IMPORTANT: You need FortiOS v5.6 or above in order to proceed.
Please log in to your FortiGate web interface and click User & Device > RADIUS Servers on the left menu. Click Create New and configure with:
- Name: guestradius
- Primary Server: *insert radius_server here*
- Primary Shared Secret: *insert radius_secret here*
- Secondary Server: *insert radius_server2 here*
- Secondary Shared Secret: *insert radius_secret here*
- Authentication Method: Specify
- Method: PAP
Click OK to Save. Next, click on User Groups and Create New. Configure with:
- Name: guestgroup
- Type: Firewall
Under Remote groups click Create New and under Remote Server choose guestradius. Click OK to Save.
Next, click Policy & Objects > IP. Click Create New > Address. Configure with:
- Category: Address
- Name: guestonline
- Type: IP/Netmask
- Subnet / IP Range: 10.1.0.0/255.255.255.0
- Interface: any
- Show in Address List: Enabled
Click OK to Save. Next, click Create New > Address again and configure with:
- Category: Address
- Name: *insert access_domain here*
- Type: FQDN
- FQDN: *insert access_domain here*
Click OK to Save.
Repeat the step above to create an FQDN address for each of the domains below.
- r1-portal.venuewifi.com
- r2-portal.venuewifi.com
- r3-portal.venuewifi.com
- payment-r1.venuewifi.com
- payment-r2.venuewifi.com
- payment-r3.venuewifi.com
- api.openweathermap.org
- d1ldbb6wxu8wdm.cloudfront.net
- api.stripe.com
Additionally, if you wish to support social network logins, you also need to add the domains below for each network you plan to support.
- Facebook: facebook.com, www.facebook.com, m.facebook.com, scontent-lhr3-1.xx.fbcdn.net, fbstatic-a.akamaihd.net, connect.facebook.net
- Twitter: twitter.com, www.twitter.com, api.twitter.com, abs.twimg.com, abs-0.twimg.com
- LinkedIn: linkedin.com, www.linkedin.com, touch.linkedin.com, static.licdn.com
- Instagram: instagram.com, www.instagram.com, instagramstatic-a.akamaihd.net
- Weibo: weibo.com, www.weibo.com, login.sina.com.cn
- VKontakte: vk.me, www.vk.me, vk.com, www.vk.com
Next, under Addresses click Create New > Address Group. Configure with:
- Category: IPv4 Group
- Group Name: guestwhitelist
- Members: click the + button and select all the domains you added earlier.
Click OK to Save.
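The FQDN address and address group steps above can also be produced as FortiOS CLI text instead of being clicked through one domain at a time. The script below is an added example, not part of the original guide: the guide only describes the web interface, so the CLI form (config firewall address / config firewall addrgrp) and the helper names normalize and fortios_cli are assumptions of this example. It refuses wildcard or malformed entries so that only exact hostnames end up in the exempt list.

```python
import re

# Required walled-garden domains, copied from the list on this page.
REQUIRED_DOMAINS = [
    "r1-portal.venuewifi.com", "r2-portal.venuewifi.com", "r3-portal.venuewifi.com",
    "payment-r1.venuewifi.com", "payment-r2.venuewifi.com", "payment-r3.venuewifi.com",
    "api.openweathermap.org", "d1ldbb6wxu8wdm.cloudfront.net", "api.stripe.com",
]

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize(domains):
    """Lower-case, de-duplicate (keeping order) and validate exact FQDNs.

    Wildcards, single-label names and anything containing quotes or
    newlines are rejected, so nothing unexpected reaches the CLI text.
    """
    seen, out = set(), []
    for raw in domains:
        name = raw.strip().rstrip(".").lower()
        labels = name.split(".")
        if (len(name) > 253 or len(labels) < 2
                or not all(_LABEL.fullmatch(label) for label in labels)):
            raise ValueError(f"not a plain FQDN: {raw!r}")
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def fortios_cli(domains, group="guestwhitelist"):
    """Return CLI text: one FQDN address per domain, then the address group."""
    names = normalize(domains)
    lines = ["config firewall address"]
    for n in names:
        # As in the GUI steps, the object name is the domain itself.
        lines += [f'    edit "{n}"', "        set type fqdn",
                  f'        set fqdn "{n}"', "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"']
    lines.append("        set member " + " ".join(f'"{n}"' for n in names))
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(fortios_cli(REQUIRED_DOMAINS))
```

Append the social network domains you need to the list before generating; review the output before pasting it into the FortiGate CLI.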
Next, click WiFi & Switch Controller > SSID on the left. Click Create New > SSID. Configure with:
- Interface Name: guestwifi
- Type: WiFi SSID
- Traffic Mode: Tunnel to Wireless Controller
- Address: 10.1.0.1/255.255.255.0
- DHCP Server: Enabled
- DNS Server: Specify: 8.8.8.8
- SSID: Guest WiFi (or whatever you wish)
- Security Mode: Captive Portal
- Portal Type: Authentication
- Authentication Portal: External: *insert access_url here*
- User Groups: guestgroup
- Broadcast SSID: Enabled
- Block Intra-SSID Traffic: Enabled
- Exempt Destinations/Services: guestwhitelist
- Redirect after Captive Portal: Specific URL: *insert redirect_url here*
Click OK to Save. Next, under IPv4 Policy click Create New. Configure with:
- Name: guestwifi
- Incoming Interface: Guest WiFi (guestwifi)
- Outgoing Interface: wan1 (your WAN connection)
- Source: all
- Destination Address: guestwhitelist
- Schedule: always
- Service: ALL
- Action: ACCEPT
- Enable this policy: Enabled
Click OK to Save. Click Create New again and configure with:
- Name: guestwifionline
- Incoming Interface: Guest WiFi (guestwifi)
- Outgoing Interface: wan1 (your WAN connection)
- Source: guestonline
- Destination Address: all
- Schedule: always
- Service: ALL
- Action: ACCEPT
- Enable this policy: Enabled
Click OK to Save.