| Description | This article describes how to use FortiNAC-F Captive Portal with Entra ID SSO. |
| Scope | FortiNAC-F and Entra ID. |
| Solution |
This article assumes that the basic configuration of FortiNAC-F has been completed.
FortiNAC-F: Under Network -> Service Connectors, select Create New, and select User SAML SSO. Under Basics, enter the Name for the Service Connector. Under Service Provider Settings, Download the SP Metadata File.
Entra ID: Under Enterprise applications, select New application, select Create the application, enter the Name for the application, and select Create.
Under Overview, select Assign users and groups, select Add user/group, select None Selected, select users and/or groups, and select Assign.
Under Overview, select Set up single sign-on, select SAML, select Upload metadata file, select the previously downloaded SP Metadata File, and select Add.
Copy the Reply URL at Index 0 to Sign on URL (Optional), and select Save.
Under Attributes & Claims, select Edit, select Add a group claim, select All groups, and select Save. With this claim, Entra ID includes the Object ID of every group the user belongs to in the assertion; the optional group mapping later in this article matches on those Object IDs. Note that if a user belongs to more than 150 groups, Entra ID emits a group overage claim instead of the list and no mapping will match, so in that case scope the claim to the groups assigned to the application.
Under SAML Certificates, download Federation Metadata XML.
FortiNAC-F: Under Identity Provider Settings, select Choose File, select the previously downloaded Federation Metadata XML, select Upload, and select the IDP Certificate.
Under Attribute Mapping, select username, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name for IdP Attribute Name, and select OK.
Select Create New, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname for IdP Attribute Name, select Last Name for FortiNAC Attribute Name, and select OK.
Select Create New, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname for IdP Attribute Name, select First Name for FortiNAC Attribute Name, and select OK.
Note that the User ID attribute is mandatory; however, all other attributes are optional. Add additional attributes if required.
Select OK to complete the configuration of the Service Connector.
Under Portal -> Portal Configuration, select Portal, select Configuration, select Global, select Global Properties, and select Settings. Under Login Type Options, select the previously created Service Connector for Standard User Login Type, and select Save.
Note that other customizations can be made to the captive portal if required.
Under System -> Settings -> Control -> Allowed Domains, select Add Domain, add each of the following domains, select OK, and select Save Settings.
Allowed Domains are the names an isolated host is still permitted to resolve and reach while it is held in the captive portal, so every domain the Entra ID sign-in page loads must be listed or the login will not complete. Other domains or subdomains can be added to the Allowed Domains if required. To find out which names a host is requesting, run execute tcpdump -vi port2 host <isolated-host-ip-address> and port 53 on the FortiNAC-F CLI; this captures the DNS traffic between the isolated host and the FortiNAC-F port2 interface, and any name that is queried but not yet allowed needs to be added.
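The following is an added example and not FortiNAC-F or Fortinet code: it pulls the DNS names an isolated host queried out of the output of the tcpdump command above, so that they can be reviewed and added under Allowed Domains. The tcpdump lines are a constructed sample; the IP addresses and the domain names in them are assumptions for the example and are not the list of domains the article refers to.

```python
# Added example (not FortiNAC-F or Fortinet code): extract the names an isolated host
# queried from "execute tcpdump -vi port2 host <ip> and port 53" output.
import re

# tcpdump -v prints the IP header on one line and the DNS payload on the next. A query
# line looks like "<src>.<port> > <dns>.53: <id>+ A? <name>. (<len>)". Only queries
# (the "?") match; response lines do not.
QUERY_LINE = re.compile(
    r"^\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > \S+\.53: .*?"
    r"\b(?P<type>A|AAAA)\? (?P<name>[A-Za-z0-9._-]+)\. \(\d+\)"
)

# Constructed sample capture; addresses and names are assumptions, not real data.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 71)
    192.0.2.50.51234 > 192.0.2.1.53: 4711+ A? login.microsoftonline.com. (43)
12:00:01.000500 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 87)
    192.0.2.1.53 > 192.0.2.50.51234: 4711 1/0/0 login.microsoftonline.com. A 198.51.100.10 (59)
12:00:01.200000 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto UDP (17), length 71)
    192.0.2.50.51235 > 192.0.2.1.53: 4712+ AAAA? login.microsoftonline.com. (43)
12:00:02.000000 IP (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto UDP (17), length 66)
    192.0.2.50.51236 > 192.0.2.1.53: 4713+ A? aadcdn.msftauth.net. (38)
"""


def queried_domains(tcpdump_output, client_ip=None):
    """Return the sorted, de-duplicated FQDNs queried in the capture.

    If client_ip is given, only queries sent by that host are counted, which keeps
    a capture that was not already filtered on "host <ip>" from mixing in other
    isolated hosts.
    """
    names = set()
    for line in tcpdump_output.splitlines():
        m = QUERY_LINE.search(line)
        if not m:
            continue
        if client_ip is not None and m.group("src") != client_ip:
            continue
        names.add(m.group("name").lower())
    return sorted(names)


if __name__ == "__main__":
    for name in queried_domains(SAMPLE_TCPDUMP, client_ip="192.0.2.50"):
        print(name)
```

Compare the printed names against the Allowed Domains list; a name that appears here and is missing there is the usual reason an Entra ID login page loads partially or not at all from the captive portal.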
Rogue Device: On the Captive Portal, select User, enter Entra ID credentials, and select Continue to register the rogue device.
FortiNAC-F: Under Users & Hosts -> User Accounts, verify that the user account is created with the type SSO User and that any previously configured user attributes are present.
(Optional) User Group Assignment.
Entra ID: Under Microsoft Entra ID, select Groups, select All groups, search for a group that the user is a member of, and copy the Object ID.
FortiNAC-F: Under System -> Groups, select Add, enter a Name, select User for Member Type, and select OK.
Under Network -> Service Connectors, select the previously created Service Connector. Under User Group Assignment, enable Custom User Group Mapping, enter http://schemas.microsoft.com/ws/2008/06/identity/claims/groups for IdP Attribute Name, select Create New, select the previously created local user group for User Group, enter the previously copied Object ID for IdP Attribute Value, and select OK.
Select OK to update the configuration of the Service Connector.
Under Users & Hosts -> User Accounts, select the previously created user account, select Delete, and select Yes to deregister the device.
Rogue Device: On the Captive Portal, select User, enter Entra ID credentials, and select Continue to reregister the rogue device.
FortiNAC-F: Under System -> Groups, verify that the user is assigned to the group.
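To make the Attribute Mapping and the Custom User Group Mapping above concrete, the following added example (not FortiNAC-F or Fortinet code) applies the same claim-to-attribute mapping and group Object ID mapping to a SAML assertion and builds the user record FortiNAC-F ends up with. The assertion, the group Object IDs and the local group name are constructed sample values; the example also assumes the assertion signature has already been validated against the IDP Certificate, which FortiNAC-F does before trusting any claim.

```python
# Added example (not FortiNAC-F or Fortinet code): map Entra ID SAML claims to FortiNAC
# user attributes and local user groups as configured in the Service Connector.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute Mapping from the Service Connector (IdP Attribute Name -> FortiNAC Attribute Name).
ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "username",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "First Name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Last Name",
}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Custom User Group Mapping (IdP Attribute Value = Entra group Object ID -> local user group).
# Both the Object ID and the group name are assumptions for this example.
GROUP_MAP = {
    "11111111-2222-3333-4444-555555555555": "Entra-Staff",
}

# Constructed sample assertion. Only the AttributeStatement matters here; a real assertion
# also carries a Signature that must be verified against the IDP Certificate first, and this
# example assumes that check has already passed. Untrusted XML should be parsed with
# defusedxml rather than the stdlib parser; ElementTree is used here for brevity.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_example">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>99999999-8888-7777-6666-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_claims(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def map_user(claims):
    """Build the FortiNAC user record: mapped attributes plus matched local groups."""
    user = {}
    for idp_name, nac_name in ATTRIBUTE_MAP.items():
        values = claims.get(idp_name)
        if values:
            user[nac_name] = values[0]
    if "username" not in user:
        # The User ID attribute is mandatory; every other attribute is optional.
        raise ValueError("assertion carries no User ID (username) claim")
    # Group Object IDs without a mapping are ignored; no local group is created on the fly.
    user["groups"] = sorted(
        {GROUP_MAP[g] for g in claims.get(GROUPS_CLAIM, []) if g in GROUP_MAP}
    )
    return user


if __name__ == "__main__":
    print(map_user(parse_claims(SAMPLE_ASSERTION)))
```

The second group Object ID in the sample has no entry in GROUP_MAP and is dropped, which is the behaviour to expect from the Custom User Group Mapping: only groups with an explicit IdP Attribute Value to User Group entry produce a membership on FortiNAC-F.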
(Optional) SP Certificate.
FortiNAC-F: Under System -> Certificate Management, select Generate CSR, select New SAML Target for Certificate Target, and populate the fields accordingly to create a SAML certificate target.
Either submit the CSR to a CA to sign and upload the certificate, or copy a certificate from an existing certificate target to the previously created SAML certificate target.
Note that for 1+1 high-availability deployments, the SAML certificate target and certificate must be present on both the active and standby appliances.
Under Network -> Service Connectors, select the previously created Service Connector, enable SP Certificate, select the previously created SAML certificate, select Download, and select OK.
Entra ID: Under Enterprise applications, select the previously created application and select Set up single sign-on. Under SAML Certificates, select Edit for Verification certificates (optional), select Require verification certificates, select Upload certificate, select the previously downloaded SAML certificate, select OK, and select Save. Once this is enabled, Entra ID rejects any authentication request that is not signed with the uploaded certificate, so when the SP certificate is renewed on FortiNAC-F the new certificate must be uploaded here before the old one expires.
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.