NOTE: We recommend v7.1.2-7019 and above. Due to a known issue, versions 7.0.1-5151, 7.1.1-7051 and 7.1.1-7058 are not compatible.
Log in to your SonicWall firewall and click Network at the top. Under IPSEC VPN > Rules and Settings > Settings, ensure the Unique Firewall Identifier is the original serial number of the device.
Next, go to Device > Users > Settings and on the Authentication tab configure with:
- User authentication method: RADIUS + Local Users
Click the Configure RADIUS button. Under the Settings header > RADIUS Servers sub-header click ADD... and configure with:
On the Settings tab:
- Host Name or IP Address: *insert radius_server here*
- Port: 1812
- Shared Secret: *insert radius_secret here*
- Confirm Shared Secret: as above
On the Advanced tab:
- User Name Format: Name@Domain
Click Save. Click ADD... again and configure exactly as above with the following change:
- Host Name or IP Address: *insert radius_server2 here*
Click Save again. On the RADIUS Users header:
- Default user group to which all RADIUS users belong: Guest Services
Finally, click Save. Next, under RADIUS Accounting Configuration, under the Servers tab click ADD... and configure with:
On the Settings tab:
- Host Name or IP Address: *insert radius_server here*
- Port: 1813
- Shared Secret: *insert radius_secret here*
- Confirm Shared Secret: as above
On the Advanced tab:
- User Name Format: Name@Domain
Click Save. Click ADD... again and configure exactly as above with the following change:
- Host Name or IP Address: *insert radius_server2 here*
Click Save again. On the User Accounting tab configure:
- Guest users: Enabled
- Include: Domain and local users
- Send interim updates: Every 2 minutes
Click Save.
Next, go to Object > Match Objects > Address Objects and click Add at the top. Here, you will need to add multiple address objects so that pre-authentication traffic is permitted. For each of the domains, add an entry as follows, changing the Name and FQDN Hostname each time. Please refer to this list.
- Name: *domain here*
- Zone Assignment: WAN
- Type: FQDN
- FQDN Hostname: *domain here*
Once all the required entries are added, click on the Address Groups tab and then Add at the top. Enter a name of guestwifi and then, for each of the entries you created above, click the -> arrow to move it to the right-hand box. Click OK to save.
Next, go to Object > Match Objects > Zones and edit the zone you are using for your guest users (typically the WLAN zone). Under the Guest Services tab configure with:
- Enable Guest Service: Enabled
- Enable Captive Portal Authentication: Enabled
Configure the following:
- External Captive Portal Vendor URL: *insert access_url here*
- Captive Portal Welcome URL Source: Custom
- Custom Captive Portal Welcome URL Source: *insert redirect_url here*
- Session Timeout Source: From Radius
- Idle Timeout Source: From Radius
- Radius Authentication Method: PAP Encrypted
Click Save.
Finally, if you are using SonicWall Access Points be sure to create an open SSID to enable guest users to connect.
IMPORTANT NOTE: You need to add the Unique Firewall ID (LAN MAC address) as well as the WAN MAC address of the Fortigate to the portal under the Venue > Hardware tab. This is to ensure we are able to accept traffic from the device. Additionally, you'll need to set the interface IP (residing on the firewall) that guest users have as their default gateway under the Venue > Options tab > SonicWall guest user gateway IP heading. Without this the login will fail.
The configuration is now complete.