Configuration
Please log in to your FortiGate web interface and click User & Authentication > RADIUS Servers on the left menu. Click Create New and configure with:
| Setting | Value |
|---|---|
| Name | guestradius |
| Primary Server | *insert radius_server here* |
| Primary Shared Secret | *insert radius_secret here* |
| Secondary Server | *insert radius_server2 here* |
| Secondary Shared Secret | *insert radius_secret here* |
| Authentication Method | Specify |
| Method | PAP |
Click OK to Save. Next, click on User Groups and Create New. Configure with:
| Setting | Value |
|---|---|
| Name | guestgroup |
| Type | Firewall |
Under Remote groups click Create New and under Remote Server choose guestradius. Click OK to Save.
Next, click Policy & Objects > Addresses. Click Create New and configure with:
| Setting | Value |
|---|---|
| Category | Address |
| Name | guestonline |
| Type | IP/Netmask |
| IP Range | 10.1.0.0/255.255.255.0 |
| Interface | any |
| Show in Address List | Enabled |
Click OK to Save. Next, click Create New again and add an address object for each required domain, configured as below. Please refer to this list.
| Setting | Value |
|---|---|
| Category | Address |
| Name | *insert domain here* |
| Type | FQDN |
| FQDN | *insert domain here* |
Click OK to Save. Repeat this for each domain in the list.
Next, under Addresses click Create New > Address Group. Configure with:
| Setting | Value |
|---|---|
| Category | IPv4 Group |
| Group Name | guestwhitelist |
| Members | click the + button and select all the domains you added earlier. |
Click OK to Save.
Next, click WiFi Controller > SSIDs on the left. Click Create New > SSID. Configure with:
| Setting | Value |
|---|---|
| Name | guestwifi |
| Type | WiFi SSID |
| Traffic mode | Tunnel |
| Addressing mode | 10.1.0.1/255.255.255.0 |
| DHCP Server | Enabled |
| DNS Server | Specify: 8.8.8.8 |
| SSID | Guest WiFi (or whatever you wish) |
| Security Mode | Captive Portal |
| Portal Type | Authentication |
| Authentication Portal: External | *insert access_url here* |
| User Groups | guestgroup |
| Broadcast SSID | Enabled |
| Block Intra-SSID traffic | Enabled |
| Exempt Destinations/Services | guestwhitelist |
| Redirect after Captive Portal | Specific URL: *insert redirect_url here* |
Click OK to Save. Next, under IPv4 Policy click Create New. Configure with:
| Setting | Value |
|---|---|
| Name | guestwifi |
| Incoming Interface | Guest WiFi (guestwifi) |
| Outgoing Interface | wan1 (your WAN connection) |
| Source | all |
| Destination Address | guestwhitelist |
| Schedule | always |
| Service | ALL |
| Action | ACCEPT |
| Enable this policy | Enabled |
Click OK to Save. Click Create New again and configure with:
| Setting | Value |
|---|---|
| Name | guestwifionline |
| Incoming Interface | Guest WiFi (guestwifi) |
| Outgoing Interface | wan1 (your WAN connection) |
| Source | guestonline |
| Destination Address | all |
| Schedule | always |
| Service | ALL |
| Action | ACCEPT |
| Enable this policy | Enabled |
Click OK to Save.
The configuration is now complete.
Secure WiFi RADIUS
Please log in to your FortiGate web interface and click User & Authentication > RADIUS Servers on the left menu. Click Create New and configure with:
| Setting | Value |
|---|---|
| Name | secureradius |
| Primary Server | *insert radius_server here* |
| Primary Shared Secret | *insert radius_secret here* |
| Secondary Server | *insert radius_server2 here* |
| Secondary Shared Secret | *insert radius_secret here* |
| Authentication Method | Specify |
| Method | PAP |
Click OK to Save.
Click WiFi Controller > SSIDs on the left menu. Click Create New > SSID and configure with:
| Setting | Value |
|---|---|
| Name | securewifi |
| Traffic mode | Tunnel |
| Addressing mode | 10.10.10.1/255.255.255.0 (or whatever you wish) |
| DHCP Server | Enabled |
| Address range | 10.10.10.2 - 10.10.10.254 (as above) |
| Netmask | 255.255.255.0 |
| Default gateway | Same as Interface IP |
| DNS server | Same as System DNS |
| Lease Time | 14400 |
| SSID | Secure WiFi (or whatever you wish) |
| Broadcast SSID | Enabled |
| Security mode | WPA2 Enterprise |
| Authentication | RADIUS Server - select secureradius |
| Block Intra-SSID traffic | Enabled |
Click OK to Save.
Click Policy & Objects > Firewall Policy. Click Create New and configure with:
| Setting | Value |
|---|---|
| Name | securewifi-to-internet |
| Incoming interface | securewifi |
| Outgoing interface | wan1 (your WAN connection) |
| Source | securewifi address |
| Destination | ALL |
| Service | ALL |
Click OK to Save.
At present the FortiGate web interface does not expose the Hotspot 2.0 (hotspot20) parameters required below. To continue, open a CLI console session (top right) and enter the following:
```
config wireless-controller hotspot20 anqp-venue-name
    edit "Fortinet_Venue"
        config value-list
            edit 1
                set lang "eng"
                set value "Secure WiFi"
            next
        end
    next
end
config wireless-controller hotspot20 anqp-venue-url
end
config wireless-controller hotspot20 anqp-network-auth-type
end
config wireless-controller hotspot20 anqp-roaming-consortium
    edit "Fortinet_RCOI"
        config oi-list
            edit 1
                set oi "5A03BA0000"
            next
        end
    next
end
config wireless-controller hotspot20 anqp-nai-realm
    edit "Fortinet_NAI_Realm"
        config nai-list
            edit "Fortinet_NAI_Realm"
                set nai-realm "securewifi.purple.ai"
                config eap-method
                    edit 1
                        set method eap-ttls
                        config auth-param
                            edit 1
                                set id non-eap-inner-auth
                                set val non-eap-pap
                            next
                        end
                    next
                end
            next
        end
    next
end
config wireless-controller hotspot20 anqp-ip-address-type
    edit "Fortinet_Address_Type"
        set ipv4-address-type single-NATed-private
    next
end
config wireless-controller hotspot20 hs-profile
    edit "SecureWiFi"
        set domain-name "securewifi.purple.ai"
        set roaming-consortium Fortinet_RCOI
        set nai-realm Fortinet_NAI_Realm
        set ip-addr-type Fortinet_Address_Type
        set access-network-internet enable
    next
end
config wireless-controller vap
    edit securewifi
        set hotspot20-profile SecureWiFi
    next
end
```
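An added check, example code that is not part of this guide: a small Python parser for the FortiOS CLI format used above, which walks the nested config/edit/set blocks and reports any hs-profile or VAP setting that names an object never defined, which is how a mistyped object name silently breaks the Passpoint setup. The sample is a constructed, trimmed copy of the block above, and the REFS table can be extended to other FortiOS tables such as user group members.

```python
import shlex
def parse_fortios(text):
    # Parse FortiOS CLI text into nested dicts: table -> entry name -> settings.
    stack = [{}]
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] in ("config", "edit"):          # open a nested block
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":                     # scalar or multi-value setting
            stack[-1][tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
        elif tok[0] in ("next", "end"):           # close the current block
            stack.pop()
    return stack[0]

# Constructed sample: a trimmed copy of the Hotspot 2.0 CLI block on this page.
SAMPLE = """
config wireless-controller hotspot20 anqp-roaming-consortium
    edit "Fortinet_RCOI"
    next
end
config wireless-controller hotspot20 anqp-nai-realm
    edit "Fortinet_NAI_Realm"
    next
end
config wireless-controller hotspot20 hs-profile
    edit "SecureWiFi"
        set roaming-consortium Fortinet_RCOI
        set nai-realm Fortinet_NAI_Realm
    next
end
config wireless-controller vap
    edit securewifi
        set hotspot20-profile SecureWiFi
    next
end
"""

# (table holding the reference, setting, table whose entries the value must name)
HS = "wireless-controller hotspot20 "
REFS = [(HS + "hs-profile", "roaming-consortium", HS + "anqp-roaming-consortium"),
        (HS + "hs-profile", "nai-realm", HS + "anqp-nai-realm"),
        ("wireless-controller vap", "hotspot20-profile", HS + "hs-profile")]
def dangling_refs(cfg):
    # Return one message per setting that names an object not defined in cfg.
    return [f"{t} '{n}': {a} -> '{e[a]}' is not defined"
            for t, a, target in REFS for n, e in cfg.get(t, {}).items()
            if a in e and e[a] not in cfg.get(target, {})]
```

Running `dangling_refs(parse_fortios(SAMPLE))` returns an empty list when every reference resolves; paste the real `show wireless-controller` output in place of the sample to audit a live unit.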
Configuration Complete
The configuration is now complete.