FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mdeparisse_FTNT
Article Id 195021

Purpose
A customer may want to use ClearPass (Amigopod) as an external captive portal.

In that scenario, specific configuration parameters need to be entered on the FortiGate (on the SSID or the network interface) as well as on the Aruba/HP ClearPass server side.


Scope

- Login/splash page hosted on an external web server
- Used to collect the username and password
- Submits the user credentials directly to the FortiGate (FGT) via a POST method
- When the FGT receives the client credentials, it starts the authentication phase
- Once the FGT has authorized the client, the client can access the network with the options granted to it

Expectations, Requirements
How to integrate ClearPass as an external web portal with FortiGate
Configuration

The external redirection is configured using the CLI as shown below:

[Screenshot: ssid cli config.png]

The authentication portal page needs to be defined in the GUI as shown below:

[Screenshot: ssid.png]

A specific filter needs to be created in the policy to allow the user's traffic to be forwarded to the external web portal:

[Screenshot: portal-exempt.png]

These are the exchange phases that take place between the client, the FortiGate and the ClearPass server:

[Screenshot: layer3exch.png]

If needed, additional allowed URLs can be configured in the policy using the command below:

[Screenshot: allowed URL.png]

On the ClearPass server side, some specific extra fields are needed for a proper implementation:
 

ClearPass Captive Portal configuration:

- On the ClearPass side, create a self-registration page and use Vendor Settings: Custom Settings.

- The link below explains how to configure the Submit URL on the captive portal:

http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/

The web portal page is a script that gathers the user's logon credentials and sends back to the FortiGate a POST message of the format https://<FGT_IP>:1000/fgtauth with data magic=session_id&username=<username>&password=<password>. (The magic value was provided in the initial FortiGate request to the web server.)

The configuration shown in the screenshot below is required on the captive portal to make it work with Fortinet:

[Screenshot: guestselfregistration page.png]

- The FortiGate expects a POST message of the format https://<FGT_IP>:1000/fgtauth

- The Fortinet-defined port number is 1000 for HTTP and 1003 for HTTPS.

- Logout: http://192.168.234.193:1000/logout? or https://fgt:1003

Put magic={$extra_fields.magic} in the Extra fields instead of appending it to the Submit URL.

To authenticate the user from ClearPass, a magic ID is expected (the magic value provided in the initial FortiGate request to the web server), which is equal to the session ID in the URL.
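As an added illustration (not code from this article, from Fortinet or from Aruba), the Python below assembles the credential POST described above: it pulls the magic value out of the redirect URL the FortiGate sent the client to, builds the form body with magic carried as a field rather than appended to the Submit URL, and picks the listener port from the mapping the article states (1000 for HTTP, 1003 for HTTPS), defaulting to HTTPS. The hostnames, the portal path and the magic value are constructed placeholders, and the function names extract_magic, build_fgtauth_post and build_logout_url are chosen here.

```python
# Added example, not Fortinet's or Aruba's code: assemble the POST an external
# captive portal returns to the FortiGate, following the format in this article.
# Hostnames, the portal path and the magic value below are constructed placeholders.
from urllib.parse import parse_qs, urlencode, urlsplit

# Ports the article gives for the FortiGate captive-portal listener.
FGT_AUTH_PORT_HTTP = 1000
FGT_AUTH_PORT_HTTPS = 1003


def extract_magic(redirect_url):
    """Return the magic value the FortiGate appended when it redirected the
    client to the external portal. Raises ValueError when it is absent, since
    the FortiGate uses it to tie the credential POST to the client's session."""
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    values = query.get("magic", [])
    if len(values) != 1 or not values[0]:
        raise ValueError("redirect URL carries no usable magic value")
    return values[0]


def _listener(fgt_host, use_https):
    # Scheme/port pairing as stated in the article: HTTP on 1000, HTTPS on 1003.
    scheme, port = ("https", FGT_AUTH_PORT_HTTPS) if use_https else ("http", FGT_AUTH_PORT_HTTP)
    return f"{scheme}://{fgt_host}:{port}"


def build_fgtauth_post(fgt_host, magic, username, password, use_https=True):
    """Return (submit_url, form_body) for the credential POST to /fgtauth.

    magic travels as a form field, matching the article's advice to put
    magic={$extra_fields.magic} in the extra fields rather than on the Submit URL.
    HTTPS on 1003 is the default so the credentials do not cross the wireless
    segment in clear text."""
    submit_url = _listener(fgt_host, use_https) + "/fgtauth"
    # urlencode escapes '&', '=' and '%' inside user input, so a password
    # containing them cannot break the field boundaries of the body.
    form_body = urlencode({"magic": magic, "username": username, "password": password})
    return submit_url, form_body


def build_logout_url(fgt_host, use_https=True):
    """Logout endpoint on the same listener, as listed in the article."""
    return _listener(fgt_host, use_https) + "/logout"


if __name__ == "__main__":
    # Constructed sample: the FortiGate redirected the client to the ClearPass
    # self-registration page and appended the session's magic value.
    redirect = "https://clearpass.example.test/guest/fortinet_login.php?magic=0a1b2c3d4e5f6071"
    magic = extract_magic(redirect)
    url, body = build_fgtauth_post("fgt.example.test", magic, "jdoe", "p&ss=w0rd")
    print(url)   # https://fgt.example.test:1003/fgtauth
    print(body)  # magic=0a1b2c3d4e5f6071&username=jdoe&password=p%26ss%3Dw0rd
```

A redirect without a magic value raises before anything is posted, so the portal can show an error instead of sending credentials the FortiGate could not tie to a session. Note that the article's own sample URL uses https on port 1000; the code follows the 1000/1003 mapping the article states a few lines later, with the HTTP variant left available for labs.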
Troubleshooting

For troubleshooting, debugging of the Fortinet non-blocking authentication daemon (fnbamd) can be used:

diag debug reset
diag debug disable
diag debug application fnbamd -1
diag debug enable

 
