This page explains the Captive Portal configuration for Fortigate hardware and authentication via IronWiFi.

IronWiFi Console Configuration

1. Log into the IronWiFi console or register for free
2. Create a new network
3. After that, create a new captive portal, with vendor FortiGate

Access Point Configuration

Please log in to your FortiGate web interface and click User & Authentication > RADIUS Servers on the left menu. Click + Create New and configure with:

• Name - guestradius
• Primary Server - get this value from the IronWiFi console
• Primary Shared Secret - get this value from the IronWiFi console
• Secondary Server - get this value from the IronWiFi console
• Secondary Shared Secret - get this value from the IronWiFi console
• Authentication Method - Specify
• Method - PAP

Click OK to Save.

Click on guestradius server and click Edit

In the Additional Information section on the right, click on >_ Edit in CLI and issue the following commands:

set radius port <your auth port>

set acct-interim-interval 600

config accounting-server

edit 1

set status enable

set server "<your primary server IP>"

set secret <your secret>

set port <your accnt port>

end

config accounting-server

edit 2

set status enable

set server "<your secondary server IP>"

set secret <your secret>

set port <your accnt port>

end

end

end

Your config should look similiar to the above.

Close the CLI window and navigate away from the edit page - do NOT press OK as it will overwrite the settings that you have just changed in the CLI.

Next, click on User Groups and Create New. Configure with:

• Name - guestgroup
• Type - Firewall

Under Remote groups click Create New and under Remote Server choose guestradius. Click OK to Save.

Next, click Policy & Objects > Addresses. Click Create New > Address. Configure with:

• Category - Address
• Name - guestonline
• Type - IP/Netmask
• Subnet / IP Range - 10.1.0.0/255.255.255.0
• Interface - any
• Show in Address List - Enabled

Click OK to Save. Next, click Create New > Address again and configure with:

• Category - Address
• Name - Your splash page's hostname
• Type - FQDN
• FQDN - Your splash page's hostname

Click OK to Save.

Next, under Addresses click Create New > Address Group. Configure with:

• Category - IPv4 Group
• Group Name - guestwhitelist
• Members - click the + button and select all the domains you added earlier.

Click OK to Save.

Next, click WiFi & Switch Controller > SSID on the left. Click Create New > SSID. Configure with:

• Interface Name - guestwifi
• Type - WiFi SSID
• Traffic Mode - Bridge
• Address - 10.1.0.1/255.255.255.0
• DHCP Server - Enabled
• DNS Server - Same as Interface IP
• SSID - Guest WiFi (or whatever you wish)
• Security Mode - Captive Portal
• Portal Type - Authentication
• Authentication Portal - External: get this URL from the IronWiFi console
• User Groups - guestgroup
• Exempt Destinations / Services - guestwhitelist
• Broadcast SSID - Enabled
• Block Intra-SSID Traffic - Enabled
• Redirect after Captive Portal - Specific URL: get this success URL from the IronWiFi console

Click OK to Save.

Click on Network > Interfaces, select interface you want to use for captive portal, click Edit

Configure with:

• Addresing Mode - Manual
• IP / Netmask - 10.1.0.1/255.255.255.0
• DHCP Server - Enabled
• DNS Server - Same as Interface IP
• Security Mode - Captive Portal
• Portal Type - Authentication
• Authentication Portal - External: get this URL from the IronWiFi console
• User Groups - guestgroup
• Exempt Destinations / Services - guestwhitelist
• Redirect after Captive Portal - Specific URL: get this success URL from the IronWiFi console
  
  

Next, under IPv4 Policy click Create New. Configure with:

• Name - guestwifi
• Incoming Interface - Guest WiFi (guestwifi) OR the interface you have selected for the captive portal if you are using 3rd party AP
• Outgoing Interface - wan1 (your WAN connection)
• Source - all
• Destination Address - guestwhitelist
• Schedule - always
• Service - ALL
• Action - ACCEPT
• Enable this policy - Enabled

Click OK to Save. Click Create New again and configure with:

• Name - guestwifionline
• Incoming Interface - Guest WiFi (guestwifi) OR the interface you have selected for the captive portal if you are using 3rd party AP
• Outgoing Interface - wan1 (your WAN connection)
• Source - guestonline
• Destination Address - all
• Schedule - always
• Service - ALL
• Action - ACCEPT
• Enable this policy - Enabled

Click OK to Save.

Go to Network > DNS Servers (if you don't see that option, you need to enable it in System > Feature Visibility)

In DNS Service on Interface section click on Create New

Select interface your captive portal is on, select Mode - Recursive,click OK to save.

In DNS Database section click on Create New and configure with:

• Type - Primary
• View - Shadow
• DNS Zone - local
• Domain Name - <your domain name> - you must have administrative access to that domain as you will have to obtain valid SSL certificate for it
• Hostname of Primary DNS - <your hostname> - together with your domain name  it will form the FQDN that you will use for the redirection
• Authoritative - disabled
  
  

Below in the DNS Entries section, click on Create New and configure with:

• Type - Address (A)
• Hostname - the same Hostname you have configured above
• IP Address - <IP Address of your Captive Portal Interface>
• Status - enabled
  
  

Click OK to save.

Go to System > Certificates and Import a valid SSL certificate that matches your FQDN or Create one using built-in ACME Let's Encrypt.

To finish, we need to enable secure redirections using the valid SSL certificate, enable HTTPS redirections and add FQDN we are using as the redirection URL.

Open CLI and issue the following commands:

config user setting

set auth-cert "<name of your valid SSL cert>"

set auth-secure-http enable

end 

config firewall auth-portal

set portal-addr "<your FQDN>"

end

The configuration is now complete.