Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
istvanmarlok
New Contributor III

Captive Portal provided by Cisco ISE for FortiAP

Hi,

 

I'm trying to do a FortiAP implementation where there is a hotspot ssid with Captive Portal authentication. 

The requested design is that Cisco ISE should provide the Hotspot portal for clients.

Did someone implement this design? Could it work?

I find some documentation where there is a config example for that but it didn't work for me.

My config is based on that, but it didn't work for me:

config wireless-controller vap
  edit wifi-cap
    set ssid "fortinet-guest"
    set security captive-portal
    set external-web "https://<ISE_Portal>:8443/portal/g?p=jN9z47goOJg75HpaXxV8WZPQgd"
    set radius-mac-auth enable
    set radius-mac-auth-server "ISE"
    set radius-mac-auth-usergroups "AuthorizedGuest"
    set local-bridging enable
    set portal-type external-macauth
    set schedule "always"
  next

 Or the config from FortiGate side is only that, and we should look at ISE side?

 

Thank you!

10 REPLIES 10
istvanmarlok
New Contributor III

Hello,

 

Yes, thats true radius is radius, but I don't really know how to do the redirection for client.

Some vendors accepts the Cisco specific "cisco-av-pair = url-redirect" attribute but FortiGate doesn't accept that. Documents said that use the "set external web "url" " command below the FortiGates SSID configuration, but ISE uses per session other URL, so it doesn't sounds a great solution. 

So thatswhy I don't see the solution for that yet..

hbac
Staff
Staff

Hi @istvanmarlok

 

Can you provide more details about what is not working? Users are not able to connect? authenticate? can't see ISE the portal? 

 

Regards, 

istvanmarlok
New Contributor III

Hello,

 

User can connect, but after connection it doesn't get the portal. 

 

Regards

Istvan

ebilcari
Staff
Staff

You can follow the guide here that shows the  configuration in FGT when FAC is used as portal/RADIUS server. Pay attention to Exempt destinations and NAT. If the configurations are done properly the end host should be able to open the external portal provided by ISE and try to login.

 

There is another configuration that need to be done in ISE to intercept and respond properly (step 5&7 taken from FAC flow) in order for the authentication to happen.

steps.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
istvanmarlok
New Contributor III

Ok, thank you I'm going to try it.

SVB

Hello, any luck with this? We are trying the same and Fortinet support is not really helping...

istvanmarlok
New Contributor III

Hi,

 

Unfortunatelly I can't solve it with ISE. As a workaround I did a captive portal on Fortigate.

hkjack
New Contributor

Same issue for me, after login ISE Captive Portal, no internet access. Please share if anyone have solution.

ebilcari

From the workflow I've shared above it looks like the process is stuck at step 6. You have to check in ISE, if it allows to do the configurations of step 7 (redirect the end host browser to FGT portal) with the information that FGT have sent in step 5.

After portal login in ISE, another login should be triggered in the FGT (after porta redirection) that is converted to a RADIUS authentication step 8. The RADIUS authentication response will allow network access (VLAN change) for the end host.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors