Creating a Fortinet External Captive Portal

Prerequisites

  • Your FortiGate firewall must be running FortiOS 6.0 or higher. Fydelia was tested on a FortiGate 40F running FortiOS v6.4.6 build6083 (GA).
  • Admin access to your FortiGate firewall.
  • At least one compatible FortiAP device connected to the LAN socket of your FortiGate firewall. In this example we’re using a FortiAP 231F. No direct AP configuration is required.

CREATE AN SSID

Under “WiFi & Switch Controller” click SSIDs

Click Create New -> SSID

SSID and DHCP

Enter a name for your SSID (you will enter the actual broadcast network name further down)

Also enter your desired IP range for guest devices and enable DHCP.

WIRELESS NETWORK SETTINGS

Pay attention to these steps, as the captive redirect will not work without them.

1) SSID Name

Under WiFi Settings enter an SSID name, such as “Fydelia Test”.

2) Security Mode

Under Security Mode, choose “Captive Portal”, then “External”.

You will need to copy/paste in your full Fydelia splash page URL.

In this example, the guest is redirected to https://google.com after login.

3) User Groups

You must assign a user group. We will just assign it to the default guest group related to the firewall.

4) Exempt Destinations/Services

This step ensures that guests are allowed out to the Fydelia.com splash page even though they’re not yet connected to the internet.  This is, effectively, the pre-authentication walled garden setting:

Click the + button.

Click CREATE.

Choose Address.

Enter a name, choose FQDN and enter “ondemand.fydelia.com”.

Click OK, then click your newly created entry.

Click OK at the bottom of the screen to save your settings.

WiFi Policy

It’s likely you already have this set up, but during testing we found that we had to add a policy to route WiFi traffic to the WAN in order to gain internet access from the AP.

If you do not have a policy set up, create one that links your new SSID to WAN.

You’re all set.  Client devices can now authenticate via your Fydelia guest splash page.
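To confirm the SSID settings above from a configuration backup rather than by eye, the following added example (not Fydelia's or Fortinet's code) checks that the SSID is in captive-portal mode, that the splash URL is HTTPS, and that the splash host is covered by the exempt destinations. The excerpt is constructed; the object names, the splash URL path and the CLI key names (the page shows only the GUI fields) are assumptions to compare against your own backup.

```python
import shlex
from urllib.parse import urlsplit

# Constructed excerpt; object names, URL path and key names are assumptions, not from the page.
SAMPLE = '''config firewall address
    edit "fydelia-portal"
        set fqdn "ondemand.fydelia.com"
    next
end
config user security-exempt-list
    edit "guest-exempt"
        config rule
            edit 1
                set dstaddr "fydelia-portal"
            next
        end
    next
end
config wireless-controller vap
    edit "guest-wifi"
        set security captive-portal
        set external-web "https://ondemand.fydelia.com/SPLASH-PATH"
        set security-exempt-list "guest-exempt"
    next
end'''

def parse(text):  # -> {(top-level section, object name): {setting: [values]}}
    path, edits, out = [], [], {}
    opens, closes = {"config": path, "edit": edits}, {"end": path, "next": edits}
    for op, *args in filter(None, map(shlex.split, text.splitlines())):
        if op in opens:
            opens[op].append(" ".join(args))
        elif op in closes and closes[op]:
            closes[op].pop()
        elif op == "set" and path and edits and args:
            # Nested "config rule" settings are filed under the outer object.
            out.setdefault((path[0], edits[0]), {}).setdefault(args[0], []).extend(args[1:])
    return out

def audit_vap(text, vap):  # returns a list of findings; empty means every check passed
    cfg = parse(text)
    ssid = cfg.get(("wireless-controller vap", vap), {})
    url = urlsplit("".join(ssid.get("external-web", [])[:1]))
    addrs = [a for lst in ssid.get("security-exempt-list", [])
             for a in cfg.get(("user security-exempt-list", lst), {}).get("dstaddr", [])]
    fqdns = {f.lower() for a in addrs for f in cfg.get(("firewall address", a), {}).get("fqdn", [])}
    checks = [(ssid.get("security") == ["captive-portal"], "security mode is not captive-portal"),
              (url.scheme == "https", "splash URL is not HTTPS"),
              (url.hostname in fqdns, "splash host missing from exempt destinations")]
    return [msg for ok, msg in checks if not ok]
```

Call `audit_vap()` with the text of your own backup and the SSID interface name; a missing exempt entry is the case that stops the captive redirect from loading.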
