Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SumaN1
New Contributor

External Captive portal with Forti OS 5.2

Hi Folks,

I am new in this forum and not sure if this is the correct board to post this.

I saw in the FortiOS 5.2 release notes that it supports external captive portals. Has anyone implemented this feature with good success?

Need some suggestion on this.

 

SumaN@boystown

Marcel_Sueess

SumaN@boystown wrote:

OK,

My external captive portal server and authentication server are both external and hosted on the same server, let's say SERVER-1.

So in this scenario the guest will get redirected to the external page [hosted on SERVER-1], and after that the guest will fill in the credential fields to get access, which will be checked against the external server SERVER-1.

So in this case, how will the guest auth request go to SERVER-1, and what will the protocol for that be?

How will the Fortinet come to know that the guest has completed authentication?

 

Hi

Who is checking the credentials in your scenario? Does SERVER-1 test your input against a database? After you have filled in your form, you have to post it back to your FortiGate with the following method, mentioned by Jeff: http://FGTIP:1000/fgtauth&magic=<sessionid>&username=<username>&password=<password>. With this data, the FortiGate checks the credentials against the different authentication sources (RADIUS, local user, ...). If the credentials are correct, the FortiGate authenticates the user (this can be seen on the firewall in the User Monitor), and from then on all policies with the user in them are valid. So the FortiGate knows when the authentication is complete because the FortiGate performs the authentication, not the external portal server. The external server can for example host a RADIUS, but the RADIUS request comes from the FortiGate. So the portal server is only a "GUI" with little logic.

 

I hope this helps a little bit. I have a picture of the data flow between the different devices from Fortinet, but I don't know if I may post it here.

 

Greets

Marcel

Nihas
New Contributor

https://forum.fortinet.com/tm.aspx?m=112063

 

I too asked exactly the same question before.

How does the FortiGate know whether the authentication has been successfully validated?

 

I have done the testing with one of our user portals (it uses a local MS-SQL database).

The first part was perfect. When I opened a new browser page I got the external server page for the authentication.

But even without entering the correct credentials I got access to surf the internet, i.e. the FortiGate doesn't know whether the external portal has successfully validated the credentials or not..!!

 

It would be a great solution if we could successfully integrate the external captive portal.

I can force end users to log in to their "Company Portal" to get authenticated to connect to the network..!

 

Thanks

Nihas

SumaN1
New Contributor

Waiting for someone from Fortinet to reply :)

SumaN1
New Contributor

Thanks Marcel Sueess,

I think I got some idea.

Let me explain my scenario briefly.

 

1. Fortinet is broadcasting one captive SSID.

2. That SSID is linked to an external page which is stored on SERVER-1.

3. Guest credentials are also stored on the same server.

 

So when a guest user connects to the SSID and tries to browse something, that user will be redirected to the external CP page stored on SERVER-1.

After that the guest user has to give credentials on that web page.

In the back end, SERVER-1 listens for the credentials and checks them against its own local database.

If the user passes the authentication, SERVER-1 returns an auth success message to the controller.

If the user does not pass the auth, SERVER-1 returns an auth reject message to the controller.

Based on the message coming from SERVER-1, the Fortinet should make a decision on the user [authenticated / rejected].

 

Marcel_Sueess
New Contributor

Dear Suman

 

In your case the problem is that the external server makes the check of the credentials. In this case the only way I know to get it to work is if the external server sends RADIUS Accounting messages to the FortiGate and the FortiGate listens to these RADIUS Accounting messages. This is known on the FortiGate under the name RSSO (RADIUS Single Sign On). The normal case with the external portal server is that the FortiGate has to make the credential check itself.

I could send you the image with the data flow, or someone from Fortinet could give me the right to post the image from a Fortinet presentation by Eric Moque about "External L3 Captive Portal".

SumaN1
New Contributor

You can upload the flow to Google Drive or Box and share the link with me.

It would be great if you did.

Thanks

yassine
New Contributor II

Hello

I can't access my external captive portal, in my case http://192.168.11.20/auth/register (authentication)..

I have created a policy to allow access from all to this address (192.168.11.20) but it didn't work.

The (exempt list) option is to allow full access for users or addresses, not to allow only access to my FortiAuthenticator without authentication.


jescobar

Hi, I'm configuring a FortiGate 100D with an external captive portal and an external RADIUS server (test connection successful).

 

Currently the users are being redirected to the external captive portal, but I'm having trouble receiving the username and password information back at the FortiGate so it can authenticate them with the RADIUS.

 

I found the information is sent via: https://<FGT_IP>:1000/fgtauth with data magic=session_id&username=<username>&password=<password>. But I can't receive the info.

I have tried to access ports 1000 and 1003 in different ways, and via the browser to the FortiGate, with no connection (https://192.168.1.2:1000/fgtauth or https://192.168.1.2:1003/fgtauth).

 

Does anyone know how to open these ports on the FortiGate or how to debug the connections of the captive portal users? I have already set auth-keepalive enable with no result.

 

Thank you

Marcel_Sueess

Hi

 

I'm also testing with the external captive portal and it is working for me. I didn't open any port on the FortiGate and didn't set any special configuration. On my FortiGate (VM 5.4.4) it is working after I activated the captive portal on an interface. As far as I saw, the initially received magic session id is only valid for one POST request, and a response from the firewall is only sent if the magic id is valid. If you try with an invalid magic id, you won't get any response.

 

Greets

Marcel
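The hand-off Marcel describes in his first reply (the portal renders a form that posts magic, username and password back to the FortiGate's fgtauth endpoint on port 1000, and the FortiGate, not the portal, validates the credentials) and the single-use magic id he notes above, as an added example that is not code from the thread or from Fortinet. The FortiGate side is a stand-in simulator written here to show the observable behaviour the thread reports, not the real implementation. Assumptions: the magic id arrives on the redirect as a query parameter named `magic` (the thread only shows that name on the post-back), `192.0.2.1` is a documentation address for the FortiGate, `portal.example` is a placeholder portal host, and the sample user is constructed. It also shows the portal-side check that explains Nihas's result: if the credential form targets the portal server instead of the FortiGate, the FortiGate never receives a valid POST and cannot know whether anyone authenticated.

```python
# Added example (not Fortinet code): models the external captive portal hand-off.
# The FortiGate redirects the browser to the portal with a one-time "magic" id,
# the portal renders a form whose action is the FortiGate's fgtauth endpoint,
# and the FortiGate validates the credentials and consumes the magic id.
import html
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: documentation address for the FortiGate; port and path are from the thread.
FGT_AUTH_URL = "https://192.0.2.1:1000/fgtauth"


def parse_redirect(url: str) -> str:
    """Extract the magic session id from the redirect the FortiGate sent.

    Assumption: the id is carried as a query parameter named 'magic'.
    """
    params = parse_qs(urlparse(url).query)
    magic = params.get("magic", [""])[0]
    if not magic:
        raise ValueError("redirect carries no magic session id")
    return magic


def render_login_form(magic: str) -> str:
    """Build the portal page. The form posts straight to the FortiGate over HTTPS,
    so the portal server never handles the password; the magic rides in a hidden field."""
    return (
        f'<form method="post" action="{html.escape(FGT_AUTH_URL, quote=True)}">\n'
        f'  <input type="hidden" name="magic" value="{html.escape(magic, quote=True)}">\n'
        '  <input name="username"> <input type="password" name="password">\n'
        '  <button type="submit">Login</button>\n'
        '</form>'
    )


def form_posts_to_fortigate(page: str) -> bool:
    """Portal-side check: the credential form must target the FortiGate's fgtauth
    endpoint, not the portal's own server (the mistake that leaves the FortiGate blind)."""
    match = re.search(r'action="([^"]*)"', page)
    if not match:
        return False
    target = urlparse(html.unescape(match.group(1)))
    expected = urlparse(FGT_AUTH_URL)
    return (target.scheme == "https"
            and target.netloc == expected.netloc
            and target.path == expected.path)


class FortiGateSim:
    """Stand-in for the FortiGate side (simulator, not the real implementation).

    Magic ids are single-use; an unknown or already-used id gets no reply at all,
    matching what the thread reports for invalid ids."""

    def __init__(self, users):
        self._users = dict(users)      # stands in for local users / RADIUS lookups
        self._pending = set()          # magic ids issued but not yet posted back
        self.authenticated = set()     # what the User Monitor would list

    def redirect_url(self, portal_base: str) -> str:
        """Issue a fresh magic id and build the redirect to the external portal."""
        magic = secrets.token_hex(16)
        self._pending.add(magic)
        return f"{portal_base}?{urlencode({'magic': magic})}"

    def fgtauth(self, magic: str, username: str, password: str):
        """Handle the POST to /fgtauth. Returns None (no response) for a bad magic,
        otherwise 'authenticated' or 'rejected' after checking the credentials."""
        if magic not in self._pending:
            return None
        self._pending.discard(magic)   # valid for exactly one POST, success or not
        if self._users.get(username) == password:
            self.authenticated.add(username)
            return "authenticated"
        return "rejected"


def demo():
    """Run one complete exchange and a replay of the same magic id."""
    fgt = FortiGateSim({"guest": "s3cret"})                 # constructed sample user
    redirect = fgt.redirect_url("https://portal.example/login")
    magic = parse_redirect(redirect)
    page = render_login_form(magic)
    if not form_posts_to_fortigate(page):
        raise RuntimeError("portal form does not post to the FortiGate")
    first = fgt.fgtauth(magic, "guest", "s3cret")           # -> 'authenticated'
    replay = fgt.fgtauth(magic, "guest", "s3cret")          # -> None, id already spent
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The simulator also models the failure Nihas hit from the other direction: a form whose action points at SERVER-1 fails `form_posts_to_fortigate`, and a POST that never reaches `fgtauth` leaves `authenticated` empty no matter what the portal decided.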
