FortiGate

CONFIGURATION GUIDE

The purpose of this manual is to describe the configuration required on FortiGate equipment for integration with the Octopus Platform.

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, access to the following hosts and ports must be allowed so that users can authenticate:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • For the Guest and Enterprise module configurations to work, the Octopus platform licenses with the corresponding modules must have been contracted beforehand.

2- Guest module configuration

2.1 Radius Server

The next step is to configure the parameters of the Radius Server to which user authentication requests will be sent. It is recommended to do this through the CLI, as part of the configuration is not supported by the graphical interface:

config user radius
    edit Radius_Guest
        set server "<IP_Radius_1>"
        set secret <Secret>
        set acct-interim-interval 600
        set auth-type pap
        set secondary-server "<IP_Radius_2>"
        set secondary-secret <Secret>
        config accounting-server
            edit 1
                set status enable
                set server "<IP_Radius_1>"
                set secret <Secret>
            next
            edit 2
                set status enable
                set server "<IP_Radius_2>"
                set secret <Secret>
            next
        end
    next
end

Then create a user group that uses that server. To do this, go to User & Device > User Groups and add a new group with the following configuration:

config user group
    edit "Radius_Group"
        set member "Radius_Guest"
    next
end

2.2 Captive Portal

The next step is to add the VLAN that will be linked to the external captive portal. Go to Network > Interfaces and click Create New Interface to add a new VLAN with the following configuration:

  • Interface Name: type the interface name

  • Type: VLAN

  • Interface: select the interface associated to the VLAN

  • Address: set up the IP address configuration depending on the client's network parameters.

  • Administrative Access: RADIUS Accounting

  • DHCP Server: set up the DHCP server configuration depending on the client's network parameters.

  • Admission Control

    • Security mode: Captive Portal

    • Authentication Portal: External

      • HTTP option: http://<captive_portal_domain>/login/hotspot/fortigate

      • HTTPS option: https://<captive_portal_domain>/login/hotspot/fortigate

    • User Access: Restricted Groups

    • User Groups: Select the group containing the Radius Server

Example of configuration by CLI:

config system interface
    edit "vlan710"
        set vdom "root"
        set ip 10.10.0.1 255.255.252.0
        set allowaccess ping radius-acct
        set alias "vlan_Guest710"
        set security-mode captive-portal
        set security-mac-auth-bypass enable
        set security-external-web "https://<captive_portal_domain>/login/hotspot/fortigate"
        set security-groups "Radius_Group"
        set role lan
        set snmp-index 14
        set interface "bridgeEth"
        set vlanid 710
    next
end

After configuring all the indicated parameters, click OK to save the configuration.

2.3 Walled Garden

The next step is to configure the domains that the users will be able to visit without being authenticated in the captive portal. To add each domain name to the walled garden, go to the section Policy & Objects > Addresses and add a new address with the following configuration:

  • Name: Identifying name

  • Type: FQDN

  • FQDN: *domain*

  • Interface: any

At a minimum, the following should be added:

If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted at the following link.

Example CLI

Then it is necessary to create an Address Group that includes all of the above domains. To do this, click Create New Address Group and configure the following parameters:

  • Name: Identifying name

  • Members: Include all previously added domains.
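As an added illustration (not part of the original guide), the same walled-garden objects created from the CLI. The address names, the group name and the second domain are assumed placeholders; <captive_portal_domain> is the portal domain from section 1, which users must be able to reach before authenticating.

```fortios
# Added example: walled-garden FQDN addresses and the group that collects them.
# Object names and the second domain are assumed placeholders.
config firewall address
    edit "wg_captive_portal"
        set type fqdn
        set fqdn "<captive_portal_domain>"
    next
    edit "wg_extra_domain"
        set type fqdn
        set fqdn "<additional_walled_garden_domain>"
    next
end
config firewall addrgrp
    edit "WalledGarden_Guest"
        set member "wg_captive_portal" "wg_extra_domain"
    next
end
```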

2.4 Policy

Once all the addresses have been added, it is necessary to associate each one of them to a policy. To do this, go to Policy & Objects > IPv4 Policy and add a series of policies.

walled garden policy

  • Name: walledgardenpolicy_guest

  • Incoming Interface: the guest interface created previously.

  • Outgoing Interface: WAN Interface

  • Source: all

  • Destination: indicate the previously added Address Group.

  • Service: ALL

  • Action: Accept

The walled garden policy must be exempted from the configured external captive portal so that it is not affected by it. To do this, access the equipment through the console and execute the following commands, replacing policy_id with the corresponding one.

DNS Policy

It is also necessary to add a policy allowing access to DNS servers. To do this, add a new policy with the following configuration:

  • Name: dns_guest

  • Incoming Interface: previously created interface.

  • Outgoing Interface: WAN Interface

  • Source: all

  • Destination: all

  • Service: DNS

  • Action: Accept

Internet Access Policy

To finalize this configuration, an Internet access policy must be created for authenticated users with the following configuration:

  • Name: auth_guest

  • Incoming Interface: the previously created interface.

  • Outgoing Interface: WAN Interface

  • Source:

    • all

    • add the previously created Radius group

  • Destination: all

  • Service: ALL

  • Action: Accept

All policies in CLI are summarized below:
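The three policies above as an added CLI example (not the guide's own listing), including the captive-portal exemption described for the walled garden. It assumes the interface "vlan710" and group "Radius_Group" from section 2.2, an address group assumed to be named "WalledGarden_Guest" (the group created in section 2.3) and a WAN interface named "wan1"; `edit 0` lets FortiOS assign the next free policy ID, and the policies are appended in the order shown so that the unauthenticated rules are evaluated before the authenticated one.

```fortios
# Added example. Interface, group and address names are assumptions.
config firewall policy
    edit 0
        set name "walledgardenpolicy_guest"
        set srcintf "vlan710"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "WalledGarden_Guest"
        set action accept
        set schedule "always"
        set service "ALL"
        # Exempt this policy from the interface captive portal (the bypass described above)
        set captive-portal-exempt enable
        set nat enable
    next
    edit 0
        set name "dns_guest"
        set srcintf "vlan710"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    edit 0
        set name "auth_guest"
        set srcintf "vlan710"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Only members of the RADIUS group (authenticated users) match this policy
        set groups "Radius_Group"
        set nat enable
    next
end
```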

2.5 NAS Identifier

In order for the Radius Server to authorize and identify authentication requests coming from the FortiGate device, it is necessary to modify the name of the device so that it sends its MAC address. To do this, execute the following commands, replacing the MAC address with the corresponding one.
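An added example of these commands (not the guide's own listing). It assumes that the FortiGate sends its hostname as the RADIUS NAS-Identifier, which is why section 2.7 refers to the MAC address configured as hostname and alias; <FortiGate_MAC_Address> is a placeholder to replace with the device's MAC address in the format expected by Octopus.

```fortios
# Added example: use the device MAC address as hostname and alias so that
# RADIUS requests carry it as NAS-Identifier. <FortiGate_MAC_Address> is a placeholder.
config system global
    set hostname "<FortiGate_MAC_Address>"
    set alias "<FortiGate_MAC_Address>"
end
# Optional check: send a PAP test request to the Radius_Guest server defined in
# section 2.1 and confirm that the server answers with Access-Accept.
diagnose test authserver radius Radius_Guest pap <test_user> <test_password>
```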

2.6 HTTP or HTTPS login process configuration

There are two options for validating against the captive portal: over HTTP, where the traffic is not encrypted, and over HTTPS.

HTTP option

With the default values left in place, this configuration can be used as is.

Normally, the following configuration parameters are left unset. This can be verified with the "show" command:

HTTPS option

The first step is to upload a certificate for the login subdomain. To do so, follow the steps below:

Upload certificate

  • First, create the certificate in ".pfx" format. It can be created with openssl.

  • To upload it, go to the System > Certificates > Import > Local Certificate graphical interface:

    • Type: PKCS #12 Certificate

    • Certificate with key file: certificate.pfx

    • Password: leave blank

    • Certificate Name: <certificate_name>

Configuration changes

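As an added example (not the guide's own listing), the CLI changes that switch the captive portal login to HTTPS with the uploaded certificate. It assumes <certificate_name> from the upload step and, for the portal address, that the certificate was issued for securelogin.<certificate_name>, the name created in the DNS step that follows.

```fortios
# Added example: serve the captive portal login over HTTPS with the uploaded
# certificate. <certificate_name> is the name given at import time.
config user setting
    set auth-cert "<certificate_name>"
    set auth-secure-http enable
end
# Assumption: the certificate subject matches securelogin.<certificate_name>, so the
# redirect uses that FQDN (resolved by the static DNS entry) instead of the interface IP,
# which avoids certificate warnings on the client.
config firewall auth-portal
    set portal-addr "securelogin.<certificate_name>"
end
```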

Add static DNS entry

If a DHCP server other than the Fortinet device is used, create a DNS entry that resolves <certificate_name> to the IP address of the Fortinet interface on which the captive portal is configured. Otherwise, follow the steps below:

  • Network > DNS Servers > DNS Database > Create New

    • Type: Master

    • View: Shadow

    • DNS Zone: <certificate_name>

    • Domain Name: <certificate_name>

    • Authoritative: disable

  • Inside Database created DNS Entries > Create New

    • Type: Address (A)

    • Hostname: securelogin

      • IP Address: the IP address of the Fortinet device on the Wi-Fi interface where the captive portal will be activated (this IP address can be consulted at Network > Interfaces)

  • Verify that the DNS server delivered to clients is the Fortinet device. To do this, go to Network > Interfaces > (configured guest Wi-Fi interface) > DHCP Server > DNS Server and select "Same as Interface IP".

2.7 Authorized MAC Addresses

In order for users to authenticate correctly in the captive portal, the NAS that will send the authentication requests to the Radius Server must be identified. In this case, the MAC address previously configured as hostname and alias must be added to the Wi-Fi platform.

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1 Captive portal + MAC Authentication configuration

To enable MAC authentication it is necessary to edit the VLAN associated to the captive portal. To do this, access the equipment via SSH or console and execute the following commands, indicating the name of the corresponding VLAN:

- Validation via the devices' MAC address (MAC Authentication) can only be activated if the FortiGate equipment runs FortiOS version 6.0.0 or higher.

3.2 MAC Authentication configuration

To create a dedicated SSID for MAC Authentication validation only, create a firewall policy to allow RADIUS authentication related traffic from the Fortilink interface to the outbound interface on the FortiGate.

Next, define a RADIUS server and create a user group:

Then in the device configuration interface perform the following configuration:

  • Go to User & Device > RADIUS Servers and edit an existing server or create a new one, adding a name and configuring the IP address.

  • Name: "<IP_Radius_1>" and secret: <secret>

Now go to User & Device > User Groups and create a new group to which the previously created radius server will be added:

A Security Policy must be created using the CLI:

Then, in the device interface, go to WiFi & Switch Controller > FortiSwitch Security Policy and use the default 802-1X-policy-default or create a new security policy:

  • Configure the RADIUS server group created earlier.

  • Security mode: MAC-based

  • Click OK

To apply the Security Policy to the device ports perform the following configuration:
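The security policy and its port assignment as an added CLI example (not the guide's own listing); the RADIUS firewall policy mentioned at the start of this section is included. It assumes the FortiLink interface is named "fortilink", the WAN interface "wan1", the user group "Radius_Group" from section 2.1, a policy name "MAC_Auth_Octopus", and placeholders for the FortiSwitch serial number and port.

```fortios
# Added example. Names in angle brackets are placeholders; interface and group names are assumptions.
# 1) Allow RADIUS traffic from the FortiLink interface towards the outbound interface.
config firewall policy
    edit 0
        set name "fortilink_radius"
        set srcintf "fortilink"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end
# 2) Security policy: per-MAC authentication against the RADIUS user group, with
#    MAC authentication bypass so that clients without an 802.1X supplicant are
#    identified by MAC address (assumption on how the Octopus MAC validation is used).
config switch-controller security-policy 802-1X
    edit "MAC_Auth_Octopus"
        set security-mode 802.1X-mac-based
        set user-group "Radius_Group"
        set mac-auth-bypass enable
    next
end
# 3) Apply the policy to the switch port(s) that serve the dedicated SSID/VLAN.
config switch-controller managed-switch
    edit "<FortiSwitch_serial>"
        config ports
            edit "<port_name>"
                set port-security-policy "MAC_Auth_Octopus"
            next
        end
    next
end
```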

3.3 Configuration of Access Profiles

Through the Octopus platform it is possible to configure a series of reply attributes in the Access-Accept packets, grouped in the so-called Access Profile. These Access Profiles allow a series of functionalities to be activated on the FortiGate. Although the most common attributes and the proprietary FortiGate RADIUS dictionary are available, the following are some of the most useful ones:

  • Idle-Timeout

    • Description: Maximum inactivity time. If the user does not transfer any data on the network during this time, the session is terminated and the user has to re-authenticate.

    • Format: Seconds

  • Acct-Interim-Interval

    • Description: Defines the time interval at which the NAS sends the accounting update packet with all of the user's session information.

    • Format: Seconds (minimum 600 seconds)

  • Reply-Message

    • Description: Useful for troubleshooting, since it allows identifying the associated elements of the Octopus platform, such as the access profile, access method, location, etc.

Example of an Access Profile configuration with the attributes explained above:


For more information on how to create an Access Profile in the Octopus Platform, go to Access profiles.