Hello,
Some keywords:
Fortigate 60E
separate VLANs
Ubiquity Unify Cloud key and AC-pro access points
Guest wifi hotspot with captive portal and voucher system (ubiquity unify)
Problem: can't access the Ubiquity Unify captive portal from the guest wifi network
Setup:
Fortigate 60E connects to internet via WAN port, switches connected with trunks to the internal ports on the Fortigate.
3 VLANs with DHCP pools for business (1), guest (30) and private (20) set up on Fortigate for wired and WIFI networks.
Ubiquity Unify (for WIFI) with cloud key and access points are connected to VLAN1.
Configuration works fine for wired ports as well as wireless. Depending on selected network (wired or WIFI) correct IPs are assigned, network access restrictions, internet policies applied and bandwidth restrictions are correct. So far so good.
The moment I make in the Ubiquity control panel the guest network a hotspot with a captive portal for log in with vouchers for internet access I get a hick up: when connecting with a device to the guest WIFI (VLAN 30), a correct IP address gets assigned and the browser opens to get to the captive portal for log in. Problem is the page doesn't open and the browser gives a connection time out after a while.
My guess is that the captive portal is managed and issued by the unify cloud key, which has a VLAN1 IP address. The guest device that tries to connect to the captive portal so it can log in and get access to internet has a VLAN 30 IP address. There is a good reason that guest are on a separate VLAN and I want to keep that segregation for security purposes. I have experimented with creating a policy rule that allows traffic from VLAN 30 to the Cloud key specific IP but no luck so far.
How can I get this to work (guest on VLAN 30 to use the WIFI to access internet with a voucher and authentication through the captive portal) without compromising the separation between the VLANs? I think that the solution is in a policy between the 2 VLAN's to allow for this specific traffic but am not sure as the first few attempts to set up such a rule failed on me.
Ubiquity support suggests creating DMZ for the cloud key, but I am not sure if a DMZ is what I am happy with. Maybe one of you has had this combination before and found a reliable and safe solution?
Thanks,
André Pasman
Best Regards,
André
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello André and welcome,
we have it built just like you. You have three choices:
1) using policy to access from VLAN30 to VLAN1 (I do not see why it should not work) 2) place UniFi CTRL into VLAN30 3) create the DMZ and place CTRL into
We have option 1 where we only allow access to the Captive Portal Portal and it works
Jirka
Hello Jirka,
Option 1 is my preferred solution.
What I have done so far:
Created an address in Fortigate with the name cloud key, type subnet, range 192.168.10.30, any interface.
(The cloud key is on Vlan1 with IP address 192.168.10.30)
Then I created a policy with incoming interface Guest (that is the guest VLAN 30), outgoing interface business (internal). (That is VLAN 1)
Source: all
Destination: Cloud Key
Schedule: allways
Service: all
Action: accept
Nat switched on and use outgoing interface address
Security profiles on default settings.
This did not work. What did I forget or do wrong? Maybe you can can suggest me the appropriate address/policy setting? Also, I have enabled all services for now. But I would like to limit that to only the bare minimum required to let the captive portal work. Thanks for your help.
Best Regards,
André
Disable NAT. I cannot see why you would need it here.
exactly
I've done something very similar but with a Linux VM instead of a cloud key. The linux VM was on it's own DMZ VLAN.
I had to make sure the DMZ subnet was added to the "Pre-Authorization Access" list in the Unifi manager. It's under Settings > Guest Control > Access Control. If you don't have that then the Unifi Access Points won't allow traffic to pass through to the Cloud Key to access the captive portal.
I'll add my firewall rule for Guest VLAN to Unifi Controller VLAN for captive portal access:
config firewall policy edit 0 set srcintf "VlanGuest100" set dstintf "VLANUnifi111" set srcaddr "all" set dstaddr "unifi_Controller" set action accept set schedule "always" set service "unifi_8880" "Unifi_8843" next end
Thanks!!!
That was it. I disabled the NAT and tried a few minutes later the Guest wifi on my phone: it comes up with the portal and after entering the voucher code i was online.
2 questions:
- How do I prevent the certificate warnings? I think some of our guests will not know how to go around and ask for help ;)
- Are 'all' services required or can I disable a few and only leave the HTTP and HTTPS? Or do I need more?
I will check tomorrow the rest of the set up in respect to VLAN segregation, bandwith and firewall settings
Great help. Thanks again.
Best Regards,
André
@MattM: It was the NAT. I disable it and it works now.
PS: your remark on the pre-aouthorisation is correct. I added the IP address of the Cloud key on the VLAN1 in that box.
Thanks for helping.
Best Regards,
André
André wrote:Are 'all' services required or can I disable a few and only leave the HTTP and HTTPS? Or do I need more?
8880 is unsecured, HTTP
8843 is secured, HTTPS
The following is how the ports used by default for each authentication method (U = 8880, S = 8843)
U - No Authentication
U - Simple Password
S - Hotspot (starts as insecure 8880 and if you move to the payment.html page, it gets redirected to HTTPS)
External portal server by default is port 80 on the external hotspot and it would be up to that server whether to redirect to HTTPS or stay on HTTP.
I did a few checks to see if traffic could sneak through from VLAN30 to VLAN1 besides the traffic from VLAN30 to the cloud key on VLAN1. It looks like that the VLAN segregation is still intact and I don't have to worry.
Regarding my previous 2 remaining points:
1- I switched of the requirement for a secure portal and the https redirect in the Ubiquity controller. That solved the certificate issues. (Guest was getting certificate errors and could not progress with the log in).
2- In the Fortigate I took away the 'all services' from the VLAN30-to-Cloud-key policy and created a new service that only allows TCP port 8080, 8880 and 8443.
Unless somebody has some additional suggestions, I think this issue is resolved and I hope that others who have a Fortigate and want to use Ubiquity Unify guest portal with separate VLANs can use these postings.
Thanks.
Best Regards,
André
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1632 | |
1063 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.