This article applies if you use any WiFi infrastructure connected at layer 2 to your Fortigate w/o Fortinet Access Points. If you are routing your WiFi, you should use our WAN deployment on the Fortigate.

Configuration steps:

  1. Get Cloudi-Fi required URL and RADIUS secret

  2. Create Cloudi-Fi Radius Server

  3. Configure Captive Portals Settings
    3a. WiFi Deployment
    3b. Interface Deployment

  4. Configure Security Policy

Validated with FortiOS 6.2.5 build 1142

1) Get Cloudi-Fi required URL and RADIUS secret

Go to your Cloudi-Fi administration interface and get the URL for external authentication

Go to Locations Menu

Click on the menu button of the location and select "Copy Splash page URI"

  • Copy the URI

  • Transform the URI as shown in the following screenshot

Go to the chat interface and ask for your Radius secret

  • Copy the secret as well

2) Create the Cloudi-Fi Radius server

Go to your Fortigate administration interface.

Go to User & Device > RADIUS Servers > Create New :

  • Name : Cloudi-Fi_Radius_Srv

  • Authentication Method : Default

  • IP/Name : radius.cloudi-fi.net

  • Secret : Provided by Cloudi-Fi Support team

  • Save

Go to User & Device > User Groups > Create New :

  • Name : Cloudi-Fi_Radius_group

  • Type : Firewall

  • Remote Groups : Add Cloudi-Fi_Radius_Srv

  • Save
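The same two objects (RADIUS server and firewall user group) can be created from the Fortigate CLI. This is an added example, not part of the original article and not Cloudi-Fi's or Fortinet's own documentation. It uses the object names given above; <RADIUS_SECRET> is a placeholder for the secret obtained from Cloudi-Fi support, the optional source-ip value is a constructed example address, and the final diagnose line is an optional reachability check that assumes you have a test account to try.

```fortios
# Added example: FortiOS 6.2 CLI equivalent of step 2.
# Replace <RADIUS_SECRET> with the secret provided by Cloudi-Fi support.
config user radius
    edit "Cloudi-Fi_Radius_Srv"
        set server "radius.cloudi-fi.net"
        set secret <RADIUS_SECRET>
        # "Default" authentication method in the GUI corresponds to auto
        set auth-type auto
        # Optional (assumed address): pin the source IP the Fortigate uses
        # toward radius.cloudi-fi.net so the Cloudi-Fi side sees a stable,
        # known address. Uncomment and replace with your own outside IP.
        # set source-ip 203.0.113.10
    next
end

config user group
    edit "Cloudi-Fi_Radius_group"
        set group-type firewall
        # Remote group = the RADIUS server: every user that server accepts
        # becomes a member of this group
        set member "Cloudi-Fi_Radius_Srv"
    next
end

# Optional check (test account assumed): a wrong shared secret or blocked
# UDP/1812 toward radius.cloudi-fi.net shows up here as a rejected or
# timed-out request, before any guest tries the portal.
diagnose test authserver radius Cloudi-Fi_Radius_Srv pap <test-user> <test-password>
```

Note that the Fortigate itself must be able to resolve and reach radius.cloudi-fi.net on UDP/1812 from the address it uses as source; check this first if the diagnose command times out.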

3) Configure Captive Portal settings

Note: The Captive Portal feature can be enabled in two different ways on the Fortigate, depending on your infrastructure:

  • In the Fortigate WiFi controller if you have FortiAP (Fortigate WiFi Access Points)

  • On a Fortigate interface (physical or VLAN interface) if you use another WiFi vendor's access points, or if you want to enable the captive portal for wired users.

3a) Enable Captive portal in Fortigate WiFi controller

If you have FortiAP and want to enable Cloudi-Fi in the Fortinet WiFi controller :

Go to WiFi & Switch Controller > SSID > Create New :

  • Provide a name, choose the mode (tunnel or bridge) and fill in the network information

  • WiFi settings :

      • Security mode : Captive Portal

      • Portal type : External Authentication

      • URL : https://login.cloudi-fi.net/start/CompanyKey/Location-ID?spentityid=spforti.com

      • User Groups : Cloudi-Fi_Radius_group

      • Redirect after Captive Portal : Specific URL : https://login.cloudi-fi.net/success.php

  • Save

3b) Enable Captive Portal in Fortigate interface

Use this option if you want to enable the captive portal for your wireless and/or wired users and you don't have FortiAP.

Note: Because the captive portal feature applies to all the traffic of a specific interface, we recommend having a dedicated interface (physical or VLAN) for the Guest network.

Go to Networks > Interfaces > Edit the Guest interface

Then go to the Network Section of the interface and enable Security Mode :
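For reference, the two captive portal options of step 3 (3a on a FortiAP SSID, 3b on a dedicated guest interface) as FortiOS 6.2 CLI. This is an added example, not part of the original article and not Cloudi-Fi's or Fortinet's own documentation. The SSID object name "Guest-WiFi", the broadcast name "Guest" and the interface name "guest" are assumptions; CompanyKey and Location-ID in the URL are replaced by the values copied in step 1. The IP/DHCP settings of the tunnel-mode SSID interface ("network information" in the GUI) are not shown.

```fortios
# Added example: FortiOS CLI for step 3. Apply 3a with FortiAP, or 3b with
# third-party access points / wired guests, not both for the same traffic.
# CompanyKey and Location-ID come from the splash page URI copied in step 1.

# --- 3a: captive portal on a FortiAP SSID ---
config wireless-controller vap
    # assumed SSID object name
    edit "Guest-WiFi"
        # assumed broadcast name
        set ssid "Guest"
        # tunnel mode; set to enable for bridge mode
        set local-bridging disable
        set security captive-portal
        # "External Authentication" portal type
        set portal-type auth
        set external-web "https://login.cloudi-fi.net/start/CompanyKey/Location-ID?spentityid=spforti.com"
        set selected-usergroups "Cloudi-Fi_Radius_group"
        # "Redirect after Captive Portal : Specific URL"
        set security-redirect-url "https://login.cloudi-fi.net/success.php"
    next
end

# --- 3b: captive portal on a dedicated guest interface (physical or VLAN) ---
config system interface
    # assumed name of the dedicated guest interface
    edit "guest"
        set security-mode captive-portal
        set security-external-web "https://login.cloudi-fi.net/start/CompanyKey/Location-ID?spentityid=spforti.com"
        set security-groups "Cloudi-Fi_Radius_group"
        set security-redirect-url "https://login.cloudi-fi.net/success.php"
    next
end
```

With 3b, the security mode applies to every host behind that interface, which is why the article recommends a dedicated guest interface: the only traffic that bypasses the portal is what the captive-portal-exempt policies of step 4 allow.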

4) Configure the Security Policy

To finalize the configuration, you have to create security rules that allow unauthenticated users to reach the captive portal.

Go to Policy & Objects > IPv4 Policy and create the rules below, in the same order:

  • Rules for unauthenticated users :

  Name          | Source          | Destination   | Service | NAT | Action
  DNS           | Guest interface | DNS Servers   | DNS     | TBD | Accept
  Walled Garden | Guest interface | FQDN_CloudiFi | HTTPS   | Yes | Accept

Once these rules are created, right-click each of them, select "Edit in CLI" and paste the following commands, so that these rules bypass the captive portal authentication:

    set captive-portal-exempt enable
    end

  • Rules for authenticated users :

  Name                       | Source          | Destination                                        | Service | NAT | Action
  Allow-Guest                | Guest interface | Outside interface                                  | ALL     | Yes | Accept
  Guest-Deny-All (Optional*) | Guest interface | RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | ALL     | No  | Deny

*The explicit deny rule is optional if your Fortigate Implicit Rule is already configured to deny all traffic.
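The complete rule set of step 4, including the captive-portal-exempt flag on the two pre-authentication rules and the address objects they reference, as FortiOS 6.2 CLI. This is an added example, not part of the original article and not Cloudi-Fi's or Fortinet's own documentation. Assumed names and values: guest interface "guest", outside interface "wan1", a constructed DNS server address 192.0.2.53 (replace with your real resolvers), and login.cloudi-fi.net as the only host in the FQDN_CloudiFi walled-garden object.

```fortios
# Added example: FortiOS CLI for step 4 (address objects + the four policies).
# Assumed: guest interface "guest", outside interface "wan1", DNS server
# 192.0.2.53 (constructed), walled garden host login.cloudi-fi.net.

config firewall address
    edit "DNS_Servers"
        set subnet 192.0.2.53 255.255.255.255
    next
    edit "FQDN_CloudiFi"
        set type fqdn
        set fqdn "login.cloudi-fi.net"
    next
    edit "RFC1918_10"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "RFC1918_172"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "RFC1918_192"
        set subnet 192.168.0.0 255.255.0.0
    next
end

config firewall addrgrp
    edit "RFC1918"
        set member "RFC1918_10" "RFC1918_172" "RFC1918_192"
    next
end

# Policies match top-down and "edit 0" appends at the end, so enter them in
# this order (or reorder later with: config firewall policy / move X before Y).
config firewall policy
    edit 0
        set name "DNS"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "DNS_Servers"
        set schedule "always"
        set service "DNS"
        set action accept
        # NAT is "TBD" in the table: enable when the resolvers sit behind the
        # outside interface, disable for internal resolvers
        set nat enable
        # exempt: unauthenticated clients must resolve the portal's name
        set captive-portal-exempt enable
    next
    edit 0
        set name "Walled Garden"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "FQDN_CloudiFi"
        set schedule "always"
        set service "HTTPS"
        set action accept
        set nat enable
        # exempt: unauthenticated clients must reach the Cloudi-Fi portal
        set captive-portal-exempt enable
    next
    edit 0
        set name "Allow-Guest"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action accept
        set nat enable
    next
    edit 0
        set name "Guest-Deny-All"
        set srcintf "guest"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "RFC1918"
        set schedule "always"
        set service "ALL"
        set action deny
    next
end
```

Only the two rules carrying captive-portal-exempt are reachable before authentication; keep that set as small as the portal needs (DNS and HTTPS to the portal host), since anything exempted is open to every device on the guest interface.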
