Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lincoweb
New Contributor II

Need help setting up FortiNAC as External Captive Portal for Bridged Guest SSID created in FortiGate

Hi Guys,

I having some issues understanding how to configure FortiNAC to authenticate and grant access to guest/contractor users connecting via a guest ssid created on fortiGate.

This is what i have setup already:

  • FortiNAC has FortiGate in the Network-->Inventory container (SNMP v3c and SSH v2 connections configured)
  • FortiNAC running both local and proxying RADIUS to enterprise Server
  • FortiNAC connected to security Fabric
  • Bridge mode SSID created in FortiGate using external authentication captive portal pointing to FortiNAC URL
  • FortiNAC configured for Guest Self Registration (guests can also be created locally by admin/sponsors)

I simply want guest users connecting to the SSID to be authenticated by FortiNAC and be granted access to the wireless network so they can browse the internet. I cant seem to find any configuration examples for this. I see documents speaking to creating Logical Networks etc. The term Model Configuration also comes up, but I dont see this tab for the FortiGate in the Network -> Inventory view. I'm been struggling with this for months. Please help.

 

13 REPLIES 13
ebilcari
Staff
Staff

the model configuration from FortiNAC can be found in Virtualized Devices, like:

VD.PNG

From FGT you have to enable MAC address filtering on that SSID and the RADIUS server pointing to FortiNAC and enable Dynamic VLAN:

mac filter.PNG

For the captive portal to work you need to configure the DHCP server relay to point to FNAC eth1 interface. Portal redirection is done through DNS only. There is no need to enable captive portal on FGT or put an url, it will not work like that

relay.PNG

The SSID should include at least two VLANs, registration and access:

ssid.PNG

You can also take a look at this step by step guide, it's for wired but share the same logic steps: https://community.fortinet.com/t5/FortiNAC/Technical-Tip-FortiNAC-Guest-Captive-Portal-configuration...

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
lincoweb
New Contributor II

A couple of things:

  • I don's see a 'Virtualized Devices' Tabnac1.PNG
  • Are you sure Dynamic VLAN assignment is available for an SSID in Bridge mode?
  • If I don't configure the SSID to use captive Portal in the FGT, which Authentication scheme should be selected when configuring the SSID?

nac2.PNG

  • How do I Assign a second VLAN to the SSID?
  • I am aware of the link you sent from before. However, it speaks to some settings I am not able to access

nac3.PNG

I think the 'Logical Network' is associated with the 'Model Configuration' which I mentioned I am not able to see from before. I am not seeing the 'Virtualized Devices' tab either

ebilcari

1. I don's see a 'Virtualized Devices' Tab - You have to check FGT modeling, something is wrong there, r-click Set Device Mapping

 

2. Are you sure Dynamic VLAN assignment is available for an SSID in Bridge mode? - Yes they are, basically the AP will tag the user traffic directly and put it on the switch port, you don't have to configure it under SSID.


3. If I don't configure the SSID to use captive Portal in the FGT, which Authentication scheme should be selected when configuring the SSID? - Just leave it open or PSK if you want but put FNAC as DHCP and DNS server, it will put the users in registration VLAN that you can limit access to FNAC only. Registration VLAN should include the network configurations and dhcp relay.

 

4. I think the 'Logical Network' is associated with the 'Model Configuration' which I mentioned I am not able to see from before. I am not seeing the 'Virtualized Devices' tab either - Yes, but it looks like your FGT is not properly modeled, you should also see the SSID tab

 

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
lincoweb
New Contributor II

How do I 'Check FGT Modeling'? This is what I see when I r-click and 'Set Device Mapping':

nac3.PNG

Dynamic VLAN assignment is only available when 'RADIUS Server' is enabled under 'Client MAC Address Filtering' for tunnel mode SSIDs. The option is not there for Bridge Mode SSIDs. Are you saying I dont need to configure it at all now?

I have a VLAN created on the FGT for registration. It uses DHCP relay to point the FNAC. Should I then configure the 'Optional VLAN ID' field in the SSID to this VLAN so that when clients associate to the SSID they a placed in this VLAN?

Is there not a cookbook example specifically showing how to do this with a FGT, starting from modeling right through to configuring the SSID and captive portal? 

lincoweb
New Contributor II

I just blew away the device from the inventory and re-added it. I'm seeing the tabs you mentioned now:

nac4.PNG

ebilcari

It should be available for both Bridge or tunnel mode:

bridge.PNG

In bridge mode you still need to configure every other step apart from the VLANs inside the SSID.

From FortiNAC in model configuration you have to add this:

modelin.PNG

than continue following the logic of the wired guest authentication article.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
lincoweb
New Contributor II

Thanks for you help so far.

Question: If I configure the SSID using WPA personal, what will happen when the user connects to the SSID? Will they not be prompted for a passphrase? Or will this be overridden by the FortiNAC captive portal once I have the isolation VLAN configured in the optional VLAN ID  field in the SSID configuration?
Please bear with me. A lot of things don't make sense to me when in comes to this configuration.

ebilcari

No worries, WPA personal or open SSID is the same from FNAC perspective and the authentication, this is just a choice. If you use WPA the users should enter the password first access the SSID than do the authentication via the portal, it's more like for encryption part. I don't want to leave the Wi-Fi traffic unencrypted.

VLAN assignment will come from RADIUS server (FNAC) there is no need to use "Optional VLAN ID".

You can read more about VLAN assignment by RADIUS here:
https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/451754/dynamic-vlan-name-assignment-from...

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
lincoweb
New Contributor II

I am not seeing an option for open security. I just testing it with the WPA and I see where it asks for a a passphrase. This workflow won't be acceptable since it requires providing guests with a passphrase outside of providing them with a sponsor email address.security-options.jpg

Top Kudoed Authors