Configuring Captive Portal using Radius server.
KB ARTICLE TYPE: Configuration
RELATED PRODUCTS: Controller
RELATED SOFTWARE VERSIONS: This article applies to SD version 6.0 and below.
KEYWORDS: Controller, captive portal
Captive Portal allows guest users to access the network under certain conditions. In addition, you can customize the welcome (splash) page. The authentication can be performed with the RADIUS server or by setting up Guest User IDs for security.
CONFIGURATION STEPS:
From the GUI:
STEP 1: Go to the configuration tab in the web GUI > security > radius > configure the radius profile matching the credentials configured in the Radius server.
STEP 2: Under the Configuration tab > captive portal > configure the Captive portal by mapping the radius profile.
STEP 3: Then under Configuration tab > Click on Security > create security profile with “L2 allowed mode” as required and set the captive portal option to WebAuth.
STEP 4: Then map this security profile to an ESS profile that you have created or to a new ESS.
From CLI:
Configuring the Radius profile:
MeruController1# configure terminal
MeruController1(config)#
MeruController1(config)# radius-profile <profile name>
MeruController1(config-radius)# ip-address <ip address>
MeruController1(config-radius)# key <shared secret key>
MeruController1(config-radius)# port 1812
MeruController1(config-radius)# mac-delimiter <colon/ hyphen/ none/ single hyphen>
MeruController1(config-radius)# password-type <mac-address/ shared-secret>
MeruController1(config-radius)# exit
Configuring the Captive portal:
MeruController1(config)# ssl-server port 10101
MeruController1(config)# ssl-server radius-profile primary <profile-name>
MeruController1(config)# ssl-server radius-profile secondary <profile-name> (if any)
MeruController1(config)# ssl-server accounting-radius-profile primary <profile-name> (if any)
MeruController1(config)# ssl-server accounting-radius-profile secondary <profile-name> (if any)
MeruController1(config)# ssl-server accounting-radius-profile interim-interval <interim-interval: 600-36000 seconds>
MeruController1(config)# ssl-server captive-portal session-timeout <session-timeout: between 0 and 1440 minutes>
MeruController1(config)# ssl-server captive-portal activity-timeout <activity-timeout: period between 0 and 60 minutes>
MeruController1(config)# ssl-server captive-portal override-radius disable
MeruController1(config)#
Configuring the Security and ESS profile:
MeruController1# configure terminal
MeruController1(config)# security-profile <security profile name>
MeruController1(config-security)# allowed-l2-modes clear
MeruController1(config-security)# captive-portal webauth
MeruController1(config-security)# exit
MeruController1(config)# essid <essid name>
MeruController1(config-essid)# security-profile <security profile name>
MeruController1(config-essid)# exit
MeruController1(config)#
EXPECTED BEHAVIOR:
Once the user is authenticated into the wireless network and types a URL in the address bar, the browser is redirected to the captive portal web authentication page sent by the controller. A valid username and password (of a RADIUS user) must be entered for successful authentication, after which the user is directed to the requested web page.
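The shared secret key in the RADIUS profile must match the key configured on the RADIUS server. The following Python sketch is an added example (not Fortinet or Meru code) showing how that key is used in an RFC 2865 exchange: it hides the User-Password in the Access-Request and authenticates the server's reply, so a mismatched key fails verification. All function names, the user, the password and the secret are constructed sample values, and the reply is built locally rather than received from a real server.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2           # RFC 2865 attribute types

def _xor_chain(data, secret, authenticator, hiding):
    """MD5 chaining from RFC 2865 section 5.2, 16 bytes at a time."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, mask))
        prev = result if hiding else block   # always chain on the hidden block
        out += result
    return out

def hide_password(password, secret, authenticator):
    size = max(16, -(-len(password) // 16) * 16)   # pad to a 16-byte multiple
    return _xor_chain(password.ljust(size, b"\x00"), secret, authenticator, True)

def unhide_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(user, password, secret, ident, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, user) + _attr(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def verify_reply(reply, request_auth, secret):
    """Client side: recompute the digest with the locally configured key."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(
        reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample values
    pkt, auth = build_access_request(b"guest1", b"guest-pass", secret, 7)
    reply = build_reply(ACCESS_ACCEPT, 7, auth, secret)
    print("matching key:", verify_reply(reply, auth, secret))
    print("mismatched key:", verify_reply(reply, auth, b"wrong-key"))
```

A reply that fails verification, or a password the server cannot recover, is the typical symptom of a key mismatch between the radius-profile and the RADIUS server.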
Copyright 2024 Fortinet, Inc. All Rights Reserved.