Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SecurityPlus
Contributor II

Captive Portal / Password Requirement

We have a hotel that wants to use a captive portal on an interface so that the user needs to agree to terms and conditions before using the internet. We see how to set this up.

 

The hotel would also like to limit this access to users that have been given a password. The hotel does not want to have to create usernames/passwords for each person, but would instead like a generic password that all users would enter to use the network. They would like to change this password twice a year.

 

Is this possible? If so how would this be accomplished?

10 REPLIES 10
Toshi_Esumi
SuperUser
SuperUser

Check below. I used captive portal only for WiFi so far but seems to work on an interface as well.

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/CaptivePortals.htm

 

SecurityPlus

Thank you. We will continue to work through the setup and testing.

 

This customer does not use FortiWiFi WAP's. They use older Netgear wireless access points in the hotel rooms. All are set to the same SSID's and all connected via a switch to the same FortiGate interface. Do you think that this will work for both the wired and wireless connections? I'm wondering if the wireless connections will appear to be wired connections by the time they get to the FortiGate since all the wireless issues are taken care of by the Netgear WAP's?

Toshi_Esumi

With the current WiFi connection, the users need to type WAP PSK to get on WiFi then once they opened a browser they will see a FG's captive portal. Theoretically, if you could separate interfaces at FG, physical ports or VLANs, you would have an option not to set captive portal on the interface WiFi routers are connected to, so that WiFi users need to enter only WAP PSK, while wired users user a captive portal.

SecurityPlus

An additional question. When logging in from a Mac computer that does not have the Fortinet certificate installed on it, we sometimes get a certificate warning saying that the certificate is not trusted. Maybe other computer would react the same way but most of the computers we have tested with have the certificate already installed. As this if for hotel guests, we don't have the luxury of installing the self sighed client on all the computers.

 

We are only doing basic anti-virus inspection and I don't think that SSL inspection is turned on. If we go to an http website first there is no issue. If we though go to an https website first we often encounter the security warning. Since more and more websites are https this is a problem.

 

Is there any way to avoid this warning? Would installing a commercial certificate on the FortiGate prevent this issue? Thanks.

 

SecurityPlus

Toshi,

 

You mentioned that "With the current WiFi connection, the users need to type WAP PSK". Actually the wireless is currently open, no password is needed to access it. The hotel would like to require a password and to show the user a terms and conditions page via captive portal. We modified the captive portal username/password page to include the terms and conditions.

Baptiste

Hi

If you want to redirect to FGT portal without certificate warning, you have to buy a certificate.

If you want to use Wifi and wired connection, look at this post :

https://forum.fortinet.com/FindPost/152165

in summary, you can use captive portal mode (set on interface) only is you use one interface or if you use an external captive portal.

If you want FGT to act as captive portal on several interface, you have to configure each policy that need redirection.

 

config firewall policy edit <my_policy_ID> set auth-redirect-addr " my.fortigate.com" next end

 

2 FGT 100D  + FTK200

3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E

2 FGT 100D + FTK200 3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
immanuel_dahunsi

Hi 

 

Top of the morning to you.

 

We have a similar deployment at the moment.

 

Please how did you implement this?

 

Please can you also share your sample code?

 

Kind regards,

 

Many Thanks,

 

 

mikeraut

I have the same problem as 'SecurityPlus"

Client get frustrated as most users use a https:// as a landing/opening page

fcb

I know this thread is kind of old but we are dealing with same issue... We have various folks trying to hit an interface (a VLAN) with captive portal enabled but since not everyone has a valid SSL installed on their browser there are cert warnings.

 

I know when I go to a hotel and hit the WiFi I get redirected to a page (no cert warning) no matter what I type into my browser. How do they get away with this since I obviously do not have their cert installed in my browser?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors