Setting up secure WiFi with a captive portal
A FortiGate unit provides your office with wired networking, but employees also use laptops and mobile devices. These devices need secure WiFi access to both the office network and the Internet. The employees use web applications and are most comfortable authenticating through the web browser.
Set up a captive portal configuration that intercepts connections to the wireless network and displays a portal on wireless clients’ devices. Users must authenticate with the portal to get access to the wireless network.
To configure the portal you must create a user group with a user account for each employee, then create a WiFi network with captive portal authentication. A captive portal appears to be an open WiFi access point, allowing any WiFi device to connect. On the first attempt to connect to a web site, the captive portal presents a web page that requests the user’s logon credentials, which must match credentials in the user group.
Create WiFi network user accounts
1 Go to User > User > User and select Create New to create a user account:
2 Create additional user accounts as needed, one for each employee.
If your employees already have user accounts on the FortiWiFi or FortiGate unit, you can skip this step and use the existing accounts.
3 Go to User > User Group > User Group and select Create New to create a user group:
Add wloman and the other employee accounts to the Members list.
4 Select OK.
Create the SSID and enable the WiFi radio
1 Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless network:
2 Enable DHCP with the following settings:
Default Gateway: Same as Interface IP
DNS Server: Same as System DNS
3 Configure the security settings as follows:
4 Select OK.
5 Go to WiFi Controller > Managed Access Points > Local WiFi Radio and select Enable WiFi Radio.
Create firewall and security policy settings
1 Go to Policy > Policy > Policy and select Create New to add a WiFi-to-Office network policy that allows WiFi users to access the office network.
Source NAT is not required for this policy since the WiFi and internal networks are visible to each other.
2 Select Create New to add a WiFi-to-Internet policy that allows WiFi users to access the Internet.
3 Select Enable NAT and Use Destination Interface Address.
4 Select OK.
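The same configuration can be entered from the FortiOS CLI. The following is an added CLI equivalent of the steps above, not text from the original recipe; the interface IP range, the user group name wifi_users, the office interface name internal and the WAN interface name wan1 are assumptions, and the password is a placeholder:

```fortios
# User account for one employee (repeat for each employee); password is a placeholder
config user local
    edit "wloman"
        set type password
        set passwd "REPLACE_WITH_PASSWORD"
    next
end

# User group that the captive portal checks credentials against (name assumed)
config user group
    edit "wifi_users"
        set member "wloman"
    next
end

# Open SSID with captive portal authentication limited to the group above
config wireless-controller vap
    edit "our_wifi"
        set ssid "our_wifi"
        set security captive-portal
        set selected-usergroups "wifi_users"
    next
end

# Interface address and DHCP server for the WiFi clients (addresses assumed);
# default-gateway is the interface IP, dns-service default uses the system DNS
config system interface
    edit "our_wifi"
        set ip 10.10.80.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set interface "our_wifi"
        set default-gateway 10.10.80.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.80.2
                set end-ip 10.10.80.254
            next
        end
    next
end

# WiFi-to-Office policy: no NAT, the two networks route to each other directly
config firewall policy
    edit 0
        set srcintf "our_wifi"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # WiFi-to-Internet policy: NAT to the destination (WAN) interface address
    edit 0
        set srcintf "our_wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two points worth keeping in mind when applying this. First, because the SSID is open, the captive portal provides authentication only: nothing between the client and the access point is encrypted at the WiFi layer, so the office-network policy should be as narrow as the employees' applications allow rather than service "ALL". Second, once a user has logged in you can confirm the session from the CLI with diagnose firewall auth list, which lists the same authenticated users that the User > Monitor > Firewall page shows.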
On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. Your device should connect quickly because no password is required at this stage.
Some mobile devices display the Fortinet Terms and Disclaimer Agreement portal as soon as you connect to the SSID. Some devices only display the portal when you open a web browser and attempt to connect to an Internet destination. Select the I accept... check box below the Agreement text to indicate that you agree. Enter the wloman user name and password, then select Continue. Your requested web site should then be displayed and you can otherwise use the WiFi network. You can continue browsing until your authentication times out. Then, you will have to accept the disclaimer and re-enter your logon credentials again.
You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that are connected to your WiFi network.
In User > Monitor > Firewall, you can see the authenticated captive portal user: