Configuration Instructions
Please log in to your Fortinet WLC controller and click Configuration > RADIUS on the left menu.
Click on Add and configure as per the following:
RADIUS Profile Name | guestwifi1 |
RADIUS IP | *insert radius_server_ip here* |
RADIUS Secret | *insert radius_secret here* |
RADIUS Port | 1812 |
Remote RADIUS Server | Off |
MAC Address Delimiter | Hyphen (-) |
Password Type | MacAddress |
Called-Station-ID Type | MacAddress |
COA | On |
Click on OK and then Add. Configure as per the following:
RADIUS Profile Name | guestwifi2 |
RADIUS IP | *insert radius_server2_ip here* |
RADIUS Secret | *insert radius_secret here* |
RADIUS Port | 1812 |
Remote RADIUS Server | Off |
MAC Address Delimiter | Hyphen (-) |
Password Type | MacAddress |
Called-Station-ID Type | MacAddress |
COA | On |
Click OK and then on the left menu click QoS Settings. Select the QoS and Firewall Rules tab.
Click Add and configure as per the following:
ID | 1 |
Destination IP | *insert walled_garden_ip here* (Match: Ticked) |
Destination Netmask | 255.255.255.255 |
Firewall Filter ID | GUEST (Match: Ticked) |
QoS Protocol | other |
Action | FORWARD |
Traffic Control | On |
Press OK to Save, and then click Add again. Configure as per the following:
ID | 2 |
Source IP | *insert walled_garden_ip here* (Match: Ticked) |
Source Netmask | 255.255.255.255 |
Firewall Filter ID | GUEST (Match: Ticked) |
QoS Protocol | other |
Action | FORWARD |
Traffic Control | On |
Press OK to Save and then, on the left menu under Security, click on Captive Portal. Select the Captive Portal Profiles tab and then click Add. Configure as per the following:
CP Name | guestwifi |
Authentication Type | radius |
Primary Authentication | guestwifi1 |
Secondary Authentication | guestwifi2 |
Primary Accounting | guestwifi1 |
Secondary Accounting | guestwifi2 |
External Portal URL | *insert access_url here* |
Public IP of Controller | Enter the public IP of your controller (see important note below) |
Session Timeout | 1440 |
Activity Timeout | 60 |
CNA Bypass | Off |
IMPORTANT NOTE: You will also need to set up an inbound port forward rule on your firewall/router to forward TCP port 443 to your internal controller IP. This is required so that we can submit authentication requests from our cloud servers. Without this, guest authentication cannot proceed and the user will be unable to log in. Contact support if you require help with this.
Click on Add to Save and then, on the left menu under Security, click on Profile then Add. Configure as per the following:
Security Profile Name | guestwifi |
L2 Modes Allowed | Clear |
Captive Portal | WebAuth |
Captive Portal Profile | guestwifi |
Captive Portal Authentication Method | external |
Firewall Capability | configured |
Passthrough Firewall Filter ID | GUEST |
Click OK to Save and then, on the left menu under Wireless, click on ESS then Add. Configure as per the following:
ESS Profile | guestwifi |
Enable/Disable | Enable |
SSID | Guest WiFi (or whatever you wish) |
Security Profile | guestwifi |
Accounting Interim Interval | 600 |
SSID Broadcast | On |
Dataplane Mode | Tunnelled |
Click OK to Save.
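The RADIUS profiles above combine a shared secret with a hyphen MAC delimiter and Password Type MacAddress. The following Python is an added example, not part of the original instructions or any vendor code: it builds the kind of Access-Request those settings imply and shows how the RADIUS Secret hides User-Password (RFC 2865, MD5 based), which is why that secret should be long and random. It assumes the controller sends the lowercase hyphen-delimited client MAC as both User-Name and User-Password; the function names, MAC addresses and secret are constructed for illustration.

```python
import hashlib
import struct

def hyphen_mac(mac: str) -> str:
    """Normalise common MAC notations to the hyphen-delimited form (case is an assumption)."""
    digits = "".join(ch for ch in mac if ch.isalnum()).lower()
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def _md5_chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        prev = block if decrypt else res  # always chain on the ciphertext block
        out += res
    return out

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(client_mac, ap_mac, secret, authenticator, identifier=1) -> bytes:
    """Access-Request (code 1) with User-Name, User-Password and Called-Station-Id."""
    mac = hyphen_mac(client_mac).encode()
    padded = mac + b"\x00" * (-len(mac) % 16)
    attrs = (attr(1, mac)                                             # User-Name
             + attr(2, _md5_chain(padded, secret, authenticator, False))  # User-Password
             + attr(30, hyphen_mac(ap_mac).encode()))                 # Called-Station-Id
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def recover_password(packet: bytes, secret: bytes) -> bytes:
    """What a RADIUS server does: walk the attributes and unhide User-Password."""
    authenticator, pos = packet[4:20], 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        if code == 2:
            hidden = packet[pos + 2:pos + length]
            return _md5_chain(hidden, secret, authenticator, True).rstrip(b"\x00")
        pos += length
    raise ValueError("no User-Password attribute")
```

A server configured with a different secret, or with MAC entries stored using another delimiter, will recover a value that does not match its user record, which shows up as a rejected login.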