Hi,
I'm trying to do a FortiAP implementation where there is a hotspot SSID with Captive Portal authentication.
The requested design is that Cisco ISE should provide the Hotspot portal for clients.
Did someone implement this design? Could it work?
I found some documentation where there is a config example for that, but it didn't work for me.
My config is based on that, but it didn't work for me:
    config wireless-controller vap
        edit wifi-cap
            set ssid "fortinet-guest"
            set security captive-portal
            set external-web "https://<ISE_Portal>:8443/portal/g?p=jN9z47goOJg75HpaXxV8WZPQgd"
            set radius-mac-auth enable
            set radius-mac-auth-server "ISE"
            set radius-mac-auth-usergroups "AuthorizedGuest"
            set local-bridging enable
            set portal-type external-macauth
            set schedule "always"
        next
    end
Or the config from FortiGate side is only that, and we should look at ISE side?
Thank you!
Hello,
Yes, that's true, RADIUS is RADIUS, but I don't really know how to do the redirection for the client.
Some vendors accept the Cisco-specific "cisco-av-pair = url-redirect" attribute, but FortiGate doesn't accept that. The documents say to use the `set external-web "url"` command under the FortiGate's SSID configuration, but ISE uses a different URL per session, so it doesn't sound like a great solution.
So that's why I don't see the solution for that yet.
Hi @istvanmarlok,
Can you provide more details about what is not working? Users are not able to connect? Authenticate? Can't see the ISE portal?
Regards,
Hello,
User can connect, but after connection it doesn't get the portal.
Regards
Istvan
You can follow the guide here that shows the configuration in FGT when FAC is used as portal/RADIUS server. Pay attention to Exempt destinations and NAT. If the configurations are done properly the end host should be able to open the external portal provided by ISE and try to login.
There is another configuration that needs to be done in ISE to intercept and respond properly (steps 5 & 7 taken from the FAC flow) in order for the authentication to happen.
OK, thank you, I'm going to try it.
Hello, any luck with this? We are trying the same and Fortinet support is not really helping...
Hi,
Unfortunately I can't solve it with ISE. As a workaround I did a captive portal on FortiGate.
Same issue for me: after logging in to the ISE Captive Portal, no internet access. Please share if anyone has a solution.
From the workflow I've shared above, it looks like the process is stuck at step 6. You have to check in ISE whether it allows the configuration of step 7 (redirect the end host browser to the FGT portal) with the information that FGT has sent in step 5.
After portal login in ISE, another login should be triggered in the FGT (after portal redirection) that is converted to a RADIUS authentication in step 8. The RADIUS authentication response will allow network access (VLAN change) for the end host.