mjwhite3
New Contributor

Wireless Printer + Captive Portal + Disclaimer Only

Hello,

I would like to set up a printer for wireless printing. This printer is wirelessly connected, but does not have the ability to click "I agree" in the captive portal. In my FortiOS settings, I am unable to add this printer to an exemption list because my portal is set to disclaimer only. For various reasons, I do not wish to change the setting to anything other than disclaimer only.

 

I'm curious, what options do I have without changing the portal to something other than disclaimer only? Can I exempt my printer from the captive portal based upon MAC address?

 

Could I create a hidden SSID that is just for the printer, and somehow allow traffic to and from the captive portal SSID? Think of this as bridging WIFI SSIDs? (I know there's a better solution.)

 

gschmitt
Valued Contributor

mjwhite3 wrote:

Could I create a hidden SSID that is just for the printer, and somehow allow traffic to and from the captive portal SSID? Think of this as bridging WIFI SSIDs? (I know there's a better solution.)

Yes

mjwhite3

Thanks for responding gschmitt, but since I'm pretty new at this, can you give me some more information on how I would do this? Specifically, what type of firewall policies I'd need to have.

 

Thanks!

 

gschmitt
Valued Contributor

Okay, I just noticed you can exempt addresses from the authentication process.

Go to WiFi Controller > WiFi Network > SSID and select your Guest Network

Below WiFi Settings use the Exempt List Dropdown Menu and select Printer

 

Make sure you have Detect and Identify Devices set to on

mjwhite3

Well, exempting the printer was my first thought, too. But, since my captive portal is disclaimer only, I cannot exempt based upon user groups. In fact, next to WIFI settings, there is no box to select exempt. The ability to exempt devices becomes available if I change my portal type, but I'm not sure my boss will allow that.

 

(I did go into the CLI and enable the ability to make things exempt.)

 

So, I'm left with having to search for other solutions. Like I said, I'm pretty new at creating firewall policies, but it seems to me that I'd need several policies, one allowing for Internet access and one for each wireless network to be able to see each other.

gschmitt
Valued Contributor

You could try creating address objects (I assume the printers have a static IP) and add these to the exempt list, otherwise at least I get a chance to repost what I wrote before:

 

 

To create a new SSID:

First of all we need a new subnet for the new SSID, let's say 192.168.42.0/24

Go to WiFi Controller > WiFi Network > SSID and Create New

Interface Name: WiFiIfPrinter

IP/Network Mask: 192.168.42.254/24

DHCP Server Enable

At Address Range select Create New

Starting IP 192.168.42.1

End IP 192.168.42.253

SSID: WiFi_Printer

Security Mode: WPA2 Personal

Pre-Shared key: AllPrintsAreBelongToUs

Deselect Broadcast SSID

 

So we created a new SSID, now to broadcast it!

 

Go to WiFi Controller > WiFi Network > FortiAP Profiles

Select the FortiAP profile you are using

At SSID hit the + and Add WiFi_Printer

 

Now the new SSID is being broadcasted (not visible) but there is no connection yet. Let's create an address object first

 

Go to Policy&Objects > Objects > Addresses and Create new

Name: network_wifi_printers

Subnet: 192.168.42.0/24

Interface: WiFiIfPrinter

 

And we need policies

Go to Policy&Objects > Policy > IPv4 and Create New

Incom. Interface: WiFiIfPrinter

Source Address: network_wifi_printers

Out. Interface: YourNormalWiFiInterface

Dest. Address: YourNormalWiFiAddress

Service: All

Disable NAT

 

And the other way around, again Create New but simply change the interfaces and addresses

mjwhite3

I followed everything perfectly until the firewall policies.

 

When I created the first policy, I did not see the network_wifi_printers object that I created. I did see an object called local_LAN, and I chose this, hoping it might work.

 

Also, when you say "the other way around, again, but simply change the interfaces and addresses", can you explain that a little more?

 

The first policy is to allow traffic onto the WIFI_printer SSID, am I correct? 

 

mjwhite3

I created a policy to give the WIFI_printer SSID internet access. This was successful.

 

I then created two policies: one in which the incoming interface is Normal_WIFI and the outgoing address is WIFI_Printer to allow users on the Normal_WIFI to communicate with the printer. This moves from the normal WIFI SSID to the wireless printer SSID.

 

Next, I created a second policy in which the incoming interface is WIFI_Printer and the outgoing address is Normal_WIFI to allow the printer to communicate with the users. This moves from the wireless printer SSID to the normal WIFI SSID.

 

I thought I might need to do this (create both policies) to allow information to flow in both directions; however, I could be wrong.

 

After creating these policies, I was not able to find the wireless printer using my iPad. (Note: the printer is working well, and has worked with the iPad).

 

I also attempted a workaround: I connected to the normal WIFI with my iPad using a static IP and then authenticated. I then disconnected the iPad from the network. I then connected the printer to the normal WIFI using that same static IP, and was able to find it with the iPad (after reconnecting and getting a new IP for the iPad). My Android device was unable to find the printer.

mjwhite3

I was able to make this work. I created a hidden WIFI SSID called WIFI_Printer and made several policies. The public SSID has to be allowed to see WIFI_Printer, WIFI_Printer has to be allowed to see the public SSID. Both the public SSID and WIFI_Printer needed Internet access. Then, I had to set up multicasting. Both the public SSID and the WIFI_Printer SSID needed multicast policies.
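
The policy set this thread arrives at, written as FortiOS CLI configuration. This is an added example, not posted by either participant: interface and address names are the ones used in the thread (YourNormalWiFiInterface and YourNormalWiFiAddress are the thread's own placeholders), the multicast address object "all" is assumed to be the FortiOS default, and the Internet-access policies are omitted.

```fortios
# Added example. Names follow the thread; "edit 0" takes the next free policy ID.
config firewall address
    edit "network_wifi_printers"
        set subnet 192.168.42.0 255.255.255.0
        set associated-interface "WiFiIfPrinter"
    next
end
config firewall policy
    # Captive-portal SSID clients -> printer SSID (unicast print traffic)
    edit 0
        set srcintf "YourNormalWiFiInterface"
        set dstintf "WiFiIfPrinter"
        set srcaddr "YourNormalWiFiAddress"
        set dstaddr "network_wifi_printers"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Printer SSID -> captive-portal SSID clients (NAT stays disabled)
    edit 0
        set srcintf "WiFiIfPrinter"
        set dstintf "YourNormalWiFiInterface"
        set srcaddr "network_wifi_printers"
        set dstaddr "YourNormalWiFiAddress"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Printer discovery relies on multicast, which unicast policies do not forward.
config firewall multicast-policy
    edit 0
        set srcintf "YourNormalWiFiInterface"
        set dstintf "WiFiIfPrinter"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
    edit 0
        set srcintf "WiFiIfPrinter"
        set dstintf "YourNormalWiFiInterface"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
```

Service "ALL" mirrors the thread; a custom service limited to the printer's print ports, and a multicast destination limited to the discovery group in use, expose less of the printer to unauthenticated portal clients. An address object bound to an interface can only be selected on that interface's side of a policy.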
