Purpose
This guide shows how to configure a Fortinet Fortigate with FortiOS v5.6 or above.
Please note that the images contained in this article may contain outdated configuration data. Therefore, please check the data contained in the article "Parameters for the Solution" at the bottom of the page, as they are certainly up to date.
Prerequisites
The configuration procedure has been performed and tested on FortiNet FortiWiFi 60D Access Controller running firmware FGT_60D-v5-build1117 and Access Point FAP-221B running firmware FAP_221B-v5-build0354.
FortiWiFi and FortiGate configuration are the same.
This guide will apply to the Access Controllers, Access Points and firmware version mentioned above. Later firmware versions should also work.
Other configurations have not been tested yet and currently, we don’t know if they're supported by Cloud4Wi or not.
Before integrating the controller with Cloud4Wi, please make sure that the FortiGate is connected to the Internet and reachable on the network.
Important: To prevent certificate errors, it is necessary to install a trusted certificate on the controller. You can find the step-by-step instructions for setting up a trusted certificate on FortiGate at the bottom of this guide."
Logging to the Access Controller
By default, the Access Controller has the following IP address: 192.168.1.99.
You can manage and configure the FortiGte by establishing an SSH connection or by opening the following URL: http://192.168.1.99 via a web browser and logging in as the admin user, without any password.
Adding the RADIUS server
You can use the following script (note: the shared secret is hidden here)
config user radius
edit "RADIUS_CLOUD4WI"
set server "54.216.93.188"
set secret ENC <SHARED SECRET HIDDEN HERE>
set radius-coa enable
set acct-all-servers enable
set secondary-server "34.249.131.154"
set secondary-secret ENC <SHARED SECRET HIDDEN HERE>
config accounting-server
edit 1
set status enable
set server "54.216.93.188"
set secret ENC <SHARED SECRET HIDDEN HERE>
edit 2
set status enable
set server "34.249.131.154"
set secret ENC <SHARED SECRET HIDDEN HERE>
next
end
next
end
Then, go to User & Device > User > User Groups.
Define a firewall user group with the RADIUS server as its only member. Click Create New button, enter a Name for the rule (e.g. "extRadius"), and select Firewall as Type option.
Under Remote groups click Create New and under Remote Server choose the radius server previously created ("myRadius" in the example). Click OK to Save.
Enable HTTPS authentication and Radius Accounting
Go to Dashboard. Use the CLI console to enable HTTPS for authentication, so that user credentials are communicated securely.
Launch the following commands:
config user settings
set auth-secure-http enable
end
Create the WiFi network
Go to WiFi Controller > WiFi Network > SSID to create the WiFi SSID.
Enter the following:
- Interface Name: APSSID
- Type: WiFi SSID
- Traffic Mode: Tunnel to Wireless Controller
- IP/Network Mask: 192.168.20.1 / 255.255.255.0
- Restrict Access: RADIUS Accounting
Configure external captive portal security.
- SSID: C4W-Fortinet (or whatever you whish)
- Security Mode: Captive Portal
- Portal Type: Authentication
- Authentication Portal: External splashportal.cloud4wi.com (Do not include “http://” or “https://” in the captive portal URL.)
- User Groups: extRadius
- Redirect after Captive Portal (Specific URL enabled): https://splashportal.cloud4wi.com
Click OK to save.
Create policies for the captive portal and unauthenticated users
Go to Policy & Objects > Addresses.
Create an address for the captive portal.
- Name: ecp
- Type: IP/Netmask
- Subnet / IP Range: 54.247.177.188
- Interface: wan1 (your WAN connection)
Click OK to save.
Go to Policy & Objects > Policy > IPv4. Create a security policy for unauthenticated users that allows access only to the captive portal.
- Name: Unauth-Users
- Incoming Interface: C4W-Fortinet (APSSID)
- Outgoing Interface: wan1 (your WAN connection)
- Source: all
- Destination Address: ecp
- Schedule: always
- Service: ALL
- Action: ACCEPT
- Enable this policy: Enabled
Click OK.
In the CLI Console, enable bypass of the captive portal so that the user can make the initial contact with the external server.
Launch the following commands:
config firewall policy
edit <policy_id>
set captive-portal-exempt enable
endObtain <policy_id> from ID column of the policy list (Policy & Objects > Policy > IPv4).
Create your Internet access security policy
Go to Policy & Objects > Policy > Addresses.
Create a policy for the SSID created previously.
Name: fortinet-C4W-net
Type: IP/Netmask
Subnet / IP Range: 192.168.20.0 / 255.255.255.0
Interface: any
Click OK to save.
Go to Policy & Objects > Policy > IPv4. Create a policy to allow authenticated users access to the Internet.
- Name: Auth_Users
- Incoming Interface: C4W-Fortinet
- Outgoing Interface: wan1
-
Source: fortinet-C4W-net
extRadius - Destination Address: all
- Schedule: always
- Service: ALL
- Action: ACCEPT
Leave others parameters as default.
Click OK to save.
Connect and authorize the FortiAP
Go to System > Network > Interface. Edit an unused interface, making it Dedicated to Extension Device. Connect the FortiAP to this interface and apply power. Go to WiFi Controller > Managed Devices > Managed FortiAPs.
Select and authorize the FortiAP.
- Physical Interface Members: AP iface
- Role: LAN
- Admin Access: HTTPS, HTTP, FMG-Access, CAPWAP, SSH, RADIUS Accounting
- DHCP Server: enabled
- Starting IP: 192.168.1.100
- End IP: 192.168.1.254
- Netmask: 255.255.255.0
Click OK to save.
Go to WiFi Controller > WiFi Network > FortiAP Profiles. Edit the default profile for your FortiAP model. Enable your SSID for each radio.
- Radio Mode: Access Point
- Select SSIDs: C4W-Fortinet
Click OK to save.
Enter your policy to enable Social Login
To enable the Social Login it’s mandatory to configure some rules, on the Controller, to open some specific domain on the walled garden. In this guide will enable LinkedIn Login to give you an example.
For the complete list of the websites/domain please check the next paragraph (Websites/domain list for social login).
Go to Policy & Objects > Objects > Addresses. Create an address for social login.
- Name: api.linkedin.com
- Type: FQDN
- FQDN: api.linkedin.com
- Interface: any
Click OK to save.
To group address previously created, add a new Address Group.
- Name: Linkedin Login
-
Members: api.linkedin.com,
licdn.com,
linkedin.com
static.licdn.com
Click OK to save.
Go to Policy & Objects > Policy > IPv4.
Edit the Unauth-Users Policy previously created and add Linkedin Address Group.
- Destination Address: ecp, Linkedin
Click OK to save.
Walled garden
Based on the example above, you can create specific access-rules in order to allow unauthenticated users to enter specific domains.
When configuring the walled garden, you are required to add the following domain: cloud4wi.com. This allows you a proper redirection to the Splash Page and enables the access to the CDN.
For some specific use cases, you may be interested in the following articles:
- Walled garden for the Social Login (websites/domains to open)
-
Walled garden for PayPal feature (websites/domains to open)
Entering the device details into the Admin Panel
For Fortinet devices, Cloud4Wi requires only the MAC address and the Identifier field is not required.
Parameters for the Solution
Intro to WiFi network configuration
Define a firewall user group and link to radius
- Name: extRadius
- Type: Firewall
- Groups: myRadius
Enable HTTPS authentication
Execute the following commands by CLI Console to enable HTTPS Authentication
config user settings
set auth-secure-http enable
end
Create the WiFi network
Create a new interface
- Interface Name: APSSID
- Type: WiFi SSID
- Traffic Mode: Tunnel to Wireless Controller
- IP/Network Mask: 192.168.20.1 / 255.255.255.0
- Restrict Access: RADIUS Accounting
WiFi Settings
- SSID: C4W-Fortinet
- Security Mode: Captive Portal
- Portal Type: Authentication
- Authentication Portal (External enabled): splashportal.cloud4wi.com
- User Groups: extRadius
- Redirect after Captive Portal (Specific URL enabled): https://splashportal.cloud4wi.com
Create policies for captive portal and unauthenticated users
Captive portal policy
- Name: ecp
- Type: IP/Netmask
- Subnet / IP Range: 54.247.177.188
- Interface: wan1
Unauthenticated users policy
- Name: Unauth-Users
- Incoming Interface: C4W-Fortinet (APSSID)
- Outgoing Interface: wan1
- Source: all
- Destination Address: ecp
- Schedule: always
- Service: ALL
- Action: ACCEPT
Enable bypass of the captive portal (by CLI)
config firewall policy
edit <policy_id>
set captive-portal-exempt enable
end
Create your Internet access security policy
Policy for SSID network created previously.
- Name: fortinet-C4W-net
- Type: IP/Netmask
- Subnet / IP Range: 192.168.20.0 / 255.255.255.0
- Interface: any
Policy to allow authenticated users to go to the Internet
- Name: Auth_Users
- Incoming Interface: C4W-Fortinet(APSSID)
- Outgoing Interface: wan1
-
Source: fortinet-C4W-net
extRadius - Destination Address: all
- Schedule: always
- Service: ALL
- Action: ACCEPT
Connect and authorize the FortiAP
Configure APs Profile
- Role: LAN
- Admin Access: HTTPS, HTTP, FMG-Access, CAPWAP, SSH, RADIUS Accounting
- DHCP Server: enabled
- Starting IP: 192.168.1.100
- End IP: 192.168.1.254
- Netmask: 255.255.255.0
Enable Radio and associate to an SSID
- Radio Mode: Access Point
- Select SSIDs: C4W-Fortinet
Enter policy to enable Social Login (LinkedIn Login)
LinkedIn Login (Group Address)
- Name: Linkedin Login
- Members: api.linkedin.com,
licdn.com,
linkedin.com
static.licdn.com
How to install a custom Certificate SSL on your FortiGate firewall to avoid HTTPS warnings
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Your Guest SSID/Subnet should already be configured to apply the following procedure.
- A dedicated SSL certificate has to be issued
1. Install the public certificate
Go to System > Certificate > Create/Import > Certificate > Import Certificate > Certificate:
- Add the certificate file
- Add the private key file
- Provide a password to protect your certificate (for instance: cloud4wi)
- Provide a Name for this object
Then select this certificate and click Apply.
Please note that you need to also import the intermediate certificate(s).
Go to System > Certificate > Create/Import > CA Certificate and add the certificate file
Then click on "OK"
2. Enable HTTPS Redirection
Connect to the Fortigate GUI, open the CLI console and run the following commands:
config user setting
set auth-secure-http enable
set auth-cert "your certificate_name"
end
3. Configure an FQDN for your FortiGate
Connect to the Fortigate GUI > Policy & Objects > Addresses > Create New Address
- Name
- Interface: any
- Type: FQDN
- FQDN (for instance guest.cloud4wi.com)
This will result in the guest user being redirected to this FQDN instead of the Fortigate IP Address.
This also implies that you must provide/purchase a public certificate for this FQDN to avoid a certificate warning on the guest’s device.
Then, connect to the Fortigate GUI, open the CLI console and run the following commands:
config firewall auth-portal
set portal-addr "your_fqdn"
end
Then, go to "User & Authentication > Authentication Settings"
- Captive portal type: FQDN
- Captive portal (Enabled): select your FQDN
- Authenticated timeout: 5 minutes
- Protocol support: HTTP, HTTPS
- HTTP redirect: Enabled
- Certificate: select the certificate imported in Step 1
4. Local DNS Record
Go to Network > DNS Servers to configure the DNS database server with static DNS entries.
You may need to activate the feature in:
System > Feature Visibility > Additional Features > DNS Database.
First, create DNS Service on Interface
- Interface: interface where the guest users will be connecting
- Mode: Recursive
Then, create a DNS Database
DNZ Zone
- DNS Zone: name one your Zone
- Domaine name: domain of FQDN configured in Step 3 : Configure an FQDN for your FortiGate
- Hostname of Primary DNS: dns
Within this DNS database, create the DNS static entry as shown below
- Type: Address (A)
- Hostname (for instance guest.cloud4wi.com)
- IP Address: IP of internal interface where the guest users will be connecting
Save the settings in DNS
The next step is to edit your DHCP configuration on the Guest interface. You can choose between the IP address of your interface or specify a public IP address
The users behind this Guest SSID will get IP from this DHCP range and will be able to resolve the static DNS entry in the DNS database as below.
For instance:
nslookup guest.cloud4wi.com
Server: Unknown
Address: 192.168.28.1