This guide shows how to configure Cloud4Wi on FortiGate (physical or VLAN interface) if you have Access Points from another WiFi vendor or if you want to enable Captive Portal also for wired users.
To ensure a proper user experience (no browser certificate warnings when users are redirected to the portal), you have to upload a trusted, valid certificate into the FortiGate.
Create the Cloud4Wi RADIUS Servers
Go to your FortiGate administration interface.
Go to User & Device → RADIUS Servers → Create New:
- Name: Cloud4Wi_Radius_Srv
- Authentication Method: Default
- IP/Name: 54.247.117.188
- Secondary IP/Name: 79.125.111.180
- Secret: communicated by Cloud4Wi
- Click Save
Go to User & Device → User Groups → Create New:
- Name: Cloud4wi_Radius_group
- Type: Firewall
- Remote Groups: Add Cloud4Wi_Radius_Srv
- Click Save
Enable Captive Portal in FortiGate interface
If you want to enable the Captive Portal for your wireless and/or wired users and you don’t have FortiAP you can enable the Captive Portal directly on a physical interface.
Note: Because the captive portal feature is enabled for all the traffic of a specific interface, we recommend having a dedicated interface (physical or VLAN) for the Guest network.
Go to Network → Interfaces and edit the Guest interface.
Then go to the Network Section of the interface and enable Security Mode:
- Security Mode: Captive Portal
- Authentication Portal: External
- Set Accounting and HTTPS
- URL: https://splashportal.cloud4wi.com/
- User Access: Restricted to Groups: Cloud4wi_Radius_group
- Exempt Destinations: Create a FQDN Object for *.cloud4wi.com
- Redirect After Captive Portal: https://splashportal.cloud4wi.com/
- Click Save
Configure the security policy
To finalize the configuration, you have to create security rules to allow unauthenticated users to access the Captive Portal.
Go to Policy & Objects → IPv4 Policy and create the below rules in the same order:
Rules for unauthenticated users:

| Name | Source | Destination | Service | NAT | Action |
|---|---|---|---|---|---|
| DNS | Guest Interface | DNS Services | DNS | TBD | Accept |
| Walled Garden | Guest Interface | FQDN_Cloud4Wi | HTTPS* | Yes | Accept |
RADIUS authentication and accounting use UDP ports 1812 and 1813, so this traffic must be allowed between the FortiGate and the Cloud4Wi RADIUS servers.
Once these rules are created, right-click each rule, select "Edit in CLI" and paste the following commands, so that traffic matching these rules is exempted from Captive Portal authentication (unauthenticated clients need DNS and the splash portal before they can log in):

```
set captive-portal-exempt enable
end
```
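The CLI equivalent of the interface and exempt-policy steps above, added here as an example and not taken from the Cloud4Wi guide. The interface names "guest" and "wan1", the use of "all" as the DNS destination (the guide uses a "DNS Services" object and leaves NAT undecided) and the wildcard FQDN syntax (which differs between FortiOS versions) are assumptions; the URL, group and object names are the ones the guide uses.

```fortios
# Added example, not part of the Cloud4Wi guide. Interface names "guest"
# and "wan1" and the policy order are assumptions.

# Walled-garden address object used as the exempt destination
config firewall address
    edit "FQDN_Cloud4Wi"
        set type fqdn
        set fqdn "*.cloud4wi.com"
    next
end

# Captive portal on the dedicated guest interface (external portal)
config system interface
    edit "guest"
        set security-mode captive-portal
        set security-external-web "https://splashportal.cloud4wi.com/"
        set security-groups "Cloud4wi_Radius_group"
        set security-redirect-url "https://splashportal.cloud4wi.com/"
    next
end

# Exempt policies: keep them narrow (DNS and *.cloud4wi.com only), since
# anything matched here is reachable without portal authentication.
config firewall policy
    edit 0
        set name "DNS"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set captive-portal-exempt enable
    next
    edit 0
        set name "Walled Garden"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "FQDN_Cloud4Wi"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set captive-portal-exempt enable
    next
end
```

After applying it, confirm the exempt policies sit above the authenticated-user rules in the policy list, since FortiGate evaluates policies top-down.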
Rules for authenticated users:

| Name | Source | Destination | Service | NAT | Action |
|---|---|---|---|---|---|
| Allow-Guest | Guest Interface | Outside interface | ALL | Yes | Accept |
| Guest-Deny-All (Optional*) | Guest Interface | RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | ALL | No | Deny |
*The explicit deny rule is optional if your FortiGate Implicit Rule is already configured to deny all the traffic.
It may also be necessary to enable RADIUS accounting from the CLI, using the following commands:

```
config user radius
    # Use the name of the RADIUS server object created in the GUI above;
    # editing a different name would create a second object that the
    # user group does not reference.
    edit "Cloud4Wi_Radius_Srv"
        set server "54.247.117.188"
        set secret <secret communicated by Cloud4Wi>
        # Accept RADIUS CoA/Disconnect messages from Cloud4Wi
        set radius-coa enable
        # Send accounting to every configured accounting server
        set acct-all-servers enable
        set secondary-server "79.125.111.180"
        set secondary-secret <secret communicated by Cloud4Wi>
        config accounting-server
            edit 1
                set status enable
                set server "54.247.117.188"
                set secret <secret communicated by Cloud4Wi>
            next
            edit 2
                set status enable
                set server "79.125.111.180"
                set secret <secret communicated by Cloud4Wi>
            next
        end
    next
end
```
Entering the device detail into the Cloud4Wi Dashboard
Each FortiGate firewall must be added to the Cloud4Wi Dashboard by entering the MAC address of the physical port on which the Captive Portal is configured.