JaskiratM
Staff
Article Id 227196

Description

 

This article describes how to point the same FQDN to two or more SSID captive portals that have different interface IPs. End users will see only the FQDN as the captive portal address, instead of the interface IP, on each of the SSIDs deployed in the network.

 

Scope

 

A FortiGate with a managed FortiAP connected to the unit and two tunnel-mode SSIDs configured (testcaptive and testcaptive2). Both SSIDs have a captive portal for authentication, with different interface IPs resolving to the same FQDN.

SSID            INTERFACE IP
TestCaptive     192.164.1.1
TestCaptive2    192.168.144.1

 

Solution

 

1) Set up the firewall auth-portal address from the CLI of the FortiGate:

# config firewall auth-portal
    set portal-addr "portal.example.org"
end

2) Set up the SSIDs in the WiFi and Switch Controller section. Follow the article below to configure the SSIDs.

 

https://docs.fortinet.com/document/fortiap/7.2.1/fortiwifi-and-fortiap-configuration-guide/292926/ca...

 

3) Once the SSIDs are created, make sure the DNS Server option under DHCP Server is set to 'Same as Interface IP'.

 

JaskiratM_0-1666192800225.png

 

4) In the Security Mode settings of the SSIDs, the authentication type can be Local or External, with a user group defined if needed.

 

JaskiratM_1-1666192825961.png

 

5) Enable the DNS database in Feature Visibility if it is not already enabled: open System -> Feature Visibility and enable DNS Database. Then go to Network -> DNS Servers and set up the DNS service on the interface: select 'Create New', select the interface, and set the mode to Recursive.

JaskiratM_2-1666192841781.png

 

Repeat this for the other SSID (or SSIDs, if more than one is present).

 

JaskiratM_3-1666192841782.png

 

6) Add the entry for 'portal.example.org' to the DNS database. Select Network -> DNS Servers -> DNS Database -> Create New and fill out the DNS zone details as below:

 

JaskiratM_4-1666192874911.png

 

Add two entries, one for each SSID interface IP. Select 'Create New' under DNS database and fill out the details as follows:

 

JaskiratM_5-1666192874912.png

 

Repeat the same for the interface IP of the other SSID:

 

JaskiratM_6-1666192901597.png

 

7) When connected to either of the SSIDs (testcaptive and testcaptive2), the authentication page should show portal.example.org in both cases:

 

Output when connecting to testcaptive:

 

JaskiratM_7-1666192901602.jpeg

 

Output when connecting to testcaptive2:

 

JaskiratM_8-1666192926752.jpeg
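The DNS settings from steps 5 and 6 expressed as FortiOS CLI, as an added example that is not part of the original article. It assumes that the SSID interface names match the SSID names (testcaptive, testcaptive2), uses a hypothetical zone name "portal-zone" for the domain example.org, and takes the interface IPs from the table under Scope.

```fortios
# Added example, not from the original article. Assumed values: interface
# names testcaptive / testcaptive2, zone name "portal-zone" (hypothetical),
# domain example.org. Interface IPs are the ones listed under Scope.

# Step 5: DNS service on each SSID interface, recursive mode
config system dns-server
    edit "testcaptive"
        set mode recursive
    next
    edit "testcaptive2"
        set mode recursive
    next
end

# Step 6: one zone with two A records for the same hostname,
# one per SSID interface IP
config system dns-database
    edit "portal-zone"
        set domain "example.org"
        config dns-entry
            edit 1
                set type A
                set hostname "portal"
                set ip 192.164.1.1
            next
            edit 2
                set type A
                set hostname "portal"
                set ip 192.168.144.1
            next
        end
    next
end
```

Running `show system dns-database` afterwards should list both A entries under the zone.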

 

Related document:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/15882/creating-an-ssid
