FortiGate
aahmadzada
Staff
Article Id 225875
Description

This article describes the FortiOS improvement that allows a separate authentication portal address to be configured per captive-portal interface, instead of a single global address.

Scope

FortiGate v7.0.6 and newer versions.

Solution

Previous versions of FortiOS did not allow configuring multiple addresses for the authentication portal. The address could only be set globally:

 

config firewall auth-portal
    set portal-addr "fgt.test.lab"
end

 

The FQDN matters when the captive portal performs a secure redirect to the FortiGate interface on port 1003 (the default authentication HTTPS port), so that the login page is served over TLS (HTTPS). With an unencrypted HTTP captive portal on FortiGate the FQDN is not required, but some browsers will warn the user that the credentials are about to be transmitted over an insecure connection. Using the encrypted variant avoids that warning, but then the FQDN must be covered by the SubjectAlternativeName of the HTTPS certificate selected in the Authentication settings on FortiGate (config user setting, set auth-cert); otherwise the browser shows a certificate error instead of the login page.

 

Starting from FortiOS 7.0.6, the authentication portal address can also be configured per interface, on each interface whose security-mode is set to captive-portal, using set auth-portal-addr under config system interface.

Example:

 

config system interface
    edit "port2"
        set vdom "root"
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping https http
        set type physical
        set security-mode captive-portal
        set auth-portal-addr "fgt.captive1.test.lab"
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 192.168.200.1 255.255.255.0
        set allowaccess ping
        set type physical
        set security-mode captive-portal
        set auth-portal-addr "fgt.captive2.test.lab"
        set snmp-index 3
    next
end

 

As a result, a captive portal configured on two interfaces can now present a separate authentication portal address on each interface. Each FQDN must resolve, from the clients' point of view, to the IP address of the interface it is configured on, so that the redirect lands on the FortiGate interface the client is actually connected to.

 

Separate authentication portal addresses can be set on SSID interfaces too, as shown below.

 

config wireless-controller vap
    edit "SSID1"
        set ssid "captive1"
        set security captive-portal
        set auth-portal-addr "fgt.captive1.test.lab"
        set schedule "always"
    next
    edit "SSID2"
        set ssid "captive2"
        set security captive-portal
        set auth-portal-addr "fgt.captive2.test.lab"
        set schedule "always"
    next
end
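Two requirements from the sections above are easy to get wrong: every per-interface portal FQDN must be covered by a SubjectAlternativeName on the certificate used for the secure redirect, and each FQDN must resolve to the IP address of its own interface. Wildcard certificates are a common trap, because a dNSName wildcard matches exactly one label, so *.test.lab covers fgt.test.lab but not fgt.captive1.test.lab. The following is an added example, not part of the original article and not FortiOS code: a stand-alone pre-flight check an administrator can run before enabling the encrypted captive portal. The interface and FQDN pairs are taken from the article; the SAN list and the DNS answers are constructed sample data (in practice, extract the SANs from the certificate selected by set auth-cert and resolve the names with the DNS the clients use).

```python
"""Pre-flight check for per-interface captive-portal FQDNs (added example).

Not FortiOS code. The SAN list and DNS answers below are constructed
sample data standing in for the real portal certificate and client DNS.
"""
import ipaddress

# From the article: interface -> (interface IP, auth-portal-addr)
PORTALS = {
    "port2": ("192.168.100.1", "fgt.captive1.test.lab"),
    "port3": ("192.168.200.1", "fgt.captive2.test.lab"),
}

# Constructed: dNSName SAN entries of the HTTPS certificate used by the portal.
# The wildcard covers only one label, so it does NOT cover port3's FQDN.
CERT_SANS = ["fgt.test.lab", "fgt.captive1.test.lab", "*.test.lab"]

# Constructed: what the clients' DNS returns for each portal name.
# fgt.captive2.test.lab deliberately points at port2's address (misconfiguration).
DNS = {
    "fgt.captive1.test.lab": "192.168.100.1",
    "fgt.captive2.test.lab": "192.168.100.1",
}


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125 style dNSName matching: case-insensitive, a wildcard is only
    accepted as the entire leftmost label and matches exactly one label."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    san_rest = san[2:]
    if "*" in san_rest:  # wildcard anywhere but the leftmost label is invalid
        return False
    host_labels = hostname.split(".")
    if len(host_labels) < 2 or host_labels[0] == "":
        return False
    return ".".join(host_labels[1:]) == san_rest


def covered_by_cert(hostname: str, sans) -> bool:
    """True if at least one SAN entry covers the hostname."""
    return any(san_matches(san, hostname) for san in sans)


def check_portals(portals, sans, dns):
    """Return {interface: [problem, ...]}; an empty list means the portal
    address on that interface satisfies both requirements."""
    report = {}
    for ifname, (if_ip, fqdn) in portals.items():
        issues = []
        if not covered_by_cert(fqdn, sans):
            issues.append(f"{fqdn} is not covered by any SAN on the portal certificate")
        resolved = dns.get(fqdn)
        if resolved is None:
            issues.append(f"{fqdn} does not resolve for clients")
        elif ipaddress.ip_address(resolved) != ipaddress.ip_address(if_ip):
            issues.append(f"{fqdn} resolves to {resolved}, not to {ifname}'s IP {if_ip}")
        report[ifname] = issues
    return report


if __name__ == "__main__":
    for ifname, issues in check_portals(PORTALS, CERT_SANS, DNS).items():
        status = "OK" if not issues else "PROBLEM"
        print(f"{ifname}: {status}")
        for issue in issues:
            print(f"  - {issue}")
```

With the constructed data, port2 passes both checks while port3 is flagged twice: its FQDN is not covered by the certificate (the wildcard is one label short) and it resolves to the wrong interface address, so the browser would either raise a certificate error or be redirected to an interface the client cannot reach.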