
Thursday, May 21, 2015

Fortigate Captive Portal with exempt



Configure Fortigate captive portal:

Go to User & Device -> User Definition

Click Create New

Configure user account

Go to User & Device -> User Groups

Click Create New

Configure captive-portal group (for example CP_GROUP)



Go to System -> Network -> Interfaces

Create new interface (according to your topology)

Fill in the required information (addressing mode, IP address, DHCP etc.)

Select Captive Portal under Security Mode

Select the User Groups (CP_GROUP)

Click OK



Now go to Policy & Objects -> Policy -> IPv4 

Click Create New

Create the firewall policy according to your needs

Click OK

 
Now you have a network with captive portal authentication.

Now let's say we want all iPhones to use this network without going through the captive portal. For that we have to use the CLI to enable the exemption on the firewall policy:

FWG # config firewall policy
FWG (policy) # edit 12
FWG (12) # set captive-portal-exempt enable
FWG (12) # end

The policy ID (12 in this example) is the ID of the IPv4 policy that we created for this network.

Now return to the web GUI and go to System -> Network -> Interfaces -> LAB (my CP network) and click edit

Click the ‘+’ sign next to the Exempt List and choose iPhone (or any other type of device/user/group) that you would like to exempt from the captive portal authentication.

Click OK



This exemption can be used for many different requirements, such as time-management clocks, printers, digital signage etc., which can't authenticate through the captive portal.
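
Since exempted policies let traffic through without captive portal authentication, it is worth keeping track of them. The following is an added example, not part of the original post: it scans a saved FortiGate configuration backup for firewall policies that have captive-portal-exempt enabled. The sample configuration is constructed and the function name exempt_policies is hypothetical.

```python
import shlex

# Constructed sample in FortiOS backup syntax; policy 12 and interface LAB
# mirror the post's example, everything else is made up for the demo.
SAMPLE_CONFIG = """\
config firewall policy
    edit 11
        set srcintf "internal"
        set srcaddr "all"
        set service "ALL"
    next
    edit 12
        set srcintf "LAB"
        set srcaddr "all"
        set service "ALL"
        set captive-portal-exempt enable
    next
end
"""

def exempt_policies(config_text):
    """Return one dict per firewall policy that has captive-portal-exempt enabled."""
    findings, current = [], None
    depth = None  # None = outside "config firewall policy"; 0 = directly inside it
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line) or [""]
        except ValueError:  # unbalanced quote (multi-line value): skip the line
            continue
        if tok[0] == "config":
            if depth is not None:
                depth += 1  # nested table inside a policy entry
            elif tok[1:] == ["firewall", "policy"]:
                depth = 0
        elif tok[0] == "end" and depth is not None:
            depth = depth - 1 if depth else None
        elif depth == 0 and tok[0] == "edit" and len(tok) > 1:
            current = {"id": tok[1]}
        elif depth == 0 and tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = " ".join(tok[2:])
        elif depth == 0 and tok[0] == "next":
            if current and current.get("captive-portal-exempt") == "enable":
                findings.append(current)
            current = None
    return findings

if __name__ == "__main__":
    for p in exempt_policies(SAMPLE_CONFIG):
        print(f"policy {p['id']}: srcintf={p.get('srcintf')} srcaddr={p.get('srcaddr')}")
```

Run it against a real backup by passing the file's text to exempt_policies, then compare each reported policy's source interface and addresses with the Exempt List configured on that interface.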




