Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SumaN1
New Contributor

External Captive portal with Forti OS 5.2

Hi Folks,

I am new in this forum and not sure if this is the correct board to post this.

I saw in FortiOS 5.2 release note, that its support external captive portal. Have any one implement this feature with good success.

Need some suggestion on this.

 

SumaN@boystown

31 REPLIES 31
Jeff_FTNT
Staff
Staff

You may set up your owns portal , here is a examples setting.

-Set up "External Captive Portal" on interface Switch like below

config system interface
edit "switch"
set vdom "vdom1"
set ip 192.168.1.89 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
set security-mode captive-portal
set security-external-web "http://172.18.4.218/portal/index.php"
set security-groups "group_radius"
next
end
config firewall policy
edit 2
set srcintf "switch"
set dstintf "port9"
set srcaddr "all"
set dstaddr "web_ext_addr_switch"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set captive-portal-exempt enable
set nat enable
next
edit 4
set srcintf "switch"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
end
SumaN1

Thanks for your response.

Some question pop up in my heads.

Can i push user role from external authentication server?

what is the least fortiOS version support external captive portal ?

 

Thanks

SumaN

Jeff_FTNT
Staff
Staff

<<<Can i push user role from external authentication server?

Sorry, i did not understand this question.

<<<what is the least fortiOS version support external captive portal ?

v5.2.0 GA /build0589

Marcel_Sueess
New Contributor

Hi

we are also trying to integrate an external captive-portal with a Fortigate 60D 5.2.3, but it doesn't work as expected. Are there any requirements for the external server? When i configure the external captive-portal-server as given in the answer above and try to reach the Internet, I always gets the Fortigate Disclaimer-Page an not the external portal. Is there a document with details or why does the Fortigate always brings the own captive page instead of redirecting us to the external portal?

 

Thank you very much.

Marcel Süess

Jeff_FTNT
Staff
Staff

Firstly make sure it have policy to permit reach to  external portal, it have "captive-portal-exempt enable" option on it.

FGT will send below request to external portal: [link]http://<external[/link] portal="">/?login&post=http://FGT_IP:1000/fgtauth&magic=02050f889bc21644&usermac=x:x:x:x:x:x&apmac=x:x:x:x:x:x&apip=x.x.x.x&userip=x.x.x.x

The portal has to parse the above request to retrieve the FGTIP and magic id, and then compile a form for users to input login information. The form will redirect the user's browser to send below request to FGT: [link]http://FGT[/link]IP:1000/fgtauth&magic=02050f889bc21644&username=<username>&password=<password>.

Thanks.

Marcel_Sueess

Jeff_FTNT wrote:

The form will redirect the user's browser to send below request to FGT: http://FGTIP:1000/fgtauth&magic=02050f889bc21644&username=<username>&password=<password>.

The question for secure sending back username and password Jeff told to try https. But for that, in the URL, the post-parameter shout be also https. Otherwise my Username and password is sent back tu Fortigate in cleartext although my external captive portal-server is using https, doesn't it?

 

Thanks for make this clear.

Marcel_Sueess
New Contributor

Thank you very much for the answer. We will try this. Does the external captive-portal only work for wireless-lan via SSIDs or can it also be used for physical wired network interfaces (hardware switch)? We tested it with wired interfaces and there is always the fortinet discalimer page instead of the website. Although the external website does not parse the parameters correct, there should be the website displayed, wouldn't it?

Thanks in advace.

Jeff_FTNT
Staff
Staff

Physical interface support External Capive portal too.

 

SumaN1
New Contributor

Hi,

Sorry for the late reply, 

we are getting redirection error when trying to browse internet.

Means fortinet is not redirecting to the external page.

 

I need to know what is the pre authentication role is required to redirect the traffic to external web server.

If my external web server is 192.168.29.170

and link is :  [link]https://192.168.29.170/guest/self_reg.php[/link]

Labels
Top Kudoed Authors