Fortinet WLC (System Director)

Configuration Instructions

Please log in to your Fortinet WLC controller and click Configuration > RADIUS on the left menu.

Click on Add and configure as per the following:

RADIUS Profile Name: guestwifi1
RADIUS IP: *insert radius_server_ip here*
RADIUS Secret: *insert radius_secret here*
RADIUS Port: 1812
Remote RADIUS Server: Off
MAC Address Delimiter: Hyphen (-)
Password Type: MacAddress
Called-Station-ID Type: MacAddress
COA: On

Click on OK and then Add. Configure as per the following:

RADIUS Profile Name: guestwifi2
RADIUS IP: *insert radius_server2_ip here*
RADIUS Secret: *insert radius_secret here*
RADIUS Port: 1812
Remote RADIUS Server: Off
MAC Address Delimiter: Hyphen (-)
Password Type: MacAddress
Called-Station-ID Type: MacAddress
COA: On

Click OK and then on the left menu click QoS Settings. Select the QoS and Firewall Rules tab.

Click Add and configure as per the following:

ID: 1
Destination IP: *insert walled_garden_ip here* (Match: Ticked)
Destination Netmask: 255.255.255.255
Firewall Filter ID: GUEST (Match: Ticked)
QoS Protocol: other
Action: FORWARD
Traffic Control: On

Press OK to Save, and then click Add again. Configure as per the following:

ID: 2
Source IP: *insert walled_garden_ip here* (Match: Ticked)
Source Netmask: 255.255.255.255
Firewall Filter ID: GUEST (Match: Ticked)
QoS Protocol: other
Action: FORWARD
Traffic Control: On

Press OK to Save and then on the left menu, under Security click on Captive Portal. Select the Captive Portal Profiles tab and then click Add. Configure as per the following:

CP Name: guestwifi
Authentication Type: radius
Primary Authentication: guestwifi1
Secondary Authentication: guestwifi2
Primary Accounting: guestwifi1
Secondary Accounting: guestwifi2
External Portal URL: *insert access_url here*
Public IP of Controller: Enter the public IP of your controller (see important note below)
Session Timeout: 1440
Activity Timeout: 60
CNA Bypass: Off

IMPORTANT NOTE: You will also need to set up an inbound port forward rule on your firewall/router to forward TCP port 443 to your internal controller IP. This is required so that we can submit authentication requests from our cloud servers. Without this, guest authentication cannot proceed and the user will be unable to log in. Contact support if you require help with this.

Click on Add to Save and then on the left menu, under Security click on Profile then Add. Configure as per the following:

Security Profile Name: guestwifi
L2 Modes Allowed: Clear
Captive Portal: WebAuth
Captive Portal Profile: guestwifi
Captive Portal Authentication Method: external
Firewall Capability: configured
Passthrough Firewall Filter ID: GUEST

Click OK to Save and then on the left menu, under Wireless click on ESS then Add. Configure as per the following:

ESS Profile: guestwifi
Enable/Disable: Enable
SSID: Guest WiFi (or whatever you wish)
Security Profile: guestwifi
Accounting Interim Interval: 600
SSID Broadcast: On
Dataplane Mode: Tunnelled

Click OK to Save.
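
To show what the RADIUS Secret, the Hyphen (-) delimiter and the MacAddress settings in the guestwifi1 and guestwifi2 profiles mean on the wire, the following added example (not Purple's or Fortinet's code) builds an RFC 2865 Access-Request and verifies a reply's Response Authenticator, which only matches when both ends hold the same secret. It assumes the controller puts the client MAC in both User-Name and User-Password and writes it in lowercase hex; the page states neither, and all function names are hypothetical.

```python
# Added example: RFC 2865 Access-Request with hyphen-delimited MAC values.
# Assumption: client MAC is used as User-Name and User-Password, lowercase hex.
import hashlib, hmac, os, struct

def mac_hyphen(mac: str) -> str:
    """Normalise any common MAC notation to the hyphen-delimited form."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF").lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: MD5 keystream over 16-byte blocks."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(client_mac, ap_mac, secret, ident=1, authenticator=None):
    """Return the raw Access-Request (code 1) a RADIUS server would receive."""
    authenticator = authenticator or os.urandom(16)
    user = mac_hyphen(client_mac).encode()
    attrs = (attr(1, user)                                          # User-Name
             + attr(2, hide_password(user, secret, authenticator))  # User-Password
             + attr(30, mac_hyphen(ap_mac).encode()))               # Called-Station-Id
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + authenticator + attrs

def reply_is_authentic(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a wrong or mismatched secret fails."""
    expected = hashlib.md5(
        reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

The User-Password value is only hidden by the shared secret, and with a MAC-derived password the same value is visible in User-Name, so the strength of the RADIUS Secret is what protects replies from forgery.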
