Purpose
This guide shows how to configure a Fortinet FortiGate running FortiOS v5.6 or above for use with Cloud4Wi.
Please note that the images in this article may show outdated configuration data. Always check the values in the section "Parameters for the Solution" at the bottom of the page, which are kept up to date.
Prerequisites
The configuration procedure has been performed and tested on a Fortinet FortiWiFi 60D Access Controller running firmware FGT_60D-v5-build1117 and an Access Point FAP-221B running firmware FAP_221B-v5-build0354.
FortiWiFi and FortiGate configuration are the same.
This guide applies to the Access Controllers, Access Points and firmware versions mentioned above. Later firmware versions should also work.
Other configurations have not been tested yet, and we currently don't know whether Cloud4Wi supports them.
Before integrating the controller with Cloud4Wi, make sure that the FortiGate is connected to the Internet and reachable on the network.
Logging in to the Access Controller
By default, the Access Controller has the IP address 192.168.1.99.
You can manage and configure the FortiGate over SSH or by opening http://192.168.1.99 in a web browser and logging in as the admin user, which has no password by default. Set an admin password (System > Administrators) before connecting the unit to any network you do not fully control, and prefer https://192.168.1.99 so that the credentials are not sent in clear text.
Adding the RADIUS server
You can use the following CLI script. The shared secrets are hidden here; when you type the script yourself, enter each secret in plain text (for example set secret MySecret). The ENC prefix only appears in configuration backups, where the secret is already stored in encrypted form. The script names the server "RADIUS_CLOUD4WI", while the GUI steps and the parameter summary at the bottom of the page call the same object "myRadius"; use one name consistently, because the user group created below must reference it.
config user radius
    edit "RADIUS_CLOUD4WI"
        set server "54.247.117.188"
        set secret ENC <SHARED SECRET HIDDEN HERE>
        set radius-coa enable
        set acct-all-servers enable
        set secondary-server "79.125.111.180"
        set secondary-secret ENC <SHARED SECRET HIDDEN HERE>
        config accounting-server
            edit 1
                set status enable
                set server "54.247.117.188"
                set secret ENC <SHARED SECRET HIDDEN HERE>
            next
            edit 2
                set status enable
                set server "79.125.111.180"
                set secret ENC <SHARED SECRET HIDDEN HERE>
            next
        end
    next
end
Then, go to User & Device > User > User Groups.
Define a firewall user group with the RADIUS server as its only member. Click the Create New button, enter a Name for the group (e.g. "extRadius"), and select Firewall as the Type.
Under Remote groups click Create New and under Remote Server choose the RADIUS server created previously ("myRadius" in the example). Click OK to save.
Enable HTTPS authentication
Go to Dashboard. Use the CLI console to enable HTTPS for captive portal authentication, so that user credentials are not sent in clear text. (RADIUS Accounting is enabled per interface in the next step, through the Restrict Access setting of the SSID interface.)
Launch the following commands:
config user setting
    set auth-secure-http enable
end
The FortiGate presents the certificate selected by auth-cert in the same config block, by default a Fortinet self-signed certificate, so clients will see a browser warning on the redirect unless you install a certificate issued by a CA they trust.
Create the WiFi network
Go to WiFi Controller > WiFi Network > SSID to create the WiFi SSID.
Enter the following:
- Interface Name: APSSID
- Type: WiFi SSID
- Traffic Mode: Tunnel to Wireless Controller
- IP/Network Mask: 192.168.20.1 / 255.255.255.0
- Restrict Access: RADIUS Accounting
Configure external captive portal security.
- SSID: C4W-Fortinet (or whatever you wish)
- Security Mode: Captive Portal
- Portal Type: Authentication
- Authentication Portal: External splashportal.cloud4wi.com (Do not include “http://” or “https://” in the captive portal URL.)
- User Groups: extRadius
- Redirect after Captive Portal (Specific URL enabled): https://splashportal.cloud4wi.com
Click OK to save.
Create policies for the captive portal and unauthenticated users
Go to Policy & Objects > Addresses.
Create an address for the captive portal. Check the IP address with Cloud4Wi before entering it: it must be the current address of splashportal.cloud4wi.com, and it is not necessarily the same as the RADIUS server address used above.
- Name: ecp
- Type: IP/Netmask
- Subnet / IP Range: 54.247.177.188
- Interface: wan1 (your WAN connection)
Click OK to save.
Go to Policy & Objects > Policy > IPv4. Create a security policy for unauthenticated users that allows access only to the captive portal.
- Name: Unauth-Users
- Incoming Interface: C4W-Fortinet (APSSID)
- Outgoing Interface: wan1 (your WAN connection)
- Source: all
- Destination Address: ecp
- Schedule: always
- Service: ALL
- Action: ACCEPT
- Enable this policy: Enabled
Click OK.
In the CLI Console, enable captive portal bypass on this policy so that an unauthenticated user can make the initial contact with the external portal.
Launch the following commands:
config firewall policy
    edit <policy_id>
        set captive-portal-exempt enable
    next
end
Obtain <policy_id> from the ID column of the policy list (Policy & Objects > Policy > IPv4). Keep this policy above the Auth_Users policy created in the next step: policies are matched top-down, and if Auth_Users came first it would match the unauthenticated client's traffic and trigger authentication, so the exempt policy would never be reached.
Create your Internet access security policy
Go to Policy & Objects > Addresses.
Create an address object for the subnet of the SSID created previously.
- Name: fortinet-C4W-net
- Type: IP/Netmask
- Subnet / IP Range: 192.168.20.0 / 255.255.255.0
- Interface: any
Click OK to save.
Go to Policy & Objects > Policy > IPv4. Create a policy to allow authenticated users access to the Internet.
- Name: Auth_Users
- Incoming Interface: C4W-Fortinet (APSSID)
- Outgoing Interface: wan1
- Source: fortinet-C4W-net, extRadius (the user group, so that only users authenticated through the RADIUS server match this policy)
- Destination Address: all
- Schedule: always
- Service: ALL
- Action: ACCEPT
Leave the other parameters at their defaults.
Click OK to save.
Connect and authorize the FortiAP
Go to System > Network > Interface. Edit an unused interface and make it Dedicated to Extension Device, with the following settings:
- Physical Interface Members: AP iface
- Role: LAN
- Admin Access: HTTPS, HTTP, FMG-Access, CAPWAP, SSH, RADIUS Accounting
- DHCP Server: enabled
- Starting IP: 192.168.1.100
- End IP: 192.168.1.254
- Netmask: 255.255.255.0
Click OK to save. CAPWAP is the access type the FortiAP actually needs on this interface; the other entries are management access for the FortiGate itself and can be left disabled on a port that only serves access points.
Connect the FortiAP to this interface and apply power. Go to WiFi Controller > Managed Devices > Managed FortiAPs, then select and authorize the FortiAP.
Go to WiFi Controller > WiFi Network > FortiAP Profiles. Edit the default profile for your FortiAP model. Enable your SSID for each radio.
- Radio Mode: Access Point
- Select SSIDs: C4W-Fortinet
Click OK to save.
Enter your policy to enable Social Login
To enable Social Login, you must configure rules on the controller that open some specific domains in the walled garden. This guide uses LinkedIn Login as the example.
For the complete list of websites/domains, see the Walled garden section below and the article it links for Social Login.
Go to Policy & Objects > Objects > Addresses. Create an FQDN address for each domain the social login needs, starting with:
- Name: api.linkedin.com
- Type: FQDN
- FQDN: api.linkedin.com
- Interface: any
Click OK to save, then repeat for licdn.com, linkedin.com and static.licdn.com.
Group the addresses you just created in a new Address Group.
- Name: Linkedin Login
- Members: api.linkedin.com, licdn.com, linkedin.com, static.licdn.com
Click OK to save.
Go to Policy & Objects > Policy > IPv4.
Edit the Unauth-Users policy created previously and add the LinkedIn address group.
- Destination Address: ecp, Linkedin Login
Click OK to save.
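The steps from "Adding the RADIUS server" through the LinkedIn walled garden, collected into one FortiOS CLI script. This is an added example, not a script from this guide or from Cloud4Wi. It assumes the object names used above (myRadius, extRadius, APSSID, ecp, fortinet-C4W-net, Linkedin Login), that wan1 is the Internet-facing interface, that policy IDs 10 and 11 are free (change them if not), and that source NAT is needed on the WAN policies, which the guide leaves at the GUI default. Replace the two <...> secrets with the values Cloud4Wi provides; the placeholders will not parse as written.

```text
config user radius
    edit "myRadius"
        set server "54.247.117.188"
        set secret <primary-secret>
        set secondary-server "79.125.111.180"
        set secondary-secret <secondary-secret>
        set radius-coa enable
        set acct-all-servers enable
        config accounting-server
            edit 1
                set status enable
                set server "54.247.117.188"
                set secret <primary-secret>
            next
            edit 2
                set status enable
                set server "79.125.111.180"
                set secret <secondary-secret>
            next
        end
    next
end
config user group
    edit "extRadius"
        set member "myRadius"
    next
end
config user setting
    set auth-secure-http enable
end
config wireless-controller vap
    edit "APSSID"
        set ssid "C4W-Fortinet"
        set security captive-portal
        set portal-type auth
        set external-web "splashportal.cloud4wi.com"
        set selected-usergroups "extRadius"
        set security-redirect-url "https://splashportal.cloud4wi.com"
    next
end
config system interface
    edit "APSSID"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping radius-acct
    next
end
config firewall address
    edit "ecp"
        set subnet 54.247.177.188 255.255.255.255
    next
    edit "fortinet-C4W-net"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "api.linkedin.com"
        set type fqdn
        set fqdn "api.linkedin.com"
    next
    edit "licdn.com"
        set type fqdn
        set fqdn "licdn.com"
    next
    edit "linkedin.com"
        set type fqdn
        set fqdn "linkedin.com"
    next
    edit "static.licdn.com"
        set type fqdn
        set fqdn "static.licdn.com"
    next
end
config firewall addrgrp
    edit "Linkedin Login"
        set member "api.linkedin.com" "licdn.com" "linkedin.com" "static.licdn.com"
    next
end
config firewall policy
    edit 10
        set name "Unauth-Users"
        set srcintf "APSSID"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "ecp" "Linkedin Login"
        set action accept
        set schedule "always"
        set service "ALL"
        set captive-portal-exempt enable
        set nat enable
    next
    edit 11
        set name "Auth_Users"
        set srcintf "APSSID"
        set dstintf "wan1"
        set srcaddr "fortinet-C4W-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "extRadius"
        set nat enable
    next
end
```

Policy 10 is created before policy 11, so it sits above it in the sequence; if you insert the policies in a different order, move Unauth-Users above Auth_Users afterwards, otherwise unauthenticated clients hit the authentication policy first and never reach the exempt one. The AP-facing interface and the FortiAP profile are left to the GUI steps that follow.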
Walled garden
Following the example above, you can create specific access rules that allow unauthenticated users to reach specific domains.
When configuring the walled garden, you must add the domain cloud4wi.com. This allows proper redirection to the Splash Page and access to the CDN.
Traffic matches an FQDN address only for the IP addresses the FortiGate has itself resolved and cached. CDN-backed names such as licdn.com can resolve to different addresses for different resolvers, so if a login page fails to load for unauthenticated users, compare the address the client resolved with the FortiGate's cached entries (diagnose firewall fqdn list) and consider handing out the FortiGate as DNS server on the SSID so both sides resolve the same way.
For some specific use cases, you may be interested in the following articles:
- Walled garden for the Social Login (websites/domains to open)
- Walled garden for PayPal feature (websites/domains to open)
Entering the device details into the Admin Panel
For Fortinet devices, Cloud4Wi requires only the MAC address; the Identifier field is not required.
Parameters for the Solution
Add the radius server
Configure the radius server
- Name: myRadius
- Primary Server IP/Name: 54.247.117.188
- Primary Server Secret: (it will be communicated by Cloud4Wi)
- Secondary Server IP/Name: 79.125.111.180
- Secondary Server Secret: (it will be communicated by Cloud4Wi)
Define a firewall user group and link to radius
- Name: extRadius
- Type: Firewall
- Groups: myRadius
Enable HTTPS authentication
Execute the following commands in the CLI Console to enable HTTPS authentication
config user setting
    set auth-secure-http enable
end
Create the WiFi network
Create a new interface
- Interface Name: APSSID
- Type: WiFi SSID
- Traffic Mode: Tunnel to Wireless Controller
- IP/Network Mask: 192.168.20.1 / 255.255.255.0
- Restrict Access: RADIUS Accounting
WiFi Settings
- SSID: C4W-Fortinet
- Security Mode: Captive Portal
- Portal Type: Authentication
- Authentication Portal (External enabled): splashportal.cloud4wi.com
- User Groups: extRadius
- Redirect after Captive Portal (Specific URL enabled): https://splashportal.cloud4wi.com
Create policies for captive portal and unauthenticated users
Captive portal address
- Name: ecp
- Type: IP/Netmask
- Subnet / IP Range: 54.247.177.188
- Interface: wan1
Unauthenticated users policy
- Name: Unauth-Users
- Incoming Interface: C4W-Fortinet (APSSID)
- Outgoing Interface: wan1
- Source: all
- Destination Address: ecp
- Schedule: always
- Service: ALL
- Action: ACCEPT
Enable bypass of the captive portal (by CLI)
config firewall policy
    edit <policy_id>
        set captive-portal-exempt enable
    next
end
Create your Internet access security policy
Address for the SSID network created previously.
- Name: fortinet-C4W-net
- Type: IP/Netmask
- Subnet / IP Range: 192.168.20.0 / 255.255.255.0
- Interface: any
Policy to allow authenticated users to go to the Internet
- Name: Auth_Users
- Incoming Interface: C4W-Fortinet (APSSID)
- Outgoing Interface: wan1
- Source: fortinet-C4W-net, extRadius (user group)
- Destination Address: all
- Schedule: always
- Service: ALL
- Action: ACCEPT
Connect and authorize the FortiAP
Configure the AP-facing interface (Dedicated to Extension Device)
- Role: LAN
- Admin Access: HTTPS, HTTP, FMG-Access, CAPWAP, SSH, RADIUS Accounting
- DHCP Server: enabled
- Starting IP: 192.168.1.100
- End IP: 192.168.1.254
- Netmask: 255.255.255.0
Enable Radio and associate to an SSID
- Radio Mode: Access Point
- Select SSIDs: C4W-Fortinet
Enter policy to enable Social Login (LinkedIn Login)
LinkedIn Login (Address Group)
- Name: Linkedin Login
- Members: api.linkedin.com, licdn.com, linkedin.com, static.licdn.com