This guide shows how to configure Cloud4Wi on FortiGate (physical or VLAN interface) if you have Access Points from another WiFi vendor or if you want to enable Captive Portal also for wired users.
To ensure a proper user experience, you have to upload a trusted valid certificate into the controller.
Create the Cloud4Wi RADIUS Servers
Go to your FortiGate administration interface.
Go to User & Device → RADIUS Servers → Create New :
-
- Name: Cloud4Wi_Radius_Srv
- Authentication Method: Default
- IP/Name: 54.216.93.188
- Secondary IP Radius IP: 34.249.131.154
- Ports: Custom Port (Check Dashboard)
- Secret: Custom Secret (Check Dashboard)
- Click Save
Go to User & Device → User Groups → Create New:
-
- Name: Cloud4wi_Radius_group
- Type: Firewall
- Remote Groups: Add Cloud4Wi_Radius_Srv
- Click Save
Enable Captive Portal in FortiGate interface
If you want to enable the Captive Portal for your wireless and/or wired users and you don’t have FortiAP you can enable the Captive Portal directly on a physical interface.
Note: Because the captive portal feature is enabled for all the traffic of a specific interface, we recommend having a dedicated interface (physical or VLAN) for the Guest network.
Go to Networks → Interfaces → Edit the Guest interface.
Then go to the Network Section of the interface and enable Security Mode:
-
- Security Mode: Captive Portal
- Authentication Portal: External
- Set Accounting and HTTPS
- URL: https://splashportal.cloud4wi.com/
- User Access: Restricted to Groups: Cloud4wi_Radius_group
- Exempt Destinations: Create a FQDN Object for *.cloud4wi.com
- Redirect After Captive Portal: https://splashportal.cloud4wi.com/
- Click Save
Configure the security policy
To finalize the configuration, you have to create security rules to allow unauthenticated users to access the Captive Portal.
Go to Policy & Objects → IPv4 Policy and create the below rules in the same order:
Rules for unauthenticated users:
| Name | Source | Destination | Service | NAT | Action |
|---|---|---|---|---|---|
| DNS | Guest Interface | DNS Services | DNS | TBD | Accept |
| Walled Garden | Guest Interface | FQDN_Cloud4Wi | HTTPS* | Yes | Accept |
It is necessary to enable UDP traffic for ports 1812 and 1813.
Once these rules are created, right click on each rule and select “Edit in CLI” and copy/paste the following commands in order to bypass the Captive Portal authentication for the above rules.
set captive-portal-exempt enable
end
Rules for authenticated users:
| Name | Source | Destination | Service | NAT | Action |
| Allow-Guest | Guest Interface | Outside interface | ALL | Yes | Accept |
| Guest-Deny-All (Optional*) | Guest Interface | RFC1918: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 | ALL | No | Deny |
*The explicit deny rule is optional if your FortiGate Implicit Rule is already configured to deny all the traffic.
It could also be necessary to enable RADIUS Accounting via CLI using the following commands:
config user radius
edit "RADIUS_CLOUD4WI"
set server "54.216.93.188"
set secret Custom Port (Check Dashboard)
set radius-coa enable
set acct-all-servers enable
set secondary-server "34.249.131.154"
set secondary-secret Custom Port (Check Dashboard)
config accounting-server
edit 1
set status enable
set server "54.216.93.188"
set secret Custom Port (Check Dashboard)
next
edit 2
set status enable
set server "34.249.131.154"
set secret Custom Port (Check Dashboard)
next
end
next
end
Parameters for the Solution
Intro to WiFi network configuration
Entering the device detail into the Cloud4Wi Dashboard
Each Fortigate Firewall must be added to the Cloud4Wi Dashboard by entering the MAC Address of the physical port where the Captive Portal is configured.
How to install a custom Certificate SSL on your FortiGate firewall to avoid HTTPS warnings
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Your Guest SSID/Subnet should already be configured to apply the following procedure.
- A dedicated SSL certificate has to be issued
1. Install the public certificate
Go to System > Certificate > Create/Import > Certificate > Import Certificate > Certificate:
- Add the certificate file
- Add the private key file
- Provide a password to protect your certificate (for instance: cloud4wi)
- Provide a Name for this object
Then select this certificate and click Apply.
Please note that you need to also import the intermediate certificate(s).
Go to System > Certificate > Create/Import > CA Certificate and add the certificate file
Then click on "OK"
2. Enable HTTPS Redirection
Connect to the Fortigate GUI, open the CLI console and run the following commands:
config user setting
set auth-secure-http enable
set auth-cert "your certificate_name"
end
3. Configure an FQDN for your FortiGate
Connect to the Fortigate GUI > Policy & Objects > Addresses > Create New Address
- Name
- Interface: any
- Type: FQDN
- FQDN (for instance guest.cloud4wi.com)
This will result in the guest user being redirected to this FQDN instead of the Fortigate IP Address.
This also implies that you must provide/purchase a public certificate for this FQDN to avoid a certificate warning on the guest’s device.
Then, connect to the Fortigate GUI, open the CLI console and run the following commands:
config firewall auth-portal
set portal-addr "your_fqdn"
end
Then, go to "User & Authentication > Authentication Settings"
- Captive portal type: FQDN
- Captive portal (Enabled): select your FQDN
- Authenticated timeout: 5 minutes
- Protocol support: HTTP, HTTPS
- HTTP redirect: Enabled
- Certificate: select the certificate imported in Step 1
4. Local DNS Record
Go to Network > DNS Servers to configure the DNS database server with static DNS entries.
You may need to activate the feature in:
System > Feature Visibility > Additional Features > DNS Database.
First, create DNS Service on Interface
- Interface: interface where the guest users will be connecting
- Mode: Recursive
Then, create a DNS Database
DNZ Zone
- DNS Zone: name one your Zone
- Domaine name: domain of FQDN configured in Step 3 : Configure an FQDN for your FortiGate
- Hostname of Primary DNS: dns
Within this DNS database, create the DNS static entry as shown below
- Type: Address (A)
- Hostname (for instance guest.cloud4wi.com)
- IP Address: IP of internal interface where the guest users will be connecting
Save the settings in DNS
The next step is to edit your DHCP configuration on the Guest interface. You can choose between the IP address of your interface or specify a public IP address
The users behind this Guest SSID will get IP from this DHCP range and will be able to resolve the static DNS entry in the DNS database as below.
For instance:
nslookup guest.cloud4wi.com
Server: Unknown
Address: 192.168.28.1