JakeBlues

Captive portal for wifi guest access

Hi,

 

I have a FortiGate 80F with FortiAP P433AP.

I've already successfully set up an SSID local bridge for the colleagues in the office.

 

Right now I'd like to create a guest SSID with captive portal authentication.

I've created the SSID, type tunnel, on a network that's different from lan (192.168.2.0/24) but from now on I'm lost.

 

I've some questions:

 

1) Where are the menu options to set captive portal pages?

2) Assuming that my FortiGate is 192.168.1.254, what is the URL to access captive portal?

3) I'd like to have a captive portal where the secretary creates users upon request. How do I do that?

4) Are there some docs showing me how to proceed?

 

Thanks

Markus_M
Staff

Hi Jake,

 

that might be a bit limited to have a captive portal on the FortiGate directly.

The "replacement messages" contain the pages which you can replace/adapt.

The URL to the captive portal, if hosted on the FortiGate, is not interesting. The clients' browsers, and even the OS, do background captive portal detection with unencrypted HTTP pages, for example http://detectportal.firefox.com. In a correct flow, this causes:

1) DNS query for the external IP

2) HTTP request to the external IP

3) FortiGate will block this request and send an HTTP 303 or 302 to the client with the content of the captive portal URL (its own interface IP with port 1000 (HTTP) or port 1003 (HTTPS)) - alternatively you can configure an FQDN for this (config firewall auth-portal).

4) DNS query for the FortiGate FQDN (if defined)

5) HTTP request to the IP - captive portal open

6) authenticate and/or accept disclaimer

7) Pass through with your user group or accepted disclaimer. The users will be visible with groups in the users' dashboard on GUI (or CLI "diag firewall auth list")

 

If you use an auth-portal address it is also crucial that your client is able to resolve the FQDN that you provide there, otherwise 4) will fail.

 

It is important that you allow DNS for the end user to fulfill 1).

Either exempt the service DNS, or create a guest Wi-Fi > Internet policy with service DNS and the CLI-only option "set captive-portal-exempt enable".

 

Best regards,

 

Markus
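
Added example (not part of Markus's reply and not Fortinet code): a small offline checker that takes what a guest client received for its plain-HTTP detection probe and reports which step of the flow above failed. The function name, sample addresses, hostnames and the `/login` path are assumptions made up for illustration; only the 302/303 redirect and ports 1000/1003 come from the reply.

```python
import ipaddress
from urllib.parse import urlsplit

# Portal ports named in the reply: 1000 for HTTP, 1003 for HTTPS.
PORTAL_PORTS = {1000: "http", 1003: "https"}

def diagnose_probe(status, headers, resolve):
    """Check one captive-portal detection probe result against the flow above.

    status  -- HTTP status the client received, or None if the probe got no answer
    headers -- response headers as a dict
    resolve -- callable(hostname) -> IP string or None (injected, so no network needed)
    Returns (ok, message).
    """
    if status is None:
        return False, "no response: is DNS allowed for guests before login? (step 1)"
    if status not in (302, 303):
        return False, f"status {status}: probe was not redirected (step 3)"
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if not location:
        return False, "redirect has no Location header (step 3)"
    url = urlsplit(location)
    try:
        port = url.port
    except ValueError:
        return False, "Location has an invalid port (step 3)"
    if PORTAL_PORTS.get(port) != url.scheme:
        return False, f"unexpected portal target {url.scheme}:{port} (step 3)"
    host = url.hostname
    try:
        ipaddress.ip_address(host)
        return True, f"portal at interface IP {host}, port {port}"
    except ValueError:
        pass  # not an IP literal, so it is an FQDN the client must resolve
    if resolve(host) is None:
        return False, f"client cannot resolve portal FQDN {host} (step 4)"
    return True, f"portal at {host}, port {port}"

# Constructed sample data: addresses and names are placeholders, not from the thread.
SAMPLE_DNS = {"portal.example.com": "192.0.2.1"}
SAMPLES = [
    (303, {"Location": "http://192.0.2.1:1000/login"}),
    (302, {"Location": "https://portal.example.com:1003/login"}),
    (302, {"Location": "https://guest.example.net:1003/login"}),
    (200, {}),
    (None, {}),
]

if __name__ == "__main__":
    for status, headers in SAMPLES:
        print(status, diagnose_probe(status, headers, SAMPLE_DNS.get))
```
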

JakeBlues

Hi Markus,

thanks for your answer.

 

What I need is what Cisco calls a lobby portal, i.e. a portal where the receptionist can create access credentials for guests with, say, a duration of 1 day.

 

Is it something possible with fortigate captive portal or do I need a different solution? Which one do you suggest?

 

Thanks

Debbie_FTNT

Dear Jake,

you can set up guest management on FortiGate, and create an admin that is restricted to generating guest users (for the receptionist for example).

These guest accounts can be created with an expiry, and added to a user group - if that user group is associated with the captive portal, then the guest users should be able to log into the portal with the guest credentials generated by the guest admin.

You can find some additional details here for example:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/822490/managing-guest-access

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++