Fortinet


Purpose

This guide shows how to configure a Fortinet Access Controller.

Please note that the images in this article may show outdated configuration data. Always check the values in the "Parameters for the Solution" section at the bottom of the page, which are kept up to date.



Prerequisites

The configuration procedure has been performed and tested on a Fortinet FortiWiFi 60D Access Controller running firmware FGT_60D-v5-build1117 and a FAP-221B Access Point running firmware FAP_221B-v5-build0354.

This guide applies to the Access Controller, Access Point and firmware versions mentioned above. Later firmware versions should also work.
Other configurations have not been tested yet, and we currently have no information on whether they can be integrated with Cloud4Wi.

Before integrating the controller with Volare, make sure that the Access Controller is connected to the Internet and reachable on the network.

Logging in to the Access Controller

By default the Access Controller has the IP address 192.168.1.99. You can manage and configure the FortiWiFi over SSH, or from a web browser by opening http://192.168.1.99 and logging in as the admin user, which has no password by default.

 

Adding the RADIUS server

Go to User & Device > Authentication > RADIUS Servers. Define the connection to the RADIUS server.

  • Name: myRadius
  • Primary Server IP: 54.247.117.188
  • Prim. Server Secret: provided by C4W
  • Secondary Server IP: 79.125.111.180
  • Sec. Server Secret: provided by C4W

01_radius_server.png

Go to User & Device > User > User Groups. Define a firewall user group with the RADIUS server as its only member: click the Create New button, select the RADIUS server created previously and click OK.

02_radius_serv_user_group.png

03_Add_Group_match.png
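The RADIUS server and shared secrets defined above are what the controller uses to check captive-portal logins. The following added example (not Fortinet's or Cloud4Wi's code) walks through one RFC 2865 Access-Request / Access-Accept exchange with only the Python standard library, playing both the controller and the server: the shared secret hides the User-Password attribute on the wire and is also what authenticates the server's reply, so a secret that differs on either side produces a reject that the controller refuses to trust. The user name, password, secret and NAS address 192.168.20.1 are constructed sample values.

```python
"""RFC 2865 Access-Request/Accept exchange, controller and server side.
Added illustration, not Fortinet or Cloud4Wi code; all values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password; strips the NUL padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_attrs(pairs):
    """Encode (type, value) pairs as RADIUS attribute TLVs (type, length, value)."""
    out = bytearray()
    for attr_type, value in pairs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def parse_attrs(data):
    """Decode attribute TLVs, refusing truncated or under-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def controller_access_request(username, password, secret, nas_ip, identifier=1):
    """Controller (RADIUS client) side: Access-Request with a fresh random authenticator."""
    request_auth = os.urandom(16)
    attrs = build_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, encode_user_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def server_handle(packet, secret, users):
    """Server side: recover the password with the shared secret, check it and
    answer with an Accept or Reject that carries a Response Authenticator."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        return None
    request_auth, fields = packet[4:20], dict(parse_attrs(packet[20:length]))
    password = decode_user_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(fields.get(USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(expected, password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, identifier, b"", request_auth, secret)
    return build_packet(reply_code, identifier, auth, b"")


def controller_verify(reply, request_auth, secret):
    """Controller side: trust the reply only if its authenticator matches the one
    computed from our Request Authenticator and our copy of the secret."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, identifier, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def demo(secret=b"constructed-shared-secret", other_secret=b"mismatched-secret"):
    """One exchange with matching secrets, one where the server holds a different secret."""
    users = {b"guest@example.com": b"constructed-password"}  # constructed sample user
    request, request_auth = controller_access_request(
        b"guest@example.com", b"constructed-password", secret, "192.168.20.1")
    good = server_handle(request, secret, users)
    bad = server_handle(request, other_secret, users)
    return {
        "accepted": good[0] == ACCESS_ACCEPT and controller_verify(good, request_auth, secret),
        "mismatch_code": bad[0],  # server decoded garbage, so it sends a Reject
        "mismatch_verifies": controller_verify(bad, request_auth, secret),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The mismatch case is what a wrong or stale secret looks like from the controller's side: the server answers, but with a reject whose authenticator does not verify, so the user simply never gets past the portal and the log shows a failed or invalid RADIUS reply rather than a clear "wrong secret" message. Note also that User-Password hiding is MD5-based obfuscation keyed only by the secret, which is why the secret should be long, random and unique per controller.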

 

Enable HTTPS authentication and Radius Accounting

Go to Dashboard. Use the CLI console to enable HTTPS for authentication so that user credentials are communicated securely.

04_Click_on_CLI_console.png

Run the following commands:

config user settings
set auth-secure-http enable
end

05_CLI_with_commands.png

Create the WiFi network

Go to WiFi Controller > WiFi Network > SSID to create the WiFi SSID.

06_Create_new_ssid.png

Enter the following:

  • Interface Name: APSSID
  • Type: WiFi SSID
  • Traffic Mode: Tunnel to Wireless Controller
  • IP/Network Mask: 192.168.20.1 / 255.255.255.0
  • Restrict Access: RADIUS Accounting

07_New_interface_SSID.png

Configure external captive portal security. Do not include “http://” or “https://” in the captive portal URL.

  • SSID: C4W-Fortinet
  • Security Mode: Captive Portal
  • Portal Type: Authentication
  • Authentication Portal (External enabled): splashportal.cloud4wi.com
  • User Groups: extRadius
  • Redirect after Captive Portal (Specific URL enabled): https://splashportal.cloud4wi.com

Click on button OK to save.

08_SSID_WiFi_settings.png

 

Create policies for captive portal and unauthenticated users

Go to Policy & Objects > Objects > Addresses.

09_Create_new_address.png

Create an address for the captive portal.

  • Name: ecp
  • Type: IP/Netmask
  • Subnet / IP Range: 54.247.177.188
  • Interface: wan1

Click OK to save.

10_Policy_Address_ecp.png

Go to Policy & Objects > Policy > IPv4. Create a security policy for unauthenticated users that allows access only to the captive portal.

  • Name: Unauth-Users
  • Incoming Interface: C4W-Fortinet (APSSID)
  • Outgoing Interface: wan1
  • Source: all
  • Destination Address: ecp
  • Schedule: always
  • Service: ALL
  • Action: ACCEPT

Click OK.

11_Unauth_users_policy.png

In the CLI Console, enable captive-portal bypass for this policy so that the client can make initial contact with the external portal server.
Run the following commands:

config firewall policy
edit <policy_id>
set captive-portal-exempt enable
end

Obtain <policy_id> from the ID column of the policy list (Policy & Objects > Policy > IPv4).

 

Create the Internet access security policy

Go to Policy & Objects > Policy > Addresses.

12_Create_new_address.png

Create an address object for the SSID network created previously.

  • Name: fortinet-C4W-net
  • Type: IP/Netmask
  • Subnet / IP Range: 192.168.20.0 / 255.255.255.0
  • Interface: any

Click OK to save.

13_New_Address_SSID_Network.png

Go to Policy & Objects > Policy > IPv4. Create a policy to allow authenticated users access to the Internet.

  • Name: Auth_Users
  • Incoming Interface: C4W-Fortinet
  • Outgoing Interface: wan1
  • Source: fortinet-C4W-net, extRadius
  • Destination Address: all
  • Schedule: always
  • Service: ALL
  • Action: ACCEPT

Leave the other parameters at their defaults.

Click OK to save.

14_New_Auth_Users_pol_ip_to_www.png

 

Connect and authorize the FortiAP

Go to System > Network > Interface. Edit an unused interface and set it to Dedicated to Extension Device. Connect the FortiAP to this interface and apply power. Then go to WiFi Controller > Managed Devices > Managed FortiAPs.

15_Inteface_AP_Address_Restrict_Access.png

Select and authorize the FortiAP.

  • Physical Interface Members: AP iface
  • Role: LAN
  • Admin Access: HTTPS, HTTP, FMG-Access, CAPWAP, SSH, RADIUS Accounting
  • DHCP Server: enabled
  • Starting IP: 192.168.1.100
  • End IP: 192.168.1.254
  • Netmask: 255.255.255.0

Click OK to save.

16_Interface_AP_DHCP_server.png

Go to WiFi Controller > WiFi Network > FortiAP Profiles. Edit the default profile for your FortiAP model. Enable your SSID for each radio.

  • Radio Mode: Access Point
  • Select SSIDs: C4W-Fortinet

Click OK to save.

17_APProfile_SAVE.png

 

Enter policy to enable Social Login

To enable Social Login, it is mandatory to configure some rules on the Controller that allow specific domains through the walled garden. In this guide we will enable LinkedIn Login as an example. For the complete list of web sites and domains, please check the next paragraph (Web sites/domain list for Social Login).

Go to Policy & Objects > Objects > Addresses. Create an address for social login.

  • Name: api.linkedin.com
  • Type: FQDN
  • FQDN: api.linkedin.com
  • Interface: any

Click OK to save.

18_Create_new_address.png

19_New_Addr_social.png

To group the addresses created previously, add a new Address Group.

  • Name: Linkedin Login
  • Members: api.linkedin.com, licdn.com, linkedin.com, static.licdn.com

Click OK to save.

20_Address_group.png

Go to Policy & Objects > Policy > IPv4.

21_Unauth_Users_policy_Edit.png

Edit the Unauth-Users policy created previously and add the Linkedin Address Group to its destinations.

  • Destination Address: ecp, Linkedin

Click OK to save.

22_UnauthUser_Add_Linkedin.png
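The policies built above (the captive-portal-exempt Unauth-Users policy from the earlier section, now extended with the Linkedin address group, and the Auth_Users policy) are the part of this setup that is easiest to get wrong: an exempt policy whose destination is "all" lets every client out without ever touching the portal. The following added example (not Fortinet's or Cloud4Wi's code) parses a FortiOS-style configuration dump and audits exactly that. SAMPLE_CONFIG is a constructed dump written in the config/edit/set/next/end text form that the FortiOS CLI prints, using this guide's object names; the exact attribute names of a given firmware may differ and are an assumption here.

```python
"""Audit the captive-portal policies of a FortiOS config dump.
Added example, not Fortinet or Cloud4Wi code; SAMPLE_CONFIG is constructed."""
import shlex

# Constructed dump in FortiOS "show" text form with the object names from this guide.
SAMPLE_CONFIG = """
config firewall address
    edit "ecp"
        set subnet 54.247.177.188 255.255.255.255
        set associated-interface "wan1"
    next
    edit "fortinet-C4W-net"
        set subnet 192.168.20.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "Linkedin Login"
        set member "api.linkedin.com" "licdn.com" "linkedin.com" "static.licdn.com"
    next
end
config firewall policy
    edit 1
        set name "Unauth-Users"
        set srcintf "APSSID"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "ecp" "Linkedin Login"
        set action accept
        set schedule "always"
        set service "ALL"
        set captive-portal-exempt enable
    next
    edit 2
        set name "Auth_Users"
        set srcintf "APSSID"
        set dstintf "wan1"
        set srcaddr "fortinet-C4W-net"
        set groups "extRadius"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {table: {id: {key: [values]}}}.
    shlex handles the quoted, space-separated values FortiOS prints."""
    tables, stack = {}, []  # stack entries: [table_name, current_entry_or_None]
    for line in text.splitlines():
        words = shlex.split(line)
        if not words:
            continue
        if words[0] == "config":
            name = " ".join(words[1:])
            tables.setdefault(name, {})
            stack.append([name, None])
        elif words[0] == "edit":
            stack[-1][1] = tables[stack[-1][0]].setdefault(words[1], {})
        elif words[0] == "set":
            stack[-1][1][words[1]] = words[2:]
        elif words[0] == "next":
            stack[-1][1] = None
        elif words[0] == "end":
            stack.pop()
    if stack:
        raise ValueError("unterminated config block")
    return tables


def audit_captive_portal(tables, ssid_intf, portal_addr):
    """Inspect the accept policies whose source interface is the captive-portal SSID.
    Returns (issues, walled_garden): issues lists misconfigurations; walled_garden
    is the flat list of destinations reachable before authentication."""
    issues, walled = [], []
    groups = tables.get("firewall addrgrp", {})
    for pid, pol in tables.get("firewall policy", {}).items():
        if ssid_intf not in pol.get("srcintf", []) or pol.get("action", [""])[0] != "accept":
            continue
        if pol.get("captive-portal-exempt", ["disable"])[0] != "enable":
            continue  # non-exempt policies are gated by the portal
        name = pol.get("name", [f"policy {pid}"])[0]
        dst = pol.get("dstaddr", [])
        reach = [m for d in dst for m in groups.get(d, {}).get("member", [d])]
        walled.extend(reach)  # address groups expanded into their members
        if "all" in dst:
            issues.append(f"{name}: captive-portal-exempt with destination all, every client bypasses the portal")
        elif portal_addr not in reach:
            issues.append(f"{name}: exempt policy does not allow the portal address {portal_addr}")
    if not walled:
        issues.append(f"no captive-portal-exempt policy from {ssid_intf}; clients cannot reach the portal")
    return issues, walled


def run(config_text=SAMPLE_CONFIG):
    """Audit a dump for this guide's SSID interface and portal address object."""
    return audit_captive_portal(parse_fortios(config_text), "APSSID", "ecp")


if __name__ == "__main__":
    issues, walled = run()
    print("walled garden:", ", ".join(walled))
    print("issues:", issues or "none")
```

Run it against a real export (for example the output of `show firewall policy`, `show firewall address` and `show firewall addrgrp` concatenated) after each change to the walled garden; the returned list is the set of destinations an unauthenticated client can reach, which should contain nothing beyond the portal and the social-login domains you intend.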

 

Web sites/domain list for Social Login

To configure a walled garden for a social network, create an access rule for the application in the access policy. For this example, create an access rule whose criteria match the domain name of the corresponding social web site. Depending on the customer's location, different domains and sub-domains need to be added to the access rule.

You can learn more about that by reading the following articles:

Entering the device into the Volare platform

For Fortinet devices, the Volare platform requires only the MAC address; the Identifier field is not required.

 

Parameters for the Solution

Add the RADIUS server

Configure the RADIUS server

  • Name: myRadius
  • Primary Server IP/Name: 54.247.117.188
  • Primary Server Secret: (it will be communicated by Cloud4Wi)
  • Secondary Server IP/Name: 79.125.111.180
  • Secondary Server Secret: (it will be communicated by Cloud4Wi)

Define a firewall user group and link it to the RADIUS server

  • Name: extRadius
  • Type: Firewall
  • Groups: myRadius

 

Enable HTTPS authentication

Run the following commands in the CLI Console to enable HTTPS authentication:

config user settings
set auth-secure-http enable
end

 

Create the WiFi network

Create new interface

  • Interface Name: APSSID
  • Type: WiFi SSID
  • Traffic Mode: Tunnel to Wireless Controller
  • IP/Network Mask: 192.168.20.1 / 255.255.255.0
  • Restrict Access: RADIUS Accounting

WiFi Settings

  • SSID: C4W-Fortinet
  • Security Mode: Captive Portal
  • Portal Type: Authentication
  • Authentication Portal (External enabled): splashportal.cloud4wi.com
  • User Groups: extRadius
  • Redirect after Captive Portal (Specific URL enabled): https://splashportal.cloud4wi.com

 

Create policies for captive portal and unauthenticated users

Captive portal address

  • Name: ecp
  • Type: IP/Netmask
  • Subnet / IP Range: 54.247.177.188
  • Interface: wan1

Unauthenticated users policy

  • Name: Unauth-Users
  • Incoming Interface: C4W-Fortinet (APSSID)
  • Outgoing Interface: wan1
  • Source: all
  • Destination Address: ecp
  • Schedule: always
  • Service: ALL
  • Action: ACCEPT

Enable bypass of the captive portal (by CLI)

config firewall policy
edit <policy_id>
set captive-portal-exempt enable
end

 

Create the Internet access security policy

Address object for the SSID network created previously.

  • Name: fortinet-C4W-net
  • Type: IP/Netmask
  • Subnet / IP Range: 192.168.20.0 / 255.255.255.0
  • Interface: any

Policy to allow authenticated users to access the Internet

  • Name: Auth_Users
  • Incoming Interface: C4W-Fortinet(APSSID)
  • Outgoing Interface: wan1
  • Source: fortinet-C4W-net, extRadius
  • Destination Address: all
  • Schedule: always
  • Service: ALL
  • Action: ACCEPT

 

Connect and authorize the FortiAP

Configure APs Profile

  • Role: LAN
  • Admin Access: HTTPS, HTTP, FMG-Access, CAPWAP, SSH, RADIUS Accounting
  • DHCP Server: enabled
  • Starting IP: 192.168.1.100
  • End IP: 192.168.1.254
  • Netmask: 255.255.255.0

Enable the radio and associate it with an SSID

  • Radio Mode: Access Point
  • Select SSIDs: C4W-Fortinet

 

Enter policy to enable Social Login (LinkedIn Login)

LinkedIn Login (Group Address)

  • Name: Linkedin Login
  • Members: api.linkedin.com, licdn.com, linkedin.com, static.licdn.com