IMPORTANT: You need FortiOS v5.6 or above in order to proceed.
Please log in to your FortiGate web interface and click User & Device > RADIUS Servers on the left menu. Click Create New and configure with:
- Name: guestradius
- Primary Server: *insert radius_server here*
- Primary Shared Secret: *insert radius_secret here*
- Secondary Server: *insert radius_server2 here*
- Secondary Shared Secret: *insert radius_secret here*
- Authentication Method: Specify
- Method: PAP
Click OK to Save. Next, click on User Groups and Create New. Configure with:
- Name: guestgroup
- Type: Firewall
Under Remote groups click Create New and under Remote Server choose guestradius. Click OK to Save.
Next, click Policy & Objects > IP. Click Create New > Address. Configure with:
- Category: Address
- Name: guestonline
- Type: IP/Netmask
- Subnet / IP Range: 10.1.0.0/255.255.255.0
- Interface: any
- Show in Address List: Enabled
Click OK to Save. Next, click Create New > Address again and add each required domain as shown below. Please refer to this list.
- Category: Address
- Name: *insert domain here*
- Type: FQDN
- FQDN: *insert domain here*
Click OK to Save.
Repeat these steps for each domain.
Next, under Addresses click Create New > Address Group. Configure with:
- Category: IPv4 Group
- Group Name: guestwhitelist
- Members: click the + button and select all the domains you added earlier.
Click OK to Save.
Next, click WiFi & Switch Controller > SSID on the left. Click Create New > SSID. Configure with:
- Interface Name: guestwifi
- Type: WiFi SSID
- Traffic Mode: Tunnel to Wireless Controller
- Address: 10.1.0.1/255.255.255.0
- DHCP Server: Enabled
- DNS Server: Specify: 8.8.8.8
- SSID: Guest WiFi (or whatever you wish)
- Security Mode: Captive Portal
- Portal Type: Authentication
- Authentication Portal: External: *insert access_url here*
- User Groups: guestgroup
- Broadcast SSID: Enabled
- Block Intra-SSID Traffic: Enabled
- Exempt Destinations/Services: guestwhitelist
- Redirect after Captive Portal: Specific URL: *insert redirect_url here*
Click OK to Save. Next, under IPv4 Policy click Create New. Configure with:
- Name: guestwifi
- Incoming Interface: Guest WiFi (guestwifi)
- Outgoing Interface: wan1 (your WAN connection)
- Source: all
- Destination Address: guestwhitelist
- Schedule: always
- Service: ALL
- Action: ACCEPT
- Enable this policy: Enabled
Click OK to Save. Click Create New again and configure with:
- Name: guestwifionline
- Incoming Interface: Guest WiFi (guestwifi)
- Outgoing Interface: wan1 (your WAN connection)
- Source: guestonline
- Destination Address: all
- Schedule: always
- Service: ALL
- Action: ACCEPT
- Enable this policy: Enabled
Click OK to Save.