| Important Notice: Your controller must be running 10.21 or above. |
Configuration Instructions
Please log in to your Fortinet WLC controller and click Configuration > RADIUS on the left menu.
Click on Add and configure as per the following:
| RADIUS Profile Name | guestwifi1 |
| RADIUS IP | *insert radius_server_ip here* |
| RADIUS Secret | *insert radius_secret here* |
| RADIUS Port | 1812 |
| Remote RADIUS Server | Off |
| MAC Address Delimiter | Hyphen (-) |
| Password Type | MacAddress |
| Called-Station-ID Type | MacAddress |
| COA | On |
Click on OK and then Add. Configure as per the following:
| RADIUS Profile Name | guestwifi2 |
| RADIUS IP | *insert radius_server2_ip here* |
| RADIUS Secret | *insert radius_secret here* |
| RADIUS Port | 1812 |
| Remote RADIUS Server | Off |
| MAC Address Delimiter | Hyphen (-) |
| Password Type | MacAddress |
| Called-Station-ID Type | MacAddress |
| COA | On |
Click OK and then on the left menu click QoS Settings. Select the QoS and Firewall Rules tab.
Click Add and configure as per the following:
| ID | 1 |
| Destination IP | *insert walled_garden_ip here* (Match: Ticked) |
| Destination Netmask | 255.255.255.255 |
| Firewall Filter ID | GUEST (Match: Ticked) |
| QoS Protocol | other |
| Action | FORWARD |
| Traffic Control | On |
Press OK to Save, and then click Add again. Configure as per the following:
| ID | 2 |
| Source IP | *insert walled_garden_ip here* (Match: Ticked) |
| Source Netmask | 255.255.255.255 |
| Firewall Filter ID | GUEST (Match: Ticked) |
| QoS Protocol | other |
| Action | FORWARD |
| Traffic Control | On |
Press OK to Save and then on the left menu, under Security click on Captive Portal. Select the Captive Portal Profiles tab and then click Add. Configure as per the following:
| CP Name | guestwifi |
| Authentication Type | radius |
| Primary Authentication | guestwifi1 |
| Secondary Authentication | guestwifi2 |
| Primary Accounting | guestwifi1 |
| Secondary Accounting | guestwifi2 |
| External Portal URL | *insert access_url here* |
| Public IP of Controller | Enter the public IP of your controller (see important note below) |
| Session Timeout | 1440 |
| Activity Timeout | 60 |
| CNA Bypass | Off |
| IMPORTANT NOTE: You will also need to set up an inbound port forward rule on your firewall/router to forward TCP port 443 to your internal controller IP. This is required so that we can submit authentication requests from our cloud servers. Without this, guest authentication cannot proceed and the user will be unable to log in. Contact support if you require help with this. |
Click on Add to Save and then on the left menu, under Security click on Profile then Add. Configure as per the following:
| Security Profile Name | guestwifi |
| L2 Modes Allowed | Clear |
| Captive Portal | WebAuth |
| Captive Portal Profile | guestwifi |
| Captive Portal Authentication Method | external |
| Firewall Capability | configured |
| Passthrough Firewall Filter ID | GUEST |
Click OK to Save and then on the left menu, under Wireless click on ESS then Add. Configure as per the following:
| ESS Profile | guestwifi |
| Enable/Disable | Enable |
| SSID | Guest WiFi (or whatever you wish) |
| Security Profile | guestwifi |
| Accounting Interim Interval | 600 |
| SSID Broadcast | On |
| Dataplane Mode | Tunnelled |
Click OK to Save.
Additional Configuration
Click on Add and set the following:
| Classification: | L7 |
Click on Custom Web Applications and then click the + button. Add the required domains as described below. Please refer to this list.
| Group | Web Applications |
| Type | Host Name |
| Matching Pattern | *insert domain here* |
You need to select each of the entries you just added and click the Top button to move them to the top of the list.
Next, under Global on the left, choose Authentication.
Click on guest1 and change the following:
| Default Protocol | PAP |
Click on Save to continue.
Next, click on WLAN Services on the left and then click on GuestWLAN.
Under the Auth & Acct tab, click on Configure... and then set the following:
| EWC IP & Port | Ticked |
| Associated BSSID | Ticked |
| Station's MAC address | Ticked |
| Use HTTPS for User Connections | Unticked |
| Send Successful Login To: | custom specific URL: *insert redirect_url here* |
Click on Close to save.
Next, click on guest1 under Server and choose the Configure button just to the right. Set the following:
| Auth type | PAP |
Click on OK to save.
Finally, click on Network on the left and then Topologies. Click on the GuestTopology entry and then choose the Exception Filters tab.
Click on the Add button. Enter the following:
| IP/subnet:port | 10.1.0.1/32:80 |
| Protocol | TCP |
| In Filter | Destination (dest) |
Click OK to save.
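The RADIUS settings above (hyphen-delimited MAC, Password Type MacAddress, PAP, shared secret) translate into an Access-Request in which the User-Password is protected only by MD5 keyed with the RADIUS secret. The following Python example is added here for illustration and is not part of the original guide or any vendor code. The function names, the lowercase MAC format, the choice of attributes and the sample values are assumptions.

```python
import hashlib
import os

def format_mac(mac: str, delimiter: str = "-") -> str:
    """Normalise a MAC to the profile's delimiter (lowercase is an assumption)."""
    digits = "".join(c for c in mac.lower() if c.isalnum())
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))

def keystream_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ k for b, k in zip(block, pad))
        prev = result if hiding else block  # always chain on the ciphertext block
        out += result
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return keystream_xor(padded, secret, authenticator, hiding=True)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return keystream_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(client_mac, ap_mac, secret, identifier=1, authenticator=None):
    """Access-Request (code 1) with the client MAC as both user name and password."""
    authenticator = authenticator or os.urandom(16)
    user = format_mac(client_mac).encode()
    attrs = (attribute(1, user)                                          # User-Name
             + attribute(2, hide_password(user, secret, authenticator))  # User-Password
             + attribute(30, format_mac(ap_mac).encode()))               # Called-Station-Id
    header = bytes([1, identifier]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + authenticator + attrs

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    ra, secret = bytes(range(16)), b"constructed-secret"
    pkt = build_access_request("AA:BB:CC:DD:EE:FF", "00:11:22:33:44:55", secret, authenticator=ra)
    print(len(pkt), pkt[41:73].hex(), unhide_password(pkt[41:73], secret, ra))
```

Anyone who captures the request and knows or guesses the secret can reverse the hiding, so the RADIUS secret should be long and random and identical only across the servers that need it.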