: Enable/disable blocking of communication between clients on the same SSID (intra-SSID privacy, also called client isolation) (default = disable). Recommended on a guest SSID so guests cannot reach each other's devices.
  • probe-resp-suppression: Enable/disable suppression of probe responses to clients with a weak signal (default = disable).
  • sticky-client-remove: Enable/disable removal of sticky clients, so that only clients with a good signal level stay on the SSID (default = disable).

 

Note:

It is recommended to use OWE (Opportunistic Wireless Encryption) on the SSID so that traffic between the wireless client and the access point is encrypted even though the network is 'open' (no pre-shared key). OWE only protects the over-the-air link and does not authenticate the network to the client, so the captive portal must still be served over HTTPS. Older clients may not support OWE, so the alternatives are changing the security setting to open, or enabling owe-transition and specifying a fallback open SSID (see: FortiWiFi & FortiAP Config Guide - OWE Transition).
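The following Python script is an added example, not code from the article or from Fortinet. It parses FortiOS CLI text of the form shown in the two blocks above ('config ... edit ... set ... next ... end') and checks the interface and VAP pair for the points this section raises: captive-portal mode, the portal URL scheme, auth-cert, the exempt list, the security group, MAC-auth bypass (reported as a policy choice rather than a failure), local bridging, VLAN ID consistency between the VAP and the interface, OWE with PMF, and client isolation. The sample configuration is constructed from the article's snippets; the hostnames clearpass.example.net and guest-gw.example.net, the certificate name guest-portal-cert, and the choice of 'owe' are assumptions, and the second, deliberately weak VAP is constructed to show what the checker reports. The parser is general enough to run on a full 'show' output, not only these two blocks.

```python
"""Offline check of a FortiOS bridge-mode guest SSID with an external captive portal.
Added example (not from the article or from FortiOS): parses CLI text and flags the points
raised above: portal mode/URL/cert, exempt list, group, MAB, bridging, VLAN, OWE/PMF, isolation."""
import shlex
from typing import Dict, List, Optional, Tuple

Tables = Dict[str, Dict[str, Dict[str, List[str]]]]

# Constructed from the article's CLI blocks. Hostnames and the certificate
# name are placeholders (assumptions) and "owe" is chosen for 'security'.
SAMPLE_INTERFACE = """config system interface
    edit "VLAN41"
        set security-mode captive-portal
        set security-mac-auth-bypass enable   <----- MAC caching / MAB
        set security-external-web "https://clearpass.example.net/guest/guest_login.php"
        set auth-cert "guest-portal-cert"
        set auth-portal-addr "guest-gw.example.net"
        set security-exempt-list "VLAN41-exempt-list"
        set security-groups "Guest-Users"
        set vlanid 41
    next
end
"""
SAMPLE_VAP = """config wireless-controller vap
    edit "Bridge_Guest"
        set ssid "FortiBridgeGuest"
        set security owe
        set pmf enable
        set local-bridging enable
        set intra-vap-privacy enable
        set vlanid 41
    next
end
"""
# Deliberately weak variant (constructed): open, no client isolation, wrong VLAN.
WEAK_VAP = """config wireless-controller vap
    edit "Bridge_Guest"
        set security open
        set local-bridging enable
        set vlanid 40
    next
end
"""


def parse_fortios(text: str) -> Tables:
    """Parse config/edit/set/next/end text into {table: {entry: {key: values}}}.
    Table-level 'set' lines land under entry ""; KB-style '<-----' notes are dropped."""
    tables: Tables = {}
    stack: List[Tuple[str, Optional[str]]] = []  # (table, entry being edited)
    for raw in text.splitlines():
        words = shlex.split(raw.split("<-")[0])
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            name = " ".join(args)
            if stack and stack[-1][1] is not None:  # sub-table inside an entry
                name = f"{stack[-1][0]}/{stack[-1][1]}/{name}"
            tables.setdefault(name, {})
            stack.append((name, None))
        elif cmd == "edit":
            tables[stack[-1][0]].setdefault(args[0], {})
            stack[-1] = (stack[-1][0], args[0])
        elif cmd == "set":
            tables[stack[-1][0]].setdefault(stack[-1][1] or "", {})[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1] = (stack[-1][0], None)
        elif cmd == "end":
            stack.pop()
        else:
            raise ValueError(f"unsupported FortiOS line: {raw.strip()}")
    return tables


def check_guest_portal(t: Tables, iface: str, vap: str) -> List[Tuple[str, str]]:
    """Return (level, message) findings; level is FAIL, WARN or INFO."""
    i = t.get("system interface", {}).get(iface)
    v = t.get("wireless-controller vap", {}).get(vap)
    if i is None or v is None:
        return [("FAIL", f"interface {iface!r} or vap {vap!r} not found")]
    g = lambda e, k: " ".join(e.get(k, []))  # one setting as a single string
    web, sec = g(i, "security-external-web"), g(v, "security")
    rules = [  # (condition that triggers the finding, level, message)
        (g(i, "security-mode") != "captive-portal", "FAIL", f"{iface}: security-mode is not captive-portal"),
        (not web, "FAIL", f"{iface}: security-external-web (portal URL) not set"),
        (web.lower().startswith("http://"), "WARN", f"{iface}: portal URL is http, logins cross the guest VLAN in clear text"),
        (not g(i, "auth-cert"), "WARN", f"{iface}: auth-cert not set, clients get a warning for the built-in certificate"),
        (not g(i, "security-exempt-list"), "FAIL", f"{iface}: security-exempt-list not set (DNS/portal must be reachable before login)"),
        (not g(i, "security-groups"), "FAIL", f"{iface}: security-groups not set"),
        (g(i, "security-mac-auth-bypass") == "enable", "INFO", f"{iface}: MAC-auth bypass on, a cached MAC skips the portal page"),
        (g(v, "local-bridging") != "enable", "FAIL", f"{vap}: local-bridging disabled, traffic would be tunnelled, not bridged"),
        (g(v, "vlanid") != g(i, "vlanid"), "FAIL", f"{vap}: vlanid {g(v, 'vlanid') or '(none)'} != {iface} vlanid {g(i, 'vlanid')}"),
        (sec == "owe" and g(v, "pmf") != "enable", "FAIL", f"{vap}: OWE mandates PMF (802.11w), set pmf enable"),
        (sec == "open", "WARN", f"{vap}: open SSID, no over-the-air encryption; prefer owe"),
        (sec not in ("owe", "open"), "WARN", f"{vap}: security {sec!r} is neither open nor owe"),
        (g(v, "intra-vap-privacy") != "enable", "WARN", f"{vap}: intra-vap-privacy off, guest clients can reach each other"),
    ]
    return [(level, msg) for cond, level, msg in rules if cond]


if __name__ == "__main__":
    for label, text in (("article config", SAMPLE_INTERFACE + SAMPLE_VAP),
                        ("weak VAP", SAMPLE_INTERFACE + WEAK_VAP)):
        print(f"== {label}")
        for level, msg in check_guest_portal(parse_fortios(text), "VLAN41", "Bridge_Guest"):
            print(f"{level:4} {msg}")
```

To run it against a real unit, paste the output of 'show system interface <name>' and 'show wireless-controller vap <name>' into the two strings, or read them from a file. The MAB line is deliberately INFO only: whether MAC caching is acceptable is the policy decision discussed in the note above, not a misconfiguration.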

 

  4. Follow steps 4 and 5 in Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external ...

 

Configuration on the ClearPass policy server:

 

Two services (MAC Caching and Guest Registration) must be configured on the ClearPass Policy Server.

 

  1. Configure the MAC Caching Service as shown below:

vlan41-mac-caching.png

 

  2. Follow steps 2 and 3 under 'Configuration on the ClearPass policy server' in Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external ...

     

  3. Configure Guest Registration as shown here:

     

    guest-auth.png

     

     

Note that the NAS-IP-Address condition is how the service matches requests from the FortiGate: the FortiGate's IP address must be included in the referenced device group.

 

 

  4. Create a Standard Guest Role Mapping Rule:

 

role-mapping-rule.png

 

  5. Create the standard guest enforcement policy, which returns the 'Guest-User' role to the FortiGate and updates the account expiration time. Confirm that the role ClearPass returns maps to the user group referenced by security-groups on the FortiGate interface ('Guest-Users' in the example above):

     

    enforcement-policy.png

     

  6. Configure the guest portal settings as required (sponsor-based registration, SMS delivery, and so on, as usual). For the NAS vendor settings, use the default Fortinet FortiGate:

     

    tunnel-guest-reg.png

     

The 'Custom' NAS vendor settings used previously can still be used, but the FortiGate details must then be added under 'Extra Fields' like this:

 

customize-reg.png

 

Note that the 'Submit URL:' field is the IP or FQDN of the FortiGate guest interface (the same name set in auth-portal-addr). It is highly recommended to use HTTPS on port 1003 for the captive portal so that guest credentials are not sent in clear text; if HTTP is used anyway, the port must be 1000. These are the FortiGate's default captive portal ports.

 

If a different port needs to be configured, change it using the following commands (see also the related article linked below). The port in the ClearPass 'Submit URL' must match whichever value is set here:

 

config system global
    set auth-http-port X <----- default is 1000 for HTTP
    set auth-https-port Y <----- default is 1003 for HTTPS
end

 

Related article:

Technical Tip: Change the captive portal port

 

Troubleshooting commands:

 

diagnose debug reset
diagnose debug disable
diagnose debug application fnbamd -1 <----- fnbamd is the FortiGate authentication daemon; this shows the RADIUS exchange with ClearPass and why a login was accepted or rejected.
diagnose debug enable

Run 'diagnose debug disable' again once the capture is complete. 'diagnose firewall auth list' shows the currently authenticated firewall users and the group they were placed in, which confirms that the role returned by ClearPass matched the expected FortiGate user group.