Need help setting up FortiNAC as External Captive Portal for Bridged Guest SSID created in FortiGate
I am having some issues understanding how to configure FortiNAC to authenticate and grant access to guest/contractor users connecting via a guest SSID created on FortiGate.
This is what i have setup already:
FortiNAC has FortiGate in the Network-->Inventory container (SNMP v3c and SSH v2 connections configured)
FortiNAC running both local and proxying RADIUS to enterprise Server
FortiNAC connected to security Fabric
Bridge mode SSID created in FortiGate using external authentication captive portal pointing to FortiNAC URL
FortiNAC configured for Guest Self Registration (guests can also be created locally by admin/sponsors)
I simply want guest users connecting to the SSID to be authenticated by FortiNAC and be granted access to the wireless network so they can browse the internet. I can't seem to find any configuration examples for this. I see documents speaking to creating Logical Networks etc. The term Model Configuration also comes up, but I don't see this tab for the FortiGate in the Network -> Inventory view. I've been struggling with this for months. Please help.
The Model Configuration in FortiNAC can be found under Virtualized Devices, like:
On the FGT you have to enable MAC address filtering on that SSID with the RADIUS server pointing to FortiNAC, and enable Dynamic VLAN:
For the captive portal to work you need to configure the DHCP server relay to point to the FNAC eth1 interface. Portal redirection is done through DNS only. There is no need to enable the captive portal on the FGT or put in a URL; it will not work like that.
The SSID should include at least two VLANs, registration and access:
1. I don't see a 'Virtualized Devices' tab - You have to check the FGT modeling, something is wrong there; right-click, Set Device Mapping.
2. Are you sure Dynamic VLAN assignment is available for an SSID in Bridge mode? - Yes it is; basically the AP will tag the user traffic directly and put it on the switch port, you don't have to configure it under the SSID.
3. If I don't configure the SSID to use the captive portal in the FGT, which authentication scheme should be selected when configuring the SSID? - Just leave it open, or PSK if you want, but put FNAC as the DHCP and DNS server. It will put the users in the registration VLAN, which you can limit to access to FNAC only. The registration VLAN should include the network configuration and DHCP relay.
4. I think the 'Logical Network' is associated with the 'Model Configuration' which I mentioned I am not able to see from before. I am not seeing the 'Virtualized Devices' tab either - Yes, but it looks like your FGT is not properly modeled; you should also see the SSID tab.
- Emirjon. If you have found a solution, please like and accept it to make it easily accessible for others.
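The FortiGate side of what the replies above describe (FortiNAC as the RADIUS server for MAC filtering on the SSID, dynamic VLAN enabled, a registration VLAN whose DHCP is relayed to FortiNAC eth1, and an access VLAN that FortiNAC assigns after registration), written out as a FortiOS CLI fragment. This is an added example, not configuration posted in this thread or supplied by Fortinet; the FortiNAC address 192.0.2.10, the VLAN IDs 100/200, the interface names and the parent interface "internal" are assumptions, and the shared secret is a placeholder.

```fortios
# Added example, not from the thread. Assumed values: FortiNAC eth1 = 192.0.2.10,
# registration VLAN 100, access VLAN 200, parent interface "internal".

# 1. FortiNAC as the RADIUS server the SSID uses for MAC authentication
config user radius
    edit "FortiNAC"
        set server "192.0.2.10"
        set secret "REPLACE-WITH-SHARED-SECRET"
    next
end

# 2. Registration (isolation) VLAN: DHCP is relayed to FortiNAC so that FortiNAC
#    hands out the lease, answers DNS and redirects the guest to its own portal.
config system interface
    edit "guest-reg"
        set vdom "root"
        set type vlan
        set interface "internal"
        set vlanid 100
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping
        set dhcp-relay-service enable
        set dhcp-relay-ip "192.0.2.10"
    next
    # 3. Access VLAN: the VLAN FortiNAC returns via RADIUS once the guest is registered
    edit "guest-access"
        set vdom "root"
        set type vlan
        set interface "internal"
        set vlanid 200
        set ip 10.200.0.1 255.255.255.0
        set allowaccess ping
    next
end

# 4. Bridge-mode SSID: no captive portal configured on the FortiGate itself.
#    Security can be open or WPA Personal; either way MAC filtering is done
#    against FortiNAC and the VLAN comes back in the RADIUS reply.
config wireless-controller vap
    edit "Guest"
        set ssid "Guest"
        set security open
        set local-bridging enable
        set radius-mac-auth enable
        set radius-mac-auth-server "FortiNAC"
        set dynamic-vlan enable
    next
end
```

Because the SSID is bridged at the AP and the VLAN is chosen by FortiNAC, the switch port the AP is plugged into has to carry both VLAN 100 and VLAN 200 tagged, otherwise the frames the AP tags (as described in the reply above) are dropped before they reach the FortiGate. Firewall policies are not shown here: guest-reg should be allowed only DHCP, DNS and HTTP(S) to 192.0.2.10, and guest-access gets the internet-bound policy.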
How do I 'Check FGT Modeling'? This is what I see when I r-click and 'Set Device Mapping':
Dynamic VLAN assignment is only available when 'RADIUS Server' is enabled under 'Client MAC Address Filtering' for tunnel mode SSIDs. The option is not there for Bridge Mode SSIDs. Are you saying I don't need to configure it at all now?
I have a VLAN created on the FGT for registration. It uses DHCP relay to point to the FNAC. Should I then configure the 'Optional VLAN ID' field in the SSID to this VLAN so that when clients associate to the SSID they are placed in this VLAN?
Is there not a cookbook example specifically showing how to do this with a FGT, starting from modeling right through to configuring the SSID and captive portal?
Question: If I configure the SSID using WPA Personal, what will happen when the user connects to the SSID? Will they not be prompted for a passphrase? Or will this be overridden by the FortiNAC captive portal once I have the isolation VLAN configured in the Optional VLAN ID field in the SSID configuration? Please bear with me. A lot of things don't make sense to me when it comes to this configuration.
No worries. WPA Personal or an open SSID is the same from the FNAC perspective as far as the authentication goes; this is just a choice. If you use WPA, the users should enter the password first to access the SSID, then do the authentication via the portal; it's more for the encryption part. I don't want to leave the Wi-Fi traffic unencrypted.
VLAN assignment will come from the RADIUS server (FNAC); there is no need to use "Optional VLAN ID".
I am not seeing an option for open security. I just tested it with WPA and I see where it asks for a passphrase. This workflow won't be acceptable since it requires providing guests with a passphrase in addition to providing them with a sponsor email address.