FortiGate
mauromarme
Staff
Article Id 277635
Description

This article describes how to set up the FortiGate to redirect internal users to an External Captive Portal, so that they must authenticate before being granted network access.

In this scenario, the Captive Portal Server sits behind the FortiGate on a different subnet from the internal users. The Administrator has configured the Portal URL so that it resolves to the Public IP address of the FortiGate and hits a VIP that maps to the Captive Portal Server, which means the traffic hairpins through the FortiGate.


[Figure KB_HAIRPINNING.png: topology of the hairpinned Captive Portal traffic]

Scope
FortiGate v7.2.x
Solution
  1. Check the External Captive Portal URL configured under Security Mode -> Captive Portal on the interface where the Internal Users are connected.


In this example, FortiAuthenticator is used as an External Captive Portal Server.
Confirm that the Authentication Portal URL resolves to the FortiGate WAN IP Address and that there is a VIP configured to map the traffic to the internal IP of the Captive Portal Server.

VIP Example:


config firewall vip
    edit "VIP External Captive Portal"
        set uuid c4f71a50-aca6-51ed-dfc8-77a29ef28840
        set extip <Public IP the External Captive Portal URL is translated to>
        set mappedip <Internal Captive Portal Server IP>
        set extintf <External Interface>
        set portforward enable
        set extport <Captive Portal Server Port>
        set mappedport <Captive Portal Server Port>
    next
end


Note: Double-check that no other VIP uses the same External Port on that external IP; a second matching VIP would receive the portal traffic instead.

 

  2. Create the policies to allow the hairpinning traffic from the internal users to the Captive Portal Server.
    Two policies are necessary to allow that hairpinning traffic: one to permit traffic from the internal users' subnet to WAN, and another to permit traffic from WAN to the Captive Portal Server.

Internal LAN to WAN:
Note:
Remember that Captive Portal authentication is in use, so this policy must not allow all Internet traffic; otherwise, the Captive Portal would be bypassed. It is necessary to permit traffic only to the public IP that the Captive Portal Redirect URL is translated to.

config firewall policy
    edit <Policy ID>
        set status enable
        set name <Policy Name>
        set uuid 98ce72c4-5cb0-51ee-b785-d94ef8cfdbe5
        set srcintf <LAN Users Interface - The interface where Captive Portal is configured>
        set dstintf <WAN Interface>
        set action accept
        set srcaddr <LAN Users Subnet>
        set dstaddr <Public IP that the Captive Portal Redirect URL is translated to> <----- Only the portal's public IP, never "all".
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "Allow access to the Captive Portal from local subnet."
    next
end

 

WAN to Captive Portal Subnet:
Note:
In this policy, the VIP that NATs the FortiGate's Public IP to the Captive Portal Server Private IP is used as the destination (DNAT).

config firewall policy
    edit <Policy ID>
        set name <Policy Name>
        set uuid 7a35cf3c-ab9a-51ed-3490-2972a402cfa3
        set srcintf <WAN Interface>
        set dstintf <Captive Portal Server Interface>
        set action accept
        set srcaddr <LAN Users Subnet>
        set dstaddr "VIP External Captive Portal" <----- This is the VIP for the Captive Portal Server.
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set comments "Allow access to the Captive Portal from local subnet"
    next
end

 

Note that because the hairpinned traffic never leaves the FortiGate, the LAN Internal Users subnet can be used as the source address on this policy, even though the source interface is WAN.
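The two checks this procedure relies on (no second VIP on the same external port, and a LAN-to-WAN policy restricted to the portal's public IP rather than "all") can be verified against a saved configuration before deployment. The following is an added example, not part of this article or of FortiOS: a small parser for FortiOS CLI text plus the two checks, run over a constructed excerpt whose addresses, interface names and VIP names are sample values.

```python
import re
# Constructed FortiOS CLI excerpt (sample values, not from any real device): the hairpin VIP,
# a second VIP colliding on the same external port, and a LAN->WAN policy whose dstaddr is "all".
SAMPLE_CONFIG = """
config firewall vip
    edit "VIP External Captive Portal"
        set extip 203.0.113.10
        set portforward enable
        set extport 443
    next
    edit "VIP Web Server"
        set extip 203.0.113.10
        set portforward enable
        set extport 443
    next
end
config firewall policy
    edit 10
        set dstintf "wan1"
        set dstaddr "all"
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set lines into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            entry[key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
    return tables

def vip_port_conflicts(tables):
    """Groups of port-forwarding VIPs that share one external IP and external port."""
    seen = {}
    for name, vip in tables.get("firewall vip", {}).items():
        if vip.get("portforward") == ["enable"]:
            seen.setdefault((vip["extip"][0], vip["extport"][0]), []).append(name)
    return [sorted(n) for n in seen.values() if len(n) > 1]

def overbroad_portal_policies(tables, wan_intf):
    """IDs of policies toward wan_intf whose dstaddr is 'all': they would let users bypass the portal."""
    pols = tables.get("firewall policy", {}).items()
    return [pid for pid, p in pols if p.get("dstintf") == [wan_intf] and "all" in p.get("dstaddr", [])]
```

Feed it the output of `show firewall vip` and `show firewall policy` from the target unit; any non-empty result from either check points at the misconfiguration the notes above warn about.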

 

Once the policies needed for the hairpinning traffic are created, create the policies for the users authenticated on the Captive Portal Server. This provides more control and security on the network.
If there are issues submitting information on the Captive Portal, or the page is not displayed properly, check the Captive Portal Server configuration. Remember that with this setup, the FortiGate only performs the redirection and policy enforcement.
