Fortigate integration - Enable Cloudi-Fi captive portal in FortiOS

This article applies if you use any WiFi infrastructure connected as a layer 2 to your Fortigate w/o Fortinet Access Points. If you are routing your WiFi, you should use our WAN deployment on the Fortigate.

Configuration steps:

1. Get Cloudi-Fi required URL and RADIUS secret

2. Create Cloudi-Fi Radius Server

3. Configure Captive Portals Settings
   3a. WiFi Deployment
   3b. Interface Deployment

4. Configure Security Policy

Validated with FortiOS 6.2.5 build 1142

1) Get Cloudi-Fi required URL and RADIUS secret

Go to your Cloudi-Fi administration interface and get the URL for external authentication

Go to Locations Menu

Click on the menu button of the location and select "Copy Splash page URI"

• Copy the URI

• Transform the URI as shown in the following screenshot

Go to the chat interface and ask for your Radius secret

• Copy the secret as well

2) Create the Cloudi-Fi Radius server

Go to your Fortigate administration interface.

Go to User & Device > RADIUS Servers > Create New :

• Name : Cloudi-Fi_Radius_Srv

• Authentication Method : Default

• IP/Name : radius.cloudi-fi.net

• Secret : Provided by Cloudi-Fi Support team

• Save

Go to User & Device > User Groups > Create New :

• Name : Cloudi-Fi_Radius_group

• Type : Firewall

• Remote Groups : Add Cloudi-Fi_Radius_Srv

• Save

3) Configure Captive Portal settings

Note: The Captive Portal feature can be enabled in two different ways with Fortigate, depending on your infrastructure:

• In the Fortigate WiFi controller if you have FortiAP (Fortigate WiFi Access Points)

• In a Fortigate interface (physical or VLAN interface) if you have other WiFi vendor or if you want to enable captive portal for wired users.

3a) Enable Captive portal in Fortigate WiFi controller

If you have FortiAP and want to enable Cloudi-Fi in the Fortinet WiFi controller :

Go to WiFi & Switch Controller > SSID > Create New :

• Provide a name, the mode (tunnel or bridge) and fill the network information

• WiFi settings :

• Security mode : Captive Portal

• Portail type : External Authentication

• URL : https://login.cloudi-fi.net/start/CompanyKey/Location-ID?spentityid=spforti.com

• User Groups : Cloudi-Fi_Radius_Group

• Redirect after Captive Portal : Specific URL : https://login.cloudi-fi.net/success.php

• Save

3b) Enable Captive Portal in Fortigate interface

If you want to enable the captive portal for your wireless and/or wired users and you don't have FortiAP.

Note: Because the captive portal feature is enabled for all the traffic
of a specific interface, we recommend to have a dedicated interface
(physical or VLAN) for the Guest network.

Go to Networks > Interfaces > Edit the Guest interface

Then go to the Network Section of the interface and enable Security Mode :

• Security Mode : Captive Portal

• Authentication Portal : Eternal

• URL : https://login.cloudi-fi.net/start/CompanyKey/Location-ID?spentityid=spforti.com

• User Access : Restricted to Groups : Cloudi-Fi_Radius_group

• Exempt destinations : Create a FQDN Object for *.cloudi-fi.net

• Redirect after captive portal : https://login.cloudi-fi.net/success.php

• Save

4) Configure the Security Policy

To finalize the configuration, you have to create security rules to allow unauthenticated user to access the captive portal.

Go to Policy & Objects > IPv4 Policy and create below rules in the same order:

• Rules for unauthenticated users :

Once these rules created, right click on each rule and select "Edit in CLI" and copy/paste this command in order to bypass the captive portal authentication for above rules.

set captive-portal-exempt enable
end

• Rule for authenticated user :

*The explicit deny rule is optional if your Fortigate Implicit Rule is already configure to Deny all the traffic.