[FortiAP] Setup a captive portal Wifi for FortiAP (FortiOS 5.0-5.2)

[FortiAP] Setup a captive portal Wifi for FortiAP (FortiOS 5.0-5.2)


After a rough time with TP-Link enterprise access point and controller. I decided to change all of the access points in my home to Fortinet system. Choosing a Fortinet system are able to control access point in Fortigate firewall also the hardware process is much stronger to handle devices.

Setup a captive portal Wifi for FortiAP

Using a captive portal provided a website auth and auto session kill when the user is not using. Different than WPA2 personal or enterprise, those password and account information to login to the WiFi system will not store in local device storage.

Picture & Information ref: http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/

The website page is a script that gathers the user logon information and send back to FortiGate with format messsage
https://<FGT_IP>:1003/fgtauth with data magic=session_id&username=<username>&password=<password>

Example: https://cookbook.fortinet.com/wp-content/uploads/FortiGate/wifi-ext-captive-portal/portal-php.txt

Add a local user and local group

User&Device> User Definition > Create New > Local > Username/Password
User&Device> User Group > Create New > Firewall > Add User

Enforce HTTPS authentication.

Enable use of HTTPS for authentication so that user credentials are communicated securely. (If you are not using external portal you can skip this section)

  1. config user setting
      set auth-secure-http enable

Create the WiFi network

WiFi Controller > WiFi Network > SSID

When you are using the captive portal, it is only available to use tunnel traffic mode.
Enable DHCP for clients.

Configure external captive portal security.
Do not include “http://” or “https://” in the captive portal URL.

<policy_id> from ID column of the policy list (Policy & Objects > Policy > IPv4).

In the CLI, enable bypass of the captive portal so that the user can make the initial contact with the external server.

config firewall policy
  edit <policy_id>
    set captive-portal-exempt enable

Create the Internet access security policy

Go to Policy & Objects > Policy > IPv4.

Set up an incoming WiFi traffic to assess outgoing internet to access internet.


Connect and authorize the FortiAP

Read this article: http://blog.elogy.org/?p=1168&preview=true



(The web server certificate must be verifiable, or the browser will show warnings.)




你的電子郵件位址並不會被公開。 必要欄位標記為 *

這個網站採用 Akismet 服務減少垃圾留言。進一步瞭解 Akismet 如何處理網站訪客的留言資料