Sunday, January 2, 2022

FortiGate Captive Portal

A Captive Portal is a convenient way to authenticate web users either on wired or WiFi networks using an HTML (web) form that requires a username and password (active authentication).

 

You must first create a user group and then add a user to the group. To create a new user, go to User & Authentication > Create New.

 

Notice there's a guest user created by default.

Select Local User > Next.

Type Username: cp-user > type Password: fortinet > click Next.

Leave the Two-factor Authentication disabled > click Next.

Leave the User Account Status Enabled > leave the User Group disabled.

 

We can't create a new User Group from here, since cp-user hasn't been created yet and is therefore not selectable.

 


To create a new User Group, go to User & Authentication > User Groups > Create new.

 

Notice there's Guest-group and SSO_Guest_Users created by default.

 

Type a Name: CP-GROUP-1 > select Type: Firewall > click add (+) in Members > select cp-user > click Close > OK.


To enable Captive Portal, go to Network > Interfaces > select port2 > click Edit (or just double-click). This would be the port for the incoming wired traffic.


Scroll down > enable Security Mode: Captive Portal > select Authentication portal: Local > select User access: Restricted to Groups > select User groups > CP-GROUP-1 > click Close > OK.


Enable the Captive Portal Disclaimer Message via CLI (for wired users).

FG-1 # config firewall policy
FG-1 (policy) # edit 1
FG-1 (1) # set disclaimer
enable     Enable user authentication disclaimer.
disable    Disable user authentication disclaimer.
FG-1 (1) # set disclaimer enable
FG-1 (1) # end

I tested the Captive Portal by accessing the website training.fortinet.com from 172.16.1.100 (Windows 7 VM).

 

You'll be redirected to the FortiGate Authentication web page. Type the username: cp-user > type the password: fortinet > click Continue.

Once logged in, a Firewall Disclaimer is presented. Click Yes, I agree to continue.


To view the Firewall User/Captive Portal logs, go to Log & Report > Events > User Events.

Notice the User Events for cp-user.

Select a specific log > click Details.
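The User Events view shows one authentication event at a time. When reviewing a day of captive-portal activity it is more useful to summarize the events per user and source address, for example to spot a source that keeps failing before it eventually succeeds. The following script is an added example, not part of this post or of FortiOS; it parses FortiOS-style key=value event lines. The sample lines are constructed for this lab, and the exact action and status values (authentication/success, authentication/failed, auth-logout) are assumptions that should be checked against the Details pane of a real log entry before the matching is relied on.

```python
import re
from collections import Counter

# FortiOS writes event logs as space-separated key=value pairs and quotes
# values that contain spaces. The regex captures a quoted or a bare value.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines for the lab in this post (not real device output).
# Field names follow the FortiOS convention; action/status values are assumed.
SAMPLE_LOGS = """\
date=2022-01-02 time=10:01:05 devname="FG-1" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication failed" srcip=172.16.1.100 user="cp-user" group="CP-GROUP-1" action="authentication" status="failed" msg="User cp-user failed in authentication"
date=2022-01-02 time=10:01:09 devname="FG-1" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication failed" srcip=172.16.1.100 user="cp-user" group="CP-GROUP-1" action="authentication" status="failed" msg="User cp-user failed in authentication"
date=2022-01-02 time=10:01:15 devname="FG-1" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=172.16.1.100 user="cp-user" group="CP-GROUP-1" action="authentication" status="success" msg="User cp-user succeeded in authentication"
date=2022-01-02 time=10:07:40 devname="FG-1" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication logout" srcip=172.16.1.100 user="cp-user" group="CP-GROUP-1" action="auth-logout" status="logout" msg="User cp-user logged out"
date=2022-01-02 time=10:08:01 devname="FG-1" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication failed" srcip=172.16.1.200 user="admin" group="N/A" action="authentication" status="failed" msg="User admin failed in authentication"
date=2022-01-02 time=10:08:04 devname="FG-1" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication failed" srcip=172.16.1.200 user="admin" group="N/A" action="authentication" status="failed" msg="User admin failed in authentication"
date=2022-01-02 time=10:08:09 devname="FG-1" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication failed" srcip=172.16.1.200 user="admin" group="N/A" action="authentication" status="failed" msg="User admin failed in authentication"
"""


def parse_fortios_line(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def summarize(log_text, fail_threshold=3):
    """Count captive-portal outcomes per (user, srcip) from subtype=user events.

    Returns Counters for successes, failures and logouts, plus a sorted list of
    (user, srcip) pairs whose failure count reached fail_threshold.
    """
    success, failed, logout = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_fortios_line(line)
        # Only firewall-user events are relevant to the captive portal.
        if ev.get("type") != "event" or ev.get("subtype") != "user":
            continue
        key = (ev.get("user", "?"), ev.get("srcip", "?"))
        action, status = ev.get("action"), ev.get("status")
        if action == "authentication" and status == "success":
            success[key] += 1
        elif action == "authentication" and status == "failed":
            failed[key] += 1
        elif action == "auth-logout":
            logout[key] += 1
    flagged = sorted(k for k, n in failed.items() if n >= fail_threshold)
    return {"success": success, "failed": failed, "logout": logout, "flagged": flagged}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOGS)
    for (user, srcip), n in report["failed"].items():
        print(f"{user}@{srcip}: {n} failed, "
              f"{report['success'][(user, srcip)]} ok, "
              f"{report['logout'][(user, srcip)]} logout")
    print("flagged:", report["flagged"])
```

With the sample above, cp-user from 172.16.1.100 shows two failures followed by a success and a logout (the Deauthenticate step later in this post would produce the logout), while the three consecutive failures from 172.16.1.200 cross the threshold and are flagged. To run it against a real device, export the User Events log to a file and pass its contents to summarize(); the threshold is a parameter so it can be tuned to the environment.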



You can also view and deauthenticate a Firewall User under Dashboard > Users & Devices > click Firewall Users > Expand to full screen.

Select a specific User Name: cp-user > click Deauthenticate.

Click OK to continue.

Notice cp-user was cleared.

I refreshed the web browser in 172.16.1.100 (Windows 7 VM) but it required me to log in again to the FortiGate Captive Portal.