| IMPORTANT: You need FortiOS v6.0 or above in order to proceed. |
Configuration
Please log in to your FortiGate web interface and click User & Authentication > RADIUS Servers on the left menu. Click Create New and configure with:
| Name | guestradius |
| Primary Server | *insert radius_server here* |
| Primary Shared Secret | *insert radius_secret here* |
| Secondary Server | *insert radius_server2 here* |
| Secondary Shared Secret | *insert radius_secret here* |
| Authentication Method | Specify |
| Method | PAP |
Click OK to Save. Next, click on User Groups and Create New. Configure with:
| Name: | guestgroup |
| Type | Firewall |
Under Remote groups click Create New and under Remote Server choose guestradius. Click OK to Save.
Next, click Policy & Objects > Addresses. Click Create New and configure with:
| Category | Address |
| Name | guestonline |
| Type | IP/Netmask |
| IP Range | 10.1.0.0/255.255.255.0 |
| Interface | any |
| Show in Address List | Enabled |
Click OK to Save. Next, click Create New again and add each required domain as per below. Please refer to this list.
| Category | Address |
| Name | *insert domain here* |
| Type | FQDN |
| FQDN | *insert domain here* |
Click OK to Save. Repeat the steps above for each domain.
Next, under Addresses click Create New > Address Group. Configure with:
| Category | IPv4 Group |
| Group Name | guestwhitelist |
| Members | click the + button and select all the domains you added earlier. |
Click OK to Save.
Next, click WiFi Controller > SSIDs on the left. Click Create New > SSID. Configure with:
| Name | guestwifi |
| Type | WiFi SSID |
| Traffic mode | Tunnel |
| Addressing mode | 10.1.0.1/255.255.255.0 |
| DHCP Server | Enabled |
| DNS Server | Specify: 8.8.8.8 |
| SSID | Guest WiFi (or whatever you wish) |
| Security Mode | Captive Portal |
| Portal Type | Authentication |
| Authentication Portal: External | *insert access_url here* |
| User Groups | guestgroup |
| Broadcast SSID | Enabled |
| Block Intra-SSID traffic | Enabled |
| Exempt Destinations/Services | guestwhitelist |
| Redirect after Captive Portal | Specific URL: *insert redirect_url here* |
Click OK to Save. Next, click Policy & Objects > Firewall Policy and click Create New. Configure with:
| Name | guestwifi |
| Incoming Interface | Guest WiFi (guestwifi) |
| Outgoing Interface | wan1 (your WAN connection) |
| Source | all |
| Destination Address | guestwhitelist |
| Schedule | always |
| Service | ALL |
| Action | ACCEPT |
| Enable this policy | Enabled |
Click OK to Save. Click Create New again and configure with:
| Name | guestwifionline |
| Incoming Interface | Guest WiFi (guestwifi) |
| Outgoing Interface | wan1 (your WAN connection) |
| Source | guestonline |
| Destination Address | all |
| Schedule | always |
| Service | ALL |
| Action | ACCEPT |
| Enable this policy | Enabled |
Click OK to Save.
The configuration is now complete.
| SecurePass Note: To enable our SecurePass WiFi solution please complete the steps below. This enables a secure, seamless WiFi connection for repeat users. |
Secure WiFi RADIUS
Please log in to your FortiGate web interface and click User & Authentication > RADIUS Servers on the left menu. Click Create New and configure with:
| Name | guestradius |
| Primary Server | *insert radius_server here* |
| Primary Shared Secret | *insert radius_secret here* |
| Secondary Server | *insert radius_server2 here* |
| Secondary Shared Secret | *insert radius_secret here* |
| Authentication Method | Specify |
| Method | PAP |
Click OK to Save.
Click WiFi Controller > SSIDs on the left menu. Click Create New > SSID and configure with:
| Name: | securewifi |
| Traffic mode: | Tunnel |
| Addressing mode: | 10.10.10.1/255.255.255.0 (or whatever you wish) |
| DHCP Server: | Enabled |
| Address range: | 10.10.10.2 - 10.10.10.254 (as above) |
| Netmask: | 255.255.255.0 |
| Default gateway: | Same as Interface IP |
| DNS server: | Same as System DNS |
| Lease Time: | 14400 |
| SSID: | Secure WiFi (or whatever you wish) |
| Broadcast SSID: | Enabled |
| Security mode: | WPA2 Enterprise |
| Authentication: | RADIUS Server - select secureradius |
| Block Intra-SSID traffic: | Enabled |
Click OK to Save.
Click Policy & Objects > Firewall Policy. Click Create New and configure with:
| Name: | securewifi-to-internet |
| Incoming interface: | securewifi |
| Outgoing interface: | wan1 (your WAN connection) |
| Source: | securewifi address |
| Destination: | ALL |
| Service: | ALL |
Click OK to Save.
At present the FortiGate web interface does not allow you to configure the required parameters. To continue, create a CLI console session (top right) and input the following:
FortiGate CLI Console:

    config wireless-controller hotspot20 anqp-venue-name
        edit "Fortinet_Venue"
            config value-list
                edit 1
                    set lang "eng"
                    set value "Secure WiFi"
                next
            end
        next
    end
    config wireless-controller hotspot20 anqp-venue-url
    end
    config wireless-controller hotspot20 anqp-network-auth-type
    end
    config wireless-controller hotspot20 anqp-roaming-consortium
        edit "Fortinet_RCOI"
            config oi-list
                edit 1
                    set oi "5A03BA0000"
                next
            end
        next
    end
    config wireless-controller hotspot20 anqp-nai-realm
        edit "Fortinet_NAI_Realm"
            config nai-list
                edit "Fortinet_NAI_Realm"
                    set nai-realm "securewifi.purple.ai"
                    config eap-method
                        edit 1
                            set method eap-ttls
                            config auth-param
                                edit 1
                                    set id non-eap-inner-auth
                                    set val non-eap-pap
                                next
                            end
                        next
                    end
                next
            end
        next
    end
    config wireless-controller hotspot20 anqp-ip-address-type
        edit "Fortinet_Address_Type"
            set ipv4-address-type single-NATed-private
        next
    end
    config wireless-controller hotspot20 hs-profile
        edit "SecureWiFi"
            set domain-name "securewifi.purple.ai"
            set roaming-consortium Fortinet_RCOI
            set nai-realm Fortinet_NAI_Realm
            set ip-addr-type Fortinet_Address_Type
            set access-network-internet enable
        next
    end
    config wireless-controller vap
        edit securewifi
            set hotspot20-profile SecureWiFi
        next
    end
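A pre-paste check for the CLI block above, as an added example that is not part of the original guide or any Fortinet tooling: it verifies that every config/edit is closed by a matching end/next and that the names the hs-profile and vap entries point to are defined. The function name `check_cli`, the `REFS` table and the abridged `PAGE_EXCERPT` sample are assumptions made for this illustration.

```python
import shlex

KEYWORDS = {"config", "edit", "set", "next", "end"}
# Settings in the page's block that must name an object defined in another table.
REFS = {("hs-profile", "roaming-consortium"): "anqp-roaming-consortium",
        ("hs-profile", "nai-realm"): "anqp-nai-realm",
        ("hs-profile", "ip-addr-type"): "anqp-ip-address-type",
        ("vap", "hotspot20-profile"): "hs-profile"}

def check_cli(cli):
    """Return a list of problems in a FortiOS CLI snippet (flattened or multi-line)."""
    tokens, stack, defined, used, problems = shlex.split(cli), [], set(), [], []
    i = 0
    while i < len(tokens):
        j = i + 1
        while j < len(tokens) and tokens[j] not in KEYWORDS:
            j += 1                      # arguments run until the next keyword
        word, args = tokens[i], tokens[i + 1:j]
        i = j
        top = stack[-1] if stack else None   # (kind, table) of the innermost open block
        if word == "config":
            stack.append(("config", args[-1] if args else ""))
        elif word == "edit":
            if not top or top[0] != "config":
                problems.append(f"edit {args} outside a config block")
            else:
                defined.add((top[1], args[0] if args else ""))
            stack.append(("edit", top[1] if top else ""))
        elif word == "set":
            if top and len(args) >= 2 and (top[1], args[0]) in REFS:
                used.append((REFS[(top[1], args[0])], args[1]))
        elif word in ("next", "end"):
            want = "edit" if word == "next" else "config"
            if not top or top[0] != want:
                problems.append(f"unexpected '{word}' (no open {want})")
            else:
                stack.pop()
        else:
            problems.append(f"unknown keyword '{word}'")
    problems += [f"unclosed {kind} block in '{table}'" for kind, table in stack]
    problems += [f"{t} '{n}' referenced but not defined" for t, n in used if (t, n) not in defined]
    return problems

# Abridged from the CLI block on this page, kept flattened onto one logical line.
PAGE_EXCERPT = ('config wireless-controller hotspot20 anqp-roaming-consortium edit "Fortinet_RCOI" '
                'config oi-list edit 1 set oi "5A03BA0000" next end next end '
                'config wireless-controller hotspot20 anqp-ip-address-type edit "Fortinet_Address_Type" '
                'set ipv4-address-type single-NATed-private next end '
                'config wireless-controller hotspot20 hs-profile edit "SecureWiFi" '
                'set roaming-consortium Fortinet_RCOI set ip-addr-type Fortinet_Address_Type next end '
                'config wireless-controller vap edit securewifi set hotspot20-profile SecureWiFi next end')
```

The check is token-based, so it assumes no setting value is itself one of the five keywords, which holds for the block on this page.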
Configuration Complete
The configuration is now complete.