Configuration
Please log in to your FortiGate web interface and click User & Device > RADIUS Servers on the left menu. Click Create New and configure with:
Name | guestradius |
Primary Server | *insert radius_server here* |
Primary Shared Secret | *insert radius_secret here* |
Secondary Server | *insert radius_server2 here* |
Secondary Shared Secret | *insert radius_secret here* |
Authentication Method | Specify |
Method | PAP |
Click OK to Save. Next, click on User Groups and Create New. Configure with:
Name | guestgroup |
Type | Firewall |
Under Remote groups click Create New and under Remote Server choose guestradius. Click OK to Save.
Next, click Policy & Objects > IP. Click Create New > Address. Configure with:
Category | Address |
Name | guestonline |
Type | IP/Netmask |
Subnet / IP Range | 10.1.0.0/255.255.255.0 |
Interface | any |
Show in Address List | Enabled |
Click OK to Save. Next, click Create New > Address again and add each required domain as per below. Please refer to this list.
Category | Address |
Name | *insert domain here* |
Type | FQDN |
FQDN | *insert domain here* |
Click OK to Save. Repeat the steps above for each domain.
Next, under Addresses click Create New > Address Group. Configure with:
Category | IPv4 Group |
Group Name | guestwhitelist |
Members | click the + button and select all the domains you added earlier. |
Click OK to Save.
Next, click WiFi & Switch Controller > SSID on the left. Click Create New > SSID. Configure with:
Interface Name | guestwifi |
Type | WiFi SSID |
Traffic Mode | Tunnel to Wireless Controller |
Address | 10.1.0.1/255.255.255.0 |
DHCP Server | Enabled |
DNS Server | Specify: 8.8.8.8 |
SSID | Guest WiFi (or whatever you wish) |
Security Mode | Captive Portal |
Portal Type | Authentication |
Authentication Portal: External | *insert access_url here* |
User Groups | guestgroup |
Broadcast SSID | Enabled |
Block Intra-SSID Traffic | Enabled |
Exempt Destinations/Services | guestwhitelist |
Redirect after Captive Portal | Specific URL: *insert redirect_url here* |
Click OK to Save. Next, under IPv4 Policy click Create New. Configure with:
Name | guestwifi |
Incoming Interface | Guest WiFi (guestwifi) |
Outgoing Interface | wan1 (your WAN connection) |
Source | all |
Destination Address | guestwhitelist |
Schedule | always |
Service | ALL |
Action | ACCEPT |
Enable this policy | Enabled |
Click OK to Save. Click Create New again and configure with:
Name | guestwifionline |
Incoming Interface | Guest WiFi (guestwifi) |
Outgoing Interface | wan1 (your WAN connection) |
Source | guestonline |
Destination Address | all |
Schedule | always |
Service | ALL |
Action | ACCEPT |
Enable this policy | Enabled |
Click OK to Save.