fortigate wireguard - yar145/mytestrepo1 GitHub Wiki
FortiToken Cloud FortiAuthenticator
Technical Tip: Fortigate LDAP Authentication towards FreeIPA
WireGuard: Next Generation Kernel Network Tunnel
Deploying FortiGate-VM using Terraform
SD-WAN Transit Gateway Connect
FortiOS FGCP AP HA (Single AZ) in AWS
The typical captive portal workflow for an end-user with a FortiGate/FortiWiFi:
- End-user browser attempts to go through the FortiGate/FortiWiFi to access a website.
- (Optional step) FortiGate/FortiWiFi sends a MAC Authentication Bypass (MAB) RADIUS authentication request using the end-user's MAC address to the FortiAuthenticator.
- (Optional step) FortiAuthenticator processes the MAB request. It returns an Access-Accept response with the authorized group name RADIUS attribute if the MAC address is authorized, or an Access-Accept response without the authorized group name RADIUS attribute otherwise.
- (Optional step) Upon an Access-Accept response and correct group membership, the end-user browser bypasses the captive portal and is allowed through to the requested website. The workflow stops here.
- FortiGate/FortiWiFi intercepts the request and redirects the browser to the FortiAuthenticator's captive portal. The redirect takes the form of an HTTPS request whose parameters carry information unique to this particular authentication session. Here is a FortiGate/FortiWiFi redirect sample: https://192.168.30.47/portal/?post=http://192.168.30.1:1000/fgtauth&magic=040d028c9aaae999&usermac=6...
- FortiAuthenticator successfully authenticates the end-user.
- FortiAuthenticator redirects the end-user browser to the FortiGate/FortiWiFi's captive portal API specified in the 'post' parameter of the original captive portal redirect, e.g. http://192.168.30.1:1000/fgtauth in the above sample. The API call also contains the 'magic' parameter (also from the original redirect), in addition to a username and password.
- FortiGate/FortiWiFi uses the 'magic' parameter to associate the API request with the firewall session that triggered the original redirect, and triggers a RADIUS authentication request to the FortiAuthenticator using the username and password from the API request.
- FortiAuthenticator verifies the credentials from the RADIUS authentication request. If valid, it returns a RADIUS Access-Accept response containing the appropriate RADIUS attributes.
- FortiGate/FortiWiFi redirects the end-user browser to a website.
On the Fortinet website I have found the following:
http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/
The web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a POST message of the format https://<FGT_IP>:1000/fgtauth with data magic=session_id&username=&password=. (The magic value was provided in the initial FortiGate request to the web server.) The script used for this example is here.
I have seen that the initial redirect looks something like:
So the "magic" id is provided by the initial redirect from the FortiGate.
Configuring an external captive portal
An external captive portal is a web page on a web server as opposed to the built-in captive portal on FortiGate. The essential part of the web portal page is a script that gathers the user's logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a "walled garden".
On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data magic=session_id&username=&password=. (The magic value was provided in the initial FortiGate request to the web server.)
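The redirect-and-POST exchange from the workflow above and the fgtauth format described in this paragraph, as an added example (not Fortinet's or the cookbook's script): it parses the FortiGate redirect, checks that the 'post' target is an allow-listed FortiGate fgtauth endpoint before any credentials are sent back (a tampered 'post' parameter would otherwise make the portal deliver the user's credentials elsewhere), forces HTTPS for the submission, and builds the magic/username/password body. The allow-list address and the usermac value are constructed; the magic format check is an assumption based on the page's sample.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed allow-list: FortiGate addresses this portal may post credentials to.
# The redirect's 'post' parameter arrives from the client side, so it is checked
# against this list instead of being followed blindly.
ALLOWED_FGT_HOSTS = {"192.168.30.1"}
FGTAUTH_PORT = 1000          # port used in the page's sample: http://192.168.30.1:1000/fgtauth
FGTAUTH_PATH = "/fgtauth"

# Redirect as in the page's sample, with a constructed usermac value.
SAMPLE_REDIRECT = ("https://192.168.30.47/portal/?post=http://192.168.30.1:1000/fgtauth"
                   "&magic=040d028c9aaae999&usermac=00-11-22-33-44-55")


def parse_redirect(url):
    """Return the post, magic and usermac parameters of a FortiGate captive-portal redirect."""
    q = parse_qs(urlsplit(url).query)
    for name in ("post", "magic"):
        if name not in q:
            raise ValueError(f"redirect is missing the '{name}' parameter")
    magic = q["magic"][0]
    # Assumption: magic is a hex token, as in the sample; anything else is rejected.
    if not re.fullmatch(r"[0-9a-fA-F]+", magic):
        raise ValueError("unexpected magic format")
    return {"post": q["post"][0], "magic": magic, "usermac": q.get("usermac", [None])[0]}


def validate_post_target(post):
    """Accept only <allow-listed FortiGate>:1000/fgtauth and force HTTPS on it."""
    u = urlsplit(post)
    if (u.scheme not in ("http", "https") or u.hostname not in ALLOWED_FGT_HOSTS
            or u.port != FGTAUTH_PORT or u.path != FGTAUTH_PATH):
        raise ValueError(f"refusing to post credentials to {post!r}")
    # Credentials go over HTTPS regardless of the scheme in the redirect
    # (matches 'set auth-secure-http enable' on the FortiGate).
    return u._replace(scheme="https").geturl()


def build_fgtauth_post(redirect_url, username, password):
    """Build (target URL, form body) for the fgtauth call: magic=...&username=...&password=..."""
    info = parse_redirect(redirect_url)
    target = validate_post_target(info["post"])
    body = urlencode({"magic": info["magic"], "username": username, "password": password})
    return target, body


if __name__ == "__main__":
    print(build_fgtauth_post(SAMPLE_REDIRECT, "alice", "s3cret"))
```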
To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

```
config user setting
    set auth-secure-http enable
end
```
To configure an auth-mac portal in tunnel mode (CLI):

To support a MAC authentication portal (such as Cisco ISE authentication) in tunnel mode, you must set portal-type to auth-mac.

```
config wireless-controller vap
    edit wifi-cap
        set ssid "fortinet-guest"
        set security captive-portal
        set portal-type auth-mac
        set radius-mac-auth enable
        set radius-mac-auth-server "CISCO_ISE"
        set radius-mac-auth-usergroups "registered"
        set external-web "https://<ISE_Portal>:8443/portal/g?p=123456789"
    next
end
```
- MAC Registration Redirection (Ruckus Cloudpath)
- Configuring MAC Registration Lists in the Cloudpath UI
- MAC Registration Process
- Cloudpath Enrollment System MAC Registration Configuration Guide, 5.9R4
- Cloudpath Enrollment System MAC Registration Guide, 5.7
- Configuring Cloudpath ES to Support MAC Registration
- Cloudpath Guest Onboarding Using SmartZone and MAC Authentication
- Captive Portal Security
- Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external captive portal on Bridge mode SSID
How to enable MAC address bypass on FortiGate interfaces

`show system interface`

```
config system interface
    edit "wqtn.23.FG-gues"
        set vdom "root"
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set device-identification enable
        set snmp-index 24
        set color 6
        set interface "FG-guest"
        set vlanid 4093
    next
end
config system interface
    edit "wqtn.23.FG-gues"
        set security-mac-auth-bypass enable
    next
end
```