Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lincoweb
New Contributor II

Need help setting up FortiNAC as External Captive Portal for Bridged Guest SSID created in FortiGate

Hi Guys,

I am having some issues understanding how to configure FortiNAC to authenticate and grant access to guest/contractor users connecting via a guest SSID created on FortiGate.

This is what I have set up already:

  • FortiNAC has FortiGate in the Network-->Inventory container (SNMP v3c and SSH v2 connections configured)
  • FortiNAC running both local and proxying RADIUS to enterprise Server
  • FortiNAC connected to security Fabric
  • Bridge mode SSID created in FortiGate using external authentication captive portal pointing to FortiNAC URL
  • FortiNAC configured for Guest Self Registration (guests can also be created locally by admin/sponsors)

I simply want guest users connecting to the SSID to be authenticated by FortiNAC and be granted access to the wireless network so they can browse the internet. I can't seem to find any configuration examples for this. I see documents speaking to creating Logical Networks etc. The term Model Configuration also comes up, but I don't see this tab for the FortiGate in the Network -> Inventory view. I've been struggling with this for months. Please help.

lincoweb
New Contributor II

Had to turn on 'Open SSID' feature in 'Feature Visibility' section.

ebilcari

In order to use an open SSID you have to enable it as a feature in FGT: System> Feature Visibility> [ Wireless Open Security ].

You can also manually set the security for a specific SSID from the CLI (# set security open), but the GUI is the easiest step.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
lincoweb
New Contributor II

So I was able to set the SSID as open. I set the Optional VLAN ID to the isolation VLAN created on the FortiLink, which is on the same network as the FortiNAC eth1 interface. So when the user associates, they get an IP from FortiNAC and are redirected to the portal. The client is able to self-register, and the sponsor gets the request and approves it successfully. Credentials are sent to the user on the portal page and they authenticate successfully, getting the success message.

However, after the progress bar reaches 100%, a message pops up saying 'Failed to detect a change in your network settings, retrying...'. Can someone walk me through an example Network Access Policy for this scenario I'm trying to achieve?

PS. I did find this document. https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Captive-Portal-Registration-Failed-to-detec...

Made the changes, but it doesn't seem to have any effect.

ebilcari
Staff

This error is related to the VLAN change and CoA. The SSID should have been configured in advance with the registration and production VLANs. After a successful user login, FNAC should respond with the production VLAN and a CoA request to bounce the end host to the new VLAN, done via RADIUS.

For this, on the FGT you have to add this command under the RADIUS server configuration:

config user radius
    edit "FNAC"
        set radius-coa enable
    next
end
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
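The CoA exchange described in the reply above, as an added example that is not from this thread or from Fortinet: it builds the RFC 5176 CoA-Request a RADIUS server such as FNAC sends to move one client (identified by MAC) to the production VLAN via the RFC 2868 tunnel attributes, shows the code, length and authenticator checks a NAS performs before honouring such a request, and builds the CoA-ACK/NAK reply. The shared secret, MAC address and VLAN 20 are constructed values.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45                       # RFC 5176 packet codes
CALLING_STATION_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 31, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6                  # RFC 2868 values

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def vlan_change_attrs(client_mac: str, vlan_id: int) -> bytes:
    """Attributes that move the client identified by MAC to vlan_id (tunnel attributes use tag 0)."""
    return b"".join([
        attr(CALLING_STATION_ID, client_mac.encode()),
        attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)),  # leading zero byte is the tag
        attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)),
        attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode()),
    ])

def build_coa_request(secret: bytes, identifier: int, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def verify_coa_request(secret: bytes, packet: bytes) -> bool:
    """What the NAS checks before acting: code, declared length and authenticator must all match."""
    if len(packet) < 20 or packet[0] != COA_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def requested_vlan(packet: bytes) -> "int | None":
    """VLAN carried in Tunnel-Private-Group-Id, or None if the attribute is absent."""
    i, attrs = 0, packet[20:]
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute list")
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            value = attrs[i + 2:i + alen]
            return int(value[1:] if value and value[0] <= 0x1F else value)  # drop the tag byte
        i += alen
    return None

def build_coa_response(secret: bytes, request: bytes, ack: bool) -> bytes:
    """CoA-ACK/NAK: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Secret)."""
    header = struct.pack("!BBH", COA_ACK if ack else COA_NAK, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()
```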