FortiGate
Kush_Patel
Staff
Article Id 296760
Description

This article describes step-by-step instructions on how to implement a guest network solution based on FortiOS using a bridge mode SSID with HPE Aruba ClearPass version 6.11.6 as a captive portal.

Scope

FortiGate 7.0 and above.

Solution

Configuration on FortiGate:

 

  1. Follow steps 1 and 2 in Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external ...

  2. Create a VLAN41 interface on internal interface port3 (or on any other internal interface intended for the bridge SSID):

    In the GUI:

    (Screenshots: vlan_1.PNG, vlan2.PNG)


In the CLI:

config system interface
    edit "VLAN41"
        set vdom "root"
        set ip 10.10.41.41 255.255.255.0
        set allowaccess ping radius-acct
        set security-mode captive-portal
        set security-mac-auth-bypass enable   <- Allows MAC caching (MAC authentication bypass).
        set security-external-web "fqdn-to-clearpass-guest-portal/guest/pagename.php"   <- URL of the external web server hosting the login page.
        set auth-cert "name-of-ssl-cert"
        set auth-portal-addr "fqdn-to-dns-name-of-fortigate-vlan-ip"
        set security-exempt-list "VLAN41-exempt-list"   <- Must allow HTTP/HTTPS, DNS, etc. so that clients can resolve and reach the ClearPass server, plus any other destinations/services that are allowed before signing on to the guest network.
        set security-groups "Guest-Users"
        set device-identification enable
        set role lan
        set snmp-index 21
        set interface "port3"
        set vlanid 41
    next
end

 

Login/splash page hosted on an external web server:

  • It collects the username and password from the guest user.
  • It submits the credentials directly to the FortiGate via an HTTP POST.
  • When the FortiGate receives the client credentials, it starts the authentication phase.
  • Once the client is authorized, it can access the allowed network.

  

  3. Create the SSID in bridge mode as shown below:

 

In the GUI:

(Screenshot: Bridge-SSID.PNG)


In the CLI:

config wireless-controller vap
    edit "Bridge_Guest"
        set ssid "FortiBridgeGuest"
        set security owe   <- or 'open'; see the note below
        set pmf enable
        set mbo enable
        set local-bridging enable
        set intra-vap-privacy enable
        set schedule "always"
        set vlanid 41
        set probe-resp-suppression enable
        set sticky-client-remove enable
    next
end

 

  • security: Security mode for the wireless interface (open or OWE, Opportunistic Wireless Encryption).
  • pmf: Protected Management Frames (PMF) support (default = disable).
  • mbo: Enable/disable Multiband Operation (default = disable).
  • intra-vap-privacy: Enable/disable blocking of communication between clients on the same SSID (intra-SSID privacy) (default = disable).
  • probe-resp-suppression: Enable/disable probe response suppression, which ignores probe requests from clients with weak signals (default = disable).
  • sticky-client-remove: Enable/disable sticky client removal, which disconnects clients whose signal has become weak so that only clients with good signal levels remain on the SSID (default = disable).

 

Notes:

 

It is recommended to use OWE (Opportunistic Wireless Encryption) on the SSID to enable strong encryption between the wireless client and the access point. However, because not all clients support it, it is also viable to use the Open (unencrypted) option under 'Security Mode Settings'.

 

  4. Follow steps 4 and 5 in Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external ...

 

Configuration on the ClearPass policy server:

 

Two services (MAC Caching and then Guest Registration) must be configured on the ClearPass Policy Server.

 

  1. Configure the MAC Caching service as shown below:

    (Screenshot: vlan41-mac-caching.png)

 

  2. Follow steps 2 and 3 under 'Configuration on the ClearPass policy server' in Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external ...

     

     

  3. Configure Guest Registration as shown here:

    (Screenshot: guest-auth.png)

    Note that NAS-IP-Address is the condition in which the FortiGate is included as a member of the group.

     

     

  4. Create a standard guest role mapping rule:

    (Screenshot: role-mapping-rule.png)

  5. Create the standard guest enforcement policy, which sends the 'Guest-User' role over to the FortiGate and updates the account expiration time:

    (Screenshot: enforcement-policy.png)

     

  6. Configure the guest portal settings as required (for example a sponsor-based portal, SMS delivery, and so on, as usual); for the NAS vendor settings, just use the default Fortinet FortiGate:

    (Screenshot: tunnel-guest-reg.png)

    It is still possible to use the previously used 'Custom' settings, but then the details must be added under the 'Extra Fields' settings like this:

    (Screenshot: customize-reg.png)

    Note that the 'Submit URL:' field is the IP address or FQDN of the FortiGate guest interface. It is highly recommended to use HTTPS on port 1003 for the captive portal. If HTTP is used instead, ensure that the port number is 1000.

     

    If a different port needs to be configured, change it with the following commands (see also the article linked below):

    config system global
        set auth-http-port X    (default value is port 1000 for HTTP)
        set auth-https-port Y   (default value is port 1003 for HTTPS)
    end

    Technical Tip: Change the captive portal port
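The VLAN41 captive-portal settings above and the ClearPass 'Submit URL' (scheme, port and host) have to agree, or credentials either never reach the FortiGate or cross the guest VLAN in clear text. The following is an added Python example, not part of this article and not FortiOS or ClearPass code: it parses a FortiOS CLI dump of the kind shown above and checks it against a Submit URL. It assumes the article's placeholder hostnames, and the rule that the Submit URL host must be the VLAN IP or the auth-portal-addr (so that the certificate in auth-cert matches) is this example's own assumption.

```python
from urllib.parse import urlparse
# Constructed sample: the article's VLAN41 block (annotations removed) and the auth-https-port default.
FGT_CONFIG = """config system interface
    edit "VLAN41"
        set ip 10.10.41.41 255.255.255.0
        set security-mode captive-portal
        set security-mac-auth-bypass enable
        set security-external-web "fqdn-to-clearpass-guest-portal/guest/pagename.php"
        set auth-cert "name-of-ssl-cert"
        set auth-portal-addr "fqdn-to-dns-name-of-fortigate-vlan-ip"
        set security-exempt-list "VLAN41-exempt-list"
        set security-groups "Guest-Users"
    next
end
config system global
    set auth-https-port 1003
end
"""
REQUIRED = ("security-mode", "auth-cert", "auth-portal-addr", "security-exempt-list", "security-external-web", "security-groups")

def parse_fortios(text):
    """Map (section, entry) -> {key: value} for the 'set' lines of a FortiOS CLI dump."""
    out, section, entry = {}, None, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            section, entry = line[7:], ""
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            out.setdefault((section, entry), {})[key] = value.strip('"')
        elif line == "next":
            entry = ""
    return out

def check_captive_portal(text, iface, submit_url):
    """Return findings (empty list = consistent) for one captive-portal VLAN and the ClearPass Submit URL."""
    cfg = parse_fortios(text)
    vlan, glob = cfg.get(("system interface", iface), {}), cfg.get(("system global", ""), {})
    # Captive-portal listener ports; FortiOS defaults per the article are 1000 (http) and 1003 (https).
    ports = {"http": int(glob.get("auth-http-port", 1000)), "https": int(glob.get("auth-https-port", 1003))}
    url = urlparse(submit_url)
    findings = [f"{iface}: missing 'set {k}'" for k in REQUIRED if k not in vlan]
    if url.scheme == "http":  # credentials would cross the guest VLAN unencrypted
        findings.append(f"Submit URL: credentials are posted over plain HTTP; use https on port {ports['https']}")
    if url.port != ports.get(url.scheme):  # wrong port -> the POST never reaches the portal listener
        findings.append(f"Submit URL: port {url.port} does not match the FortiGate {url.scheme} auth port {ports.get(url.scheme)}")
    if url.hostname not in (vlan.get("auth-portal-addr"), vlan.get("ip", "").partition(" ")[0]):
        findings.append(f"Submit URL: host {url.hostname!r} is neither the VLAN IP nor auth-portal-addr (auth-cert must match it)")
    return findings
```

Run it against the output of 'show system interface VLAN41' and 'show system global' from the FortiGate to catch a port or scheme mismatch before clients hit the portal.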

     

Troubleshooting commands (fnbamd is the FortiGate authentication daemon that handles the captive-portal and RADIUS authentication):

diagnose debug reset
diagnose debug disable
diagnose debug application fnbamd -1
diagnose debug enable