External Captive portal with Forti OS 5.2

SumaN@boystown
2015/03/17 04:35:18 (permalink) 5.2
0

Hi Folks,
I am new to this forum and not sure if this is the correct board to post this.
I saw in the FortiOS 5.2 release notes that it supports external captive portal. Has anyone implemented this feature with good success?
I need some suggestions on this.
 
SumaN@boystown
#1


    Jeff_FTNT
    Re: External Captive portal with Forti OS 5.2 2015/03/17 10:18:18 (permalink)
    4 (1)
    You may set up your own portal; here is an example setting.
    - Set up "External Captive Portal" on the interface "switch" as below:

    config system interface
        edit "switch"
            set vdom "vdom1"
            set ip 192.168.1.89 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
            set type physical
            set security-mode captive-portal
            set security-external-web "http://172.18.4.218/portal/index.php"
            set security-groups "group_radius"
        next
    end
    config firewall policy
        edit 2
            set srcintf "switch"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "web_ext_addr_switch"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set captive-portal-exempt enable
            set nat enable
        next
        edit 4
            set srcintf "switch"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
        next
    end
    #2
    SumaN@boystown
    Re: External Captive portal with Forti OS 5.2 2015/03/18 21:37:43 (permalink)
    0
    Thanks for your response.
    Some questions popped up in my head.
    Can I push a user role from the external authentication server?
    What is the lowest FortiOS version that supports external captive portal?
     
    Thanks
    SumaN
    #3
    Jeff_FTNT
    Re: External Captive portal with Forti OS 5.2 2015/03/19 09:03:45 (permalink)
    0
    <<<Can I push a user role from the external authentication server?
    Sorry, I did not understand this question.
    <<<What is the lowest FortiOS version that supports external captive portal?
    v5.2.0 GA /build0589
    #4
    Marcel Sueess
    Re: External Captive portal with Forti OS 5.2 2015/03/25 07:50:14 (permalink)
    0
    Hi
    We are also trying to integrate an external captive portal with a Fortigate 60D 5.2.3, but it doesn't work as expected. Are there any requirements for the external server? When I configure the external captive portal server as given in the answer above and try to reach the Internet, I always get the Fortigate disclaimer page and not the external portal. Is there a document with details, or why does the Fortigate always bring up its own captive page instead of redirecting us to the external portal?
     
    Thank you very much.
    Marcel Süess
    #5
    Jeff_FTNT
    Re: External Captive portal with Forti OS 5.2 2015/03/25 08:58:26 (permalink)
    0
    First, make sure there is a policy that permits reaching the external portal, with the "captive-portal-exempt enable" option set on it.
    FGT will send the request below to the external portal: http://<external portal>/?login&post=http://FGT_IP:1000/fgtauth&magic=02050f889bc21644&usermac=x:x:x:x:x:x&apmac=x:x:x:x:x:x&apip=x.x.x.x&userip=x.x.x.x
    The portal has to parse the above request to retrieve the FGT IP and magic id, and then compile a form for users to input login information. The form will redirect the user's browser to send the request below to FGT: http://FGTIP:1000/fgtauth&magic=02050f889bc21644&username=<username>&password=<password>.
    Thanks.
    #6
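
The exchange described in the post above, sketched from the portal's side as an added example (not part of any post in this thread, and not Fortinet code). It is written in Python for illustration; the allow-list, the hex format assumed for `magic`, the POST form method and all sample addresses are assumptions. Because the browser submits credentials to whatever `post` points at, the portal checks that value against known FortiGate addresses and flags a cleartext `http` target.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the FortiGate addresses this portal serves (constructed value).
ALLOWED_FGT_HOSTS = {"192.168.1.89"}
MAGIC_RE = re.compile(r"[0-9a-fA-F]{1,64}")  # assumption: magic is a hex token


def parse_fgt_redirect(url):
    """Extract and validate 'post' and 'magic' from the FortiGate redirect."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    post = qs.get("post", [""])[0]
    magic = qs.get("magic", [""])[0]
    target = urlsplit(post)
    # Credentials go wherever 'post' points, so accept known FortiGates only.
    if target.scheme not in ("http", "https"):
        raise ValueError("post URL has an unexpected scheme")
    if target.hostname not in ALLOWED_FGT_HOSTS:
        raise ValueError("post URL is not an allowed FortiGate")
    if not MAGIC_RE.fullmatch(magic):
        raise ValueError("magic is missing or malformed")
    return {"post": post, "magic": magic,
            "userip": qs.get("userip", [""])[0],
            "usermac": qs.get("usermac", [""])[0],
            "cleartext": target.scheme == "http"}


def build_login_form(params):
    """Render the form that returns magic, username and password to 'post'."""
    return (
        '<form method="post" action="{}">\n'
        '  <input type="hidden" name="magic" value="{}">\n'
        '  <input type="text" name="username">\n'
        '  <input type="password" name="password">\n'
        '  <input type="submit" value="Login">\n'
        '</form>'
    ).format(html.escape(params["post"], quote=True),
             html.escape(params["magic"], quote=True))


# Constructed sample redirect, following the format quoted in the post.
SAMPLE = ("http://172.18.4.218/portal/index.php?login"
          "&post=http://192.168.1.89:1000/fgtauth&magic=02050f889bc21644"
          "&usermac=00:11:22:33:44:55&apmac=66:77:88:99:aa:bb"
          "&apip=192.168.1.2&userip=192.168.1.110")

if __name__ == "__main__":
    p = parse_fgt_redirect(SAMPLE)
    print(build_login_form(p))
    print("cleartext credential path" if p["cleartext"] else "post URL uses TLS")
```
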
    Marcel Sueess
    Re: External Captive portal with Forti OS 5.2 2015/03/25 12:01:13 (permalink)
    0
    Thank you very much for the answer. We will try this. Does the external captive portal only work for wireless LAN via SSIDs, or can it also be used for physical wired network interfaces (hardware switch)? We tested it with wired interfaces and there is always the Fortinet disclaimer page instead of the website. Even if the external website does not parse the parameters correctly, the website should be displayed, shouldn't it?
    Thanks in advance.
    #7
    Jeff_FTNT
    Re: External Captive portal with Forti OS 5.2 2015/03/25 12:09:14 (permalink)
    0
    Physical interfaces support External Captive portal too.
     
    #8
    SumaN@boystown
    Re: External Captive portal with Forti OS 5.2 2015/03/27 01:28:25 (permalink)
    0
    Hi,
    Sorry for the late reply.
    We are getting a redirection error when trying to browse the internet.
    That means Fortinet is not redirecting to the external page.
     
    I need to know what pre-authentication role is required to redirect the traffic to the external web server,
    if my external web server is 192.168.29.170
    and the link is: https://192.168.29.170/guest/self_reg.php
    post edited by SumaN@boystown - 2015/03/27 04:14:08
    #9
    Marcel Sueess
    Re: External Captive portal with Forti OS 5.2 2015/03/27 05:15:25 (permalink)
    0
    Hi
     
    We also have the problem that the redirection to the external page isn't working. We always get the internal disclaimer page with a Fortigate VM and a Fortigate 60D with a physical interface for captive portal. Is there possibly a bug in 5.2.3 with not redirecting?
     
    Thank you so much.
    Marcel Süess
    #10
    SumaN@boystown
    Re: External Captive portal with Forti OS 5.2 2015/03/27 08:27:26 (permalink)
    0
    Today I tried hard to get things working, but ended up in total disappointment.
     
    The workflow is as below:
    The guest connects to the captive SSID [Guest],
    gets an IP,
    tries to browse,
    Fortinet hijacks the request and presents a disclaimer page.
    The guest accepts the disclaimer.
    Now it is time for the external portal redirection, so the guest browser is given a predefined URL [https:192.168.29.172/guest/self_reg.php   in my case after that fortinet is adding some other information with the url] and it tries to go there, but here the whole process stops. It does not get redirected there.
    I suspect that some pre-authentication role is required to make it succeed, however I am not able to find any good document from Fortinet.
     
    I would like someone from Fortinet to take a look at this.
     
    post edited by SumaN@boystown - 2015/03/27 08:35:07
    #11
    Jeff_FTNT
    Re: External Captive portal with Forti OS 5.2 2015/03/27 09:12:48 (permalink)
    4 (1)
    If the "External Captive portal" is not on the same interface as your PC, make sure to add a policy that permits the PC to reach the "External Captive portal", like:
     
    config firewall policy
        edit 3
            set srcintf "switch"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "extportal"  ----- external portal ip
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set captive-portal-exempt enable --- needs to be entered from the CLI, the GUI does not support it.
            set nat enable
        next
    end


    Thanks.
    #12
    Marcel Sueess
    Re: External Captive portal with Forti OS 5.2 2015/03/29 09:55:19 (permalink)
    0
    Hi all
    I got it to work with my own PHP script! Thank you very much for the help. I don't know why it didn't redirect me to the portal site. Now I also get redirected to every external captive portal I want.
    My question now is: the username and password which get sent back via the post method are in plain text. Is there any possibility to secure this information?
    Greets
    Marcel
    #13
    Jeff_FTNT
    Re: External Captive portal with Forti OS 5.2 2015/03/30 08:30:38 (permalink)
    0
    Try HTTPS, thanks.
    #14
    SumaN@boystown
    Re: External Captive portal with Forti OS 5.2 2015/04/03 00:13:38 (permalink)
    0
    Does Fortinet support RFC 3576 and the RADIUS CoA protocol?
    #15
    Jeff_FTNT
    Re: External Captive portal with Forti OS 5.2 2015/04/06 08:40:40 (permalink)
    5 (1)
    As far as I know, it is not supported, thanks.
    SumaN@boystown
    Does Fortinet support RFC 3576 and the RADIUS CoA protocol?
    #16
    SumaN@boystown
    Re: External Captive portal with Forti OS 5.2 2015/04/08 03:36:09 (permalink)
    0
    OK,
    My external captive portal server and authentication server are both external and hosted on the same server, let's say SERVER-1.
    So for this scenario the guest will get redirected to the external page [hosted on SERVER-1], and after that the guest will fill in the credential fields to get access, which will be checked against the external server SERVER-1.
     
    So in this case, how will the guest auth request go to SERVER-1, and what will the protocol be for that?
    How will Fortinet come to know that the guest has completed authentication?
     
     
    #17
    Nihas
    Re: External Captive portal with Forti OS 5.2 2015/04/08 05:53:36 (permalink)
    4 (1)
    https://forum.fortinet.com/tm.aspx?m=112063
     
    I too asked exactly the same question before.
    How does the Fortigate know whether the authentication has been successfully validated?
     
    I have done the testing with one of our user portals (it uses a local MS-SQL database).
    The first part was perfect. When I opened a new browser page I got the external server page for the authentication.
    But even without entering the correct credentials I got access to surf the internet. I.e., the Fortigate doesn't know whether the external portal has successfully validated the credentials or not..!!
     
    It would be a great solution if we could successfully integrate the external captive portal.
    I could enforce end users to log in to their "Company Portal" to get authenticated to connect to the network..!
     
    Thanks
    Nihas
    #18
    SumaN@boystown
    Re: External Captive portal with Forti OS 5.2 2015/04/09 04:11:28 (permalink)
    0
    Waiting for someone from Fortinet to reply  :-)
    #19
    Marcel Sueess
    Re: External Captive portal with Forti OS 5.2 2015/04/09 11:42:59 (permalink)
    4 (1)
    Jeff_FTNT
    The form will redirect the user's browser to send below request to FGT: http://FGTIP:1000/fgtauth&magic=02050f889bc21644&username=<username>&password=<password>.

    For the question of securely sending back the username and password, Jeff said to try HTTPS. But for that, the post parameter in the URL should also be https. Otherwise my username and password are sent back to the Fortigate in cleartext although my external captive portal server is using https, aren't they?
     
    Thanks for making this clear.
    #20