Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Zeihold_von_SSL
New Contributor

Different features for Captive Portal (wifi/lan)?

Dear Community,

 

a few days ago, I wanted to clean up some old config settings on our fortigate cluster.

 

Right now, we have a zone for guest access. In this zone, we have two members.

 

One vap (guest ssid; tunnel to wireless controller) interface with a captive portal + disclaimer. So you have to accept the terms of use and then enter valid user credentials to get access.

 

And then we have a vlan interface where all clients who do not successfully authenticate via 802.1x are thrown into.

 

What I tried to do is, that I delete the existing vap and create a new one (guest ssid;local bridge with FortiAP's interface) with security mode "open" and the optional vlan field set to vlan id of the guest lan.

 

Then I wanted to change the security mode of the guest lan (vlan) interface from "none" to "captive portal".

 

But unfortunately, the lan captive portal does not "know" of the "advanced" options of the wifi captive portal.

 

So there is only the (default) option "authentication" but no "disclaimer+authentication" or "disclaimer only" or "email collection".

 

So I wondered, is this intentional or am I just blind to find these options? Because I would really like to use the same captive portal options on lan and wifi.

Regards Rene ---

[size="1"]FCNSA.v5, FCNSP.v5, FCESP[/size]

Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B

Regards Rene --- [size="1"]FCNSA.v5, FCNSP.v5, FCESP[/size] Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B
6 REPLIES 6
xsilver_FTNT
Staff
Staff

quite important is what FortiOS you are running, check release notes or What's new on docs.fortinet.com because in authentication area there are huge changes between 4.3 vs 5.0 vs 5.2  and especially in guest/unauthenticated users handling.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Zeihold_von_SSL
New Contributor

That is why I set the flag for 5.2. ;)

 

I use FortiOS 5.2.2.

Regards Rene ---

[size="1"]FCNSA.v5, FCNSP.v5, FCESP[/size]

Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B

Regards Rene --- [size="1"]FCNSA.v5, FCNSP.v5, FCESP[/size] Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B
vmartin_FTNT
Staff
Staff

The Captive Portal types are a new feature that was added in FortiOS 5.2. These types are currently only available for wireless interfaces.

 

You can change the type of portal that appears on the lan interface by selecting Customize Portal Messages. This would allow you to set up the disclaimer to appear for users connecting to the lan.

Technical Writer, FortiOS

Let me know if there's anything you want to see added to the FortiGate Cookbook.

Zeihold_von_SSL
New Contributor

That is simply not true! The disclaimer types "authentication", "disclaimer only" and "email collection" are new, that is right.

But the disclaimer type "disclaimer+authentication" was the (only) default type since the captive portal feature was introduced.

 

With FortiOS 5.2, the disclaimer type "authentication" is the default (both lan and wifi).

 

My intention is, that guests see a captive portal page with a disclaimer/terms of use. If they accept the terms of use, they are allowed to enter their guest credentials and therefore allowed to access the internet (if the credentials are correct!).

 

But I'am not sure if this is possible with a custom portal message. At least I don't know how to achieve that.

 

Bye the way, are there any intentions to make these new disclaimer types available for lan as well?

Regards Rene ---

[size="1"]FCNSA.v5, FCNSP.v5, FCESP[/size]

Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B

Regards Rene --- [size="1"]FCNSA.v5, FCNSP.v5, FCESP[/size] Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B
vmartin_FTNT
Staff
Staff

If you read the What's New for 5.2, it talks about all the changes made to Captive Portal. Another one of the changes is that the captive portal-specific replacement messages have been removed and now authentication replacement messages are used for portals. This, I believe, is why the options you had for the lan in 5.0 no longer appear in 5.2.

Technical Writer, FortiOS

Let me know if there's anything you want to see added to the FortiGate Cookbook.

Zeihold_von_SSL
New Contributor

That might be an explanation why 5.2 handles things other than 5.0, but it does not explain why things are handled different on lan and wifi (and if there are any intentions to handle them in the same way in future releases). And my problem still exists. I'am not able (at least I can't figure out how) to present the my guest users a disclaimer (that has to be accepted) before allowing them to type in their credentials.

Regards Rene ---

[size="1"]FCNSA.v5, FCNSP.v5, FCESP[/size]

Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B

Regards Rene --- [size="1"]FCNSA.v5, FCNSP.v5, FCESP[/size] Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B
Labels
Top Kudoed Authors