Captive portal Tricks & Tweaks on Fortigate Firewall

You can configure your FortiGate firewall with captive portal user-based authentication for both wired and wireless user traffic. There are a few places in the FortiGate firewall where you can control these settings.

#Fortigate captive portal:

To disable HTTP-based captive portal redirection and enable secure HTTP:

config user setting
set auth-secure-http enable
end

Or, for HTTP-only redirection:

config user setting
set auth-secure-http disable
end

Use HTTP-only redirection to avoid certificate pinning problems or HSTS (HTTP Strict-Transport-Security) browser warnings, since websites that enforce these treat the captive portal redirect as a man-in-the-middle.

NOTE: FortiGate uses port 1000 for HTTP and port 1003 for HTTPS based redirection. These ports can be changed to ones of your choice.

config system global
set auth-https-port xxxx    (default = 1003)
end
#To redirect with FQDN & not IP address:

To redirect the captive portal to a DNS name rather than an IP address, which masks the FortiGate's IP address during the redirection process:

config firewall auth-portal
set portal-addr my.fqdn.com
end

# Since the captive portal now runs over HTTPS with an FQDN, the FortiGate needs a trusted certificate for the CP redirection and authentication pages.

config user setting
set auth-cert <auth-cert>
set auth-ca-cert <auth-ca-cert>
end

Note:

auth-cert -> the actual server certificate, whose subject/SAN must match the FQDN configured as the portal address
&
auth-ca-cert -> the root CA that signed your captive portal certificate.
# To enable the captive portal on a LAN interface for user traffic:

config system interface
edit "port12_lan"
set vdom "Praveen_NAT"
set ip 2.2.2.2 255.255.255.0
set allowaccess ping https ssh snmp http
set security-mode captive-portal
next
end
#Enable Captive Portal at firewall policy level

You can also enable the captive portal parameters at the firewall policy level. Settings at the policy level override the global parameters under "config user setting", which lets you manage different portal redirections and certificates for multiple clients.

config firewall policy
edit <my_policy_ID>
set auth-redirect-addr "my.fqdn.com"
next
end

config firewall policy
edit <my_policy_ID>
set auth-cert <auth-cert>
next
end

config firewall policy
edit <my_policy_ID>
set disclaimer enable
set redirect-url "https://www.google.com"
next
end

Note: If you set a user group for the interface with "security-mode captive-portal", the user lands on the login portal page asking for username/password. If you do not set any group, "allow all" is applied and the user is only shown the disclaimer page.

#A wireless interface/SSID (tunnel mode) has email collection as its default authorization service, to allow secure access.

config wireless-controller vap
edit Guest_Access
set security captive-portal
set portal-type email-collect
next
end

If you want to enable email collection on a wired interface, you have to customize the default landing page to do so. This requires some experience editing the code of the default page so that it collects the email address seamlessly and then authenticates and authorizes the user's access.

#If you want to exempt certain users/devices from captive portal redirection, create a firewall policy for them with the exemption enabled:

config firewall policy
edit <id>
set captive-portal-exempt enable
next
end
#Customizing Captive portal pages:

This section helps you customize the default Fortinet-provided templates to match your company policy and banner/logo.


#Replacement message groups

Replacement message groups let you use customized replacement messages for an individual policy or profile.

If you want this feature visible in the GUI:

config system settings
set gui-replacement-message-groups enable
end

To edit from the CLI:

config system replacemsg-group
edit <group>
set group-type {auth | utm}
config <message_category>
edit <message_type>
set buffer <message>
set header {none | http | 8bit}
set format {none | text | html}
next
end
next
end

To apply at the firewall policy level:

config firewall policy
edit <id>
set replacemsg-override-group "name"
set inspection-mode proxy
next
end

 

#Force a disclaimer page on a firewall policy whose source interface already has another firewall policy that allows all traffic.

In this situation, even though the disclaimer policy sits above the allow-all policy, traffic from the user for whom you created the disclaimer policy still hits the allow-all policy.

Reason: the disclaimer page does not behave like the user-authentication captive portal page.

Prompting for user authentication is automatic: when traffic is matched against the policy table and falls all the way through, and there are authentication policies that could have matched, the FortiGate prompts for authentication automatically.

A disclaimer is a special type of user authentication. It works like a hidden group called "accepted disclaimer users".

Therefore, with policy 1 (disclaimer) and policy 2 (allow all) both active, what happens is:
- the first packet does NOT hit policy 1, because the user has never accepted the disclaimer and so has never been authenticated into the hidden "accepted disclaimer users" group;
- the packet DOES match policy 2, because that policy matches the entire interface.

Firewall policies for example:

config firewall policy
edit 1
set srcintf "Guest"
set dstintf "Internet"
set srcaddr "test-guest-user"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
set groups "Group-Wifi"
set disclaimer enable
set auth-cert "wildcard cert"
set auth-redirect-addr "praveen.domain.com"
set nat enable
next

edit 2
set uuid 9a14bfdc-34c2-51e9-b6c4-af2e5582216d
set srcintf "Guest"
set dstintf "Internet"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set nat enable
next
end

So the workaround is to change firewall policy 2 as follows:

config firewall policy
edit 2
set uuid 9a14bfdc-34c2-51e9-b6c4-af2e5582216d
set srcintf "Guest"
set dstintf "Internet"
set srcaddr "test-guest"
set srcaddr-negate enable
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set nat enable
next
end

Negating the source address on policy 2 means traffic from "test-guest" no longer matches policy 2, so it falls through the policy table and is forced through policy 1, which then prompts for the disclaimer. For this to work, the address object negated on policy 2 must be the same object used as the srcaddr of policy 1 (the listing above uses "test-guest-user" on policy 1 and "test-guest" on policy 2; both must refer to the same address).
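To make the fall-through behaviour above concrete, here is an added simulation of the policy-table walk for the disclaimer case (illustration code written for this post, not FortiGate code; the matching rules are a simplified model of what the post describes, and the policy/address names are the constructed ones from the listing):

```python
from dataclasses import dataclass

@dataclass
class Policy:
    pid: int
    srcaddr: set                 # address objects; "all" matches any source
    srcaddr_negate: bool = False
    disclaimer: bool = False     # needs the hidden "accepted disclaimer users" group

@dataclass
class Packet:
    src_obj: str                       # address object the source IP resolves to
    accepted_disclaimer: bool = False  # user already authenticated via disclaimer

def addr_matches(policy: Policy, pkt: Packet) -> bool:
    """Source-address match, honouring srcaddr-negate."""
    hit = "all" in policy.srcaddr or pkt.src_obj in policy.srcaddr
    return not hit if policy.srcaddr_negate else hit

def evaluate(policies, pkt):
    """Walk the policy table top-down (simplified model of the post's rules).

    Returns ("accept", pid), ("prompt", pid) when the packet fell through but
    an auth (disclaimer) policy could have matched, or ("deny", None).
    """
    pending_auth = None
    for pol in policies:
        if not addr_matches(pol, pkt):
            continue
        if pol.disclaimer and not pkt.accepted_disclaimer:
            # Address matched but the hidden auth group did not: remember the
            # first such policy and keep looking for a plain match.
            if pending_auth is None:
                pending_auth = pol.pid
            continue
        return ("accept", pol.pid)
    return ("prompt", pending_auth) if pending_auth is not None else ("deny", None)

# Constructed policy tables mirroring the listing: policy 1 is the disclaimer
# policy for the guest address object, policy 2 is the interface-wide allow.
BROKEN = [Policy(1, {"test-guest"}, disclaimer=True), Policy(2, {"all"})]
FIXED = [Policy(1, {"test-guest"}, disclaimer=True),
         Policy(2, {"test-guest"}, srcaddr_negate=True)]

if __name__ == "__main__":
    print(evaluate(BROKEN, Packet("test-guest")))                          # ('accept', 2)
    print(evaluate(FIXED, Packet("test-guest")))                           # ('prompt', 1)
    print(evaluate(FIXED, Packet("test-guest", accepted_disclaimer=True))) # ('accept', 1)
    print(evaluate(FIXED, Packet("other-host")))                           # ('accept', 2)
```

Without srcaddr-negate the guest is silently accepted by policy 2 and never sees the disclaimer; with it, the guest falls through and is prompted by policy 1, while every other source still reaches the allow-all policy.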