Setting up secure WiFi with a captive portal
Problem
A FortiGate unit provides your office with wired networking, but employees also use laptops and mobile devices. These devices need secure WiFi access to both the office network and the Internet. The employees use web applications and are most comfortable authenticating through the web browser.
Solution
Watch the video: http://docs.fortinet.com/cb/wifi4.html
Set up a captive portal configuration that intercepts connections to the wireless network and displays a portal on wireless clients’ devices. Users must authenticate with the portal to get access to the wireless network.
To configure the portal, you must create a user group with a user account for each employee, and create a WiFi network with captive portal authentication.
A captive portal appears to be an open WiFi access point, allowing any WiFi device to connect. On the first attempt to connect to a web site, the captive portal presents a web page that requests the user’s logon credentials, which must match credentials in the user group.
Create WiFi network user accounts
1 Go to User > User > User and select Create New to create a user account:
User Name: wloman
Password: my_secure_pwd
2 Create additional user accounts as needed, one for each employee.
If your employees already have user accounts on the FortiWiFi or FortiGate unit, you can skip this step and use the existing accounts.
3 Go to User > User Group > User Group and select Create New to create a user group:
Name: wifi_users
Type: Firewall
Members: Add wloman and the other employee accounts to the Members list.
4 Select OK.
Create the SSID and enable the WiFi radio
1 Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless network:
Interface Name: wifi
IP/Netmask: 10.10.10.1/255.255.255.0
SSID: our_wifi
2 Enable DHCP with the following settings:
Address Range: 10.10.10.10-10.10.10.210
Netmask: 255.255.255.0
Default Gateway: Same as Interface IP
DNS Server: Same as System DNS
3 Configure the security settings as follows:
Security Mode: Captive Portal
User Groups: wifi_users
4 Select OK.
5 Go to WiFi Controller > Managed Access Points > Local WiFi Radio and select Enable WiFi Radio.
Create firewall and security policy settings
1 Go to Policy > Policy > Policy and select Create New to add a WiFi-to-Office network policy that allows WiFi users to access the office network:
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: port1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Source NAT is not required for this policy since the WiFi and internal networks are visible to each other.
2 Select Create New to add a WiFi-to-Internet policy that allows WiFi users to access the Internet.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
3 Select Enable NAT and Use Destination Interface Address.
4 Select OK.
Results
On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. Your device should connect quickly because no password is required at this stage.
Some mobile devices display the Fortinet Terms and Disclaimer Agreement portal as soon as you connect to the SSID. Other devices display the portal only when you open a web browser and attempt to connect to an Internet destination.
Select the I accept... check box below the Agreement text to indicate that you agree. Enter wloman as Username and my_secure_pwd as Password, then select Continue. Your requested web site should then be displayed and you can otherwise use the WiFi network.
You can continue browsing until your authentication times out. Then you will have to accept the disclaimer and re-enter your logon credentials.
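A check for the behaviour described above, added here as an example and not taken from the Fortinet documentation: it classifies one plain-HTTP probe from a WiFi client as intercepted by the portal or passed through, so you can confirm that a client has no Internet access before logging on and normal access afterwards. The probe URL, the token, and the sample responses are placeholders constructed for illustration.

```python
import urllib.error
import urllib.request

# Assumptions, not from the original page: PROBE_URL is a plain-HTTP page you
# control on the Internet side, and its body contains TOKEN when reached directly.
PROBE_URL = "http://probe.example.com/wifi-check.txt"  # placeholder
TOKEN = "wifi-check-ok"                                # placeholder


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def fetch(url, timeout=5):
    """Return (status, Location header, body) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all arrive here
        return err.code, err.headers.get("Location"), err.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):  # no route, DNS failure, timeout
        return 0, None, ""


def classify(status, location, body, token=TOKEN):
    """Say what one probe result implies about captive portal enforcement."""
    if status == 200 and token in body:
        return "open"          # the real probe page came back: no interception
    if 300 <= status < 400 and location:
        return "intercepted"   # redirected, e.g. to a logon page
    if status == 200:
        return "intercepted"   # another page was served in place of the probe page
    return "inconclusive"      # error or no answer; fix connectivity and retest


def enforcement_ok(logged_in, result):
    """True when the observed state matches what the portal should enforce."""
    return classify(*result) == ("open" if logged_in else "intercepted")


if __name__ == "__main__":
    # Constructed sample results; on a test client use fetch(PROBE_URL) instead.
    before_login = (302, "http://10.10.10.1/logon", "")
    after_login = (200, None, "wifi-check-ok\n")
    print("before login:", classify(*before_login), enforcement_ok(False, before_login))
    print("after login: ", classify(*after_login), enforcement_ok(True, after_login))
```

A result of "open" before logging on means the client reached the Internet without authenticating, so recheck the SSID security mode and the policies on the wifi interface.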
You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that are connected to your WiFi network.
In User > Monitor > Firewall, you can see the authenticated captive portal user.