Hello,
I would like to set up a printer for wireless printing. This printer is wirelessly connected, but does not have the ability to click "I agree" in the captive portal. In my FortiOS settings, I am unable to add this printer to an exemption list because my portal is set to disclaimer only. For various reasons, I do not wish to change the setting to anything other than disclaimer only.
I'm curious, what options do I have without changing the portal to something other than disclaimer only. Can I exempt my printer from the captive portal based upon MAC address?
Could I create a hidden SSID that for just the printer, and somehow allow traffic to and from the captive portal SSID? Think of this as bridge WIFI SSIDs? (I know there's a better solution.)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
mjwhite3 wrote:YesCould I create a hidden SSID that for just the printer, and somehow allow traffic to and from the captive portal SSID? Think of this as bridge WIFI SSIDs? (I know there's a better solution.)
Thanks for responding gschmitt, but since I'm pretty new at this, can you give me some more information on how I would to this? Specifically, what type of firewall policies I'd need to have.
Thanks!
Okay, I just noticed you can exempt addresses from the authentication process.
Go to WiFi Controller > WiFi Network > SSID and select your Guest Network
Below WiFi Settings use the Exempt List Dropdown Menu and select Printer
Make sure you have Detect and Identify Devices set to on
well, exempting the printer was my first thought, too. But, since my captive portal is disclaimer only, I can not except based upon user groups. In fact, next to WIFI settings, there is no box to select exempt. The ability to exempt devices becomes available if I change my portal type, but I'm not sure my boss will allow that.
(I did go into the CLI and enable the ability to make things exempt.)
So, I'm left with having to search for other solutions. Like I said, I'm pretty new at creating firewall policies, but it seems to me that I'd need several policies, one allowing for Internet access and one for each wireless network to be able to see each other.
You could try creating address objects (I assume the printers have a static IP) and add these to the exempt list, otherwise at least I get a chance to repost what I wrote before:
To create a new SSID:
First of all we need a new subnet for the new SSID, let's say 192.168.42.0/24
Go to WiFi Controller > WiFi Network > SSID and Create New
Interface Name: WiFiIfPrinter
IP/Network Mask: 192.168.42.254/24
DHCP Server Enable
At Address Range select Create New
Starting IP 192.168.42.1
End IP 192.168.42.253
SSID: WiFi_Printer
Security Mode: WPA2 Personal
Pre-Shared key: AllPrintsAreBelongToUs
Deselect Broadcast SSID
So we created a new SSID, now to broadcast it!
Go to WiFi Controller > WiFi Network > FortiAP Profiles
Select the FortiAP profile you are using
At SSID hit the + and Add WiFi_Printer
Now the new SSID is being broadcasted (not visible) but there is no connection yet. Let's create an address object first
Go to Policy&Objects > Objects > Addresses and Create new
Name: network_wifi_printers
Subnet: 192.168.42.0/24
Interface: WiFiIfPrinter
And we need policies
Go to Policy&Objects > Policy > IPv4 and Create New
Incom. Interface: WiFiIfPrinter
Source Address: network_wifi_printers
Out. Interface: YourNormalWiFiInterface
Dest. Address: YourNormalWiFiAddress
Service: All
Disable NAT
And the other way around, again Create New but simply change the interfaces and addresses
I followed everything perfectly until the firewall policies.
When I created the first policy, I did not see the network_wifi_printers object that I created. I did see an object called local_LAN, and I chose this, hoping it might work.
Also, When you say, the other way around, again, but simply change the interfaces and address, can you explain that a little more.
The first policy is to allow traffic onto the WIFI_printer SSID, am I correct?
I created a policy to give the WIFI_printer SSID internet access.This was successful.
I then created two policies: one in which the incoming interface is Normal_WIFI and the outgoing address is WIFI_Printer to allow users on the Normal_WIFI to communicate with the printer. This moves from the normal WIFI SSID to the wireless printer SSID.
Next, I created a second policy in which the incoming interface is WIFI_Printer and the outgoing address is Normal_WIFI to allow the printer to communicate with the users. This moves from the wireless printer SSID to the normal WIFI SSID.
I thought I might need to do this (create both policies) to allow information to flow in both directions; however, I could be wrong.
After creating these policies, I was not able to find the wireless printer using my iPad. (Note: the printer is working well, and has worked with the iPad).
I also attempted a work around: I connected to the normal WIFI with my iPad using a static IP and then authenticated. I then disconnected the iPad form the network. I then connected the printer to the normal WIFI using that same static IP, and was able to find it with the iPad (after reconnecting and getting a new IP for the iPad). My Android device was unable to find the printer.
I was able to make this work. I created a hidden WIFI SSID called WIFI_Printer and made several policies. The public SSID has to be allowed to see WIFI_Printer, WIFI_Printer has to be allowed to see the public SSID. Both the public SSID and WIFI_Printer needed Internet access. Then, I had to set up multicasting. Both the public SSID and the WIFI_Printer SSID needed multicast policies.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1633 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.