Fortinet (FortiGate)

IMPORTANT: You need FortiOS v5.6 or above in order to proceed.


Please log in to your FortiGate web interface and click User & Device > RADIUS Servers on the left menu. Click Create New and configure with:

  • Name: guestradius
  • Primary Server: *insert radius_server here*
  • Primary Shared Secret: *insert radius_secret here*
  • Secondary Server: *insert radius_server2 here*
  • Secondary Shared Secret: *insert radius_secret here*
  • Authentication Method: Specify
  • Method: PAP


Click OK to Save. Next, click on User Groups and Create New. Configure with:

  • Name: guestgroup
  • Type: Firewall


Under Remote groups click Create New and under Remote Server choose guestradius. Click OK to Save.


Next, click Policy & Objects > IP. Click Create New > Address. Configure with:

  • Category: Address
  • Name: guestonline
  • Type: IP/Netmask
  • Subnet / IP Range: 10.1.0.0/255.255.255.0
  • Interface: any
  • Show in Address List: Enabled


Click OK to Save. Next, click Create New > Address again and configure with:

  • Category: Address
  • Name: *insert access_domain here*
  • Type: FQDN
  • FQDN: *insert access_domain here*


Click OK to Save.


Repeat the steps above to create an FQDN address for each of the domains below.

  • r1-portal.venuewifi.com
  • r2-portal.venuewifi.com
  • r3-portal.venuewifi.com
  • payment-r1.venuewifi.com
  • payment-r2.venuewifi.com
  • payment-r3.venuewifi.com
  • api.openweathermap.org
  • d1ldbb6wxu8wdm.cloudfront.net
  • api.stripe.com

Additionally, if you wish to support social network logins, you also need to add the domains below for each network you plan to support.

Facebook

  • facebook.com
  • www.facebook.com
  • m.facebook.com
  • scontent-lhr3-1.xx.fbcdn.net
  • fbstatic-a.akamaihd.net
  • connect.facebook.net

Twitter

  • twitter.com
  • www.twitter.com
  • api.twitter.com
  • abs.twimg.com
  • abs-0.twimg.com

LinkedIn

  • linkedin.com
  • www.linkedin.com
  • touch.linkedin.com
  • static.licdn.com

Instagram

  • instagram.com
  • www.instagram.com
  • instagramstatic-a.akamaihd.net

Weibo

  • weibo.com
  • www.weibo.com
  • login.sina.com.cn

VKontakte

  • vk.me
  • www.vk.me
  • vk.com
  • www.vk.com


Next, under Addresses click Create New > Address Group. Configure with:

  • Category: IPv4 Group
  • Group Name: guestwhitelist
  • Members: click the + button and select all the domains you added earlier.


Click OK to Save.
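
The FQDN address objects and the guestwhitelist group above can also be entered through the FortiOS CLI rather than one at a time in the GUI. The following is an added example, not part of the original guide: it generates those CLI commands from a domain list and rejects wildcard, URL and IP entries instead of passing them through. The names valid_fqdn, build_whitelist_cli and SAMPLE are hypothetical, and the sample list is constructed from a few of the guide's domains plus deliberately bad entries.

```python
import re

# One DNS label: 1-63 chars of a-z, 0-9 or "-", not starting or ending with "-".
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def valid_fqdn(name):
    """True for a plain hostname; wildcards, URLs and IP addresses are rejected."""
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(_LABEL.fullmatch(label) for label in labels)

def build_whitelist_cli(domains, group="guestwhitelist"):
    """Return (cli_text, rejected) for the FQDN objects and the address group."""
    names, rejected = [], []
    for raw in domains:
        name = raw.strip().lower().rstrip(".")
        if not valid_fqdn(name):
            rejected.append(raw)      # report it; never widen the whitelist silently
        elif name not in names:
            names.append(name)        # de-duplicate, keep input order
    if not names:
        raise ValueError("no valid domains to whitelist")
    lines = ["config firewall address"]
    for name in names:
        lines += [f'    edit "{name}"', "        set type fqdn",
                  f'        set fqdn "{name}"', "    next"]
    members = " ".join(f'"{n}"' for n in names)
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              f"        set member {members}", "    next", "end"]
    return "\n".join(lines), rejected

# Constructed sample input: three domains from the guide (one duplicated in a
# different case) plus a wildcard and a URL that must be rejected.
SAMPLE = [
    "r1-portal.venuewifi.com",
    "API.Stripe.com",
    "api.stripe.com",
    "*.facebook.com",
    "https://twitter.com",
    "d1ldbb6wxu8wdm.cloudfront.net",
]

if __name__ == "__main__":
    cli, bad = build_whitelist_cli(SAMPLE)
    print(cli)
    print("# rejected entries:", bad)
```

Review the rejected entries and the generated commands before pasting them into the FortiGate CLI, since every destination in guestwhitelist is reachable by clients that have not yet authenticated.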


Next, click WiFi & Switch Controller > SSID on the left. Click Create New > SSID. Configure with:

  • Interface Name: guestwifi
  • Type: WiFi SSID
  • Traffic Mode: Tunnel to Wireless Controller
  • Address: 10.1.0.1/255.255.255.0
  • DHCP Server: Enabled
  • DNS Server: Specify: 8.8.8.8
  • SSID: Guest WiFi (or whatever you wish)
  • Security Mode: Captive Portal
  • Portal Type: Authentication
  • Authentication Portal: External: *insert access_url here*
  • User Groups: guestgroup
  • Broadcast SSID: Enabled
  • Block Intra-SSID Traffic: Enabled
  • Redirect after Captive Portal: Specific URL: *insert redirect_url here*


Click OK to Save. Next, under IPv4 Policy click Create New. Configure with:

  • Name: guestwifi
  • Incoming Interface: Guest WiFi (guestwifi)
  • Outgoing Interface: wan1 (your WAN connection)
  • Source: all
  • Destination Address: guestwhitelist
  • Schedule: always
  • Service: ALL
  • Action: ACCEPT
  • Enable this policy: Enabled


Click OK to Save. Click Create New again and configure with:

  • Name: guestwifionline
  • Incoming Interface: Guest WiFi (guestwifi)
  • Outgoing Interface: wan1 (your WAN connection)
  • Source: guestonline
  • Destination Address: all
  • Schedule: always
  • Service: ALL
  • Action: ACCEPT
  • Enable this policy: Enabled


Click OK to Save.


