Fortigate Configuration Guide

The following instructions outline how to set up a Fortinet FortiGate network for the Smart WiFi Platform. This guide covers configuring RADIUS, walled garden entries, and captive portals. It assumes that your FortiGate is already operational and on a live network. Please make sure any firewall rules, web content filters, and other security measures have been configured to interface with the platform.

Checklist before proceeding with the Fortigate configuration

  1. The MAC address of every AP that will be broadcasting the Guest WiFi signal needs to be reported to support, or guests will receive a hotspot deactivated message.
  2. You will need Fortigate OS v5.6 or above to complete the guide.


    1. Login to your Fortigate appliance
    2. Use the navigation panel to the left to open User & Authentication and click on RADIUS Servers
    3. Click Create New and configure with the following settings
      • Name: SmartWiFi
      • Authentication Method: Specify
      • Method: PAP
      • Primary Server IP: Contact support for your IP
      • Secret: Contact support for your secret
      • Secondary Server IP: Contact support for your IP
      • Secret: Contact support for your secret
      • Click OK to save the RADIUS Server
    4. Using the navigation panel to the left click on User Groups under the User & Authentication section
    5. Click Create New and configure with the following settings
      • Name: SmartWiFi
      • Type: Firewall
      • Remote Groups: Click Add and choose SmartWiFi as the Remote Server
      • Click OK to add the Remote Server
      • Click OK to save the User Group.
    6. Use the navigation panel to the left to open Policy & Objects and click on Addresses
    7. Click Create New > Address Group and configure with the following settings
      1. Group Name: SmartWiFi
      2. Type: Group
      3. Members: Click the + icon to add to the group
      4. Using the Select Entries menu click +Create > Address and configure with the following settings
        • Name: SmartWiFi Online
        • Type: Subnet
        • IP Range: 10.5.50.0/255.255.255.0
        • Interface: Any
        • Click OK to save the Address
      5. Click the +Create > Address again and configure with the following settings
        • Name: insert wildcard domain here (Example- *.smartwifiplatform.com)
        • Type: FQDN
        • FQDN: insert wildcard domain here (Example- *.smartwifiplatform.com)
        • Click OK to save the Address
      6. Complete step 7.5 for each wildcard entry found in the default walled garden entries for the platform.

        Following the process outlined above in step 7.5, be sure to include any additional entries provided by support.

      7. Using the Select Entries menu add all the entries created in steps 7.4 and 7.5 to the group
      8. Click OK to Save the Address Group
    8. Use the navigation panel to the left to open WiFi & Switch Controller and click on SSIDs
    9. Click Create New > SSID and configure with the following settings
      • Name: SmartWiFi
      • Type: WiFi SSID
      • Traffic mode: Tunnel
      • IP/Netmask: 10.5.50.1/255.255.255.0
      • DHCP Server: Enabled
      • DNS Server: Specify- 8.8.8.8
      • SSID: Guest WiFi (Or whatever name you want)
      • Broadcast SSID: Enabled
      • Security Mode: Captive Portal
      • Portal Type: Authentication
      • Authentication Portal: External
        External URL: Contact support for your External URL
      • User Groups: SmartWiFi
      • Exempt Destinations/Services: SmartWiFi
      • Redirect after Captive Portal: Specific URL
        Specific URL: Contact support for your Specific URL
      • Click OK to save
    10. Use the navigation panel to the left to open Policy & Objects and click on Firewall Policy
    11. Click Create New and configure with the following settings
      • Name: SmartWiFi
      • Incoming Interface: Guest WiFi, or whatever you named the SSID (SmartWiFi)
      • Outgoing Interface: Select your configured WAN
      • Source: SmartWiFi
      • Destination: all
      • Schedule: always
      • Service: ALL
      • Action: Accept
      • Enable this policy: Enabled
      • Click OK to save
    12. This completes the configuration through the user interface. The following steps must be completed using a command line.
      1. Use the menu panel on the top to open a new CLI Console window
      2. To configure RADIUS Accounting enter the following commands. Fill in the “x.x.x.x” and XXXXXX in the instructions below with the RADIUS Server IPs and Secret you used in step 3 of this guide.
        config user radius
        edit "SmartWiFi"
        config accounting-server
        edit 1
        set status enable
        set server "x.x.x.x"
        set secret XXXXXX
        next 
        edit 2
        set status enable
        set server "x.x.x.x"
        set secret XXXXXX
        next
        end
        end
        
      3. To enable RADIUS COA enter the following commands
        config user radius
        edit "SmartWiFi"
        set radius-coa enable
        set acct-all-servers enable
        next
        end
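
Before pasting the CLI steps above into the console, the nesting and the placeholders can be checked offline. The following is an added example, not code from the platform vendor or Fortinet: `check_block` is a hypothetical helper that models only the `config`/`edit`/`set`/`next`/`end` nesting used in this guide, and the sample input is constructed.

```python
import shlex

# Constructed sample: the guide's two CLI blocks merged, placeholders unfilled, one surplus 'end'.
SAMPLE = """
config user radius
edit "SmartWiFi"
config accounting-server
edit 1
set status enable
set server "x.x.x.x"
set secret XXXXXX
next
end
set radius-coa enable
set acct-all-servers enable
next
end
end
"""
PLACEHOLDERS = {"x.x.x.x", "XXXXXX"}  # as printed in the guide

def check_block(text):
    """Return (settings, problems) for a config/edit/set/next/end block."""
    stack, settings, problems = [], {}, []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        tok = shlex.split(raw)
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        top = stack[-1][0] if stack else None
        if cmd == "config" or (cmd == "edit" and top == "config"):
            stack.append((cmd, " ".join(args)))
        elif cmd == "next" and top == "edit":
            stack.pop()                  # save the entry, stay in the table
        elif cmd == "end" and top:
            if top == "edit":
                stack.pop()              # 'end' also saves the open entry
            stack.pop()                  # and closes the enclosing table
        elif cmd == "set" and top == "edit" and len(args) >= 2:
            path = "/".join(name for _, name in stack)
            settings[(path, args[0])] = args[1]
            if args[1] in PLACEHOLDERS:
                problems.append(f"line {n}: placeholder left in '{args[0]}'")
        else:
            problems.append(f"line {n}: '{raw.strip()}' not valid here")
    if stack:
        problems.append("block ends with an open config or edit")
    return settings, problems
```

Call `check_block()` on the text you are about to paste; an empty problems list means the nesting is balanced and no placeholder from this guide remains. The returned settings can also be compared against the values support issued.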

Troubleshooting Tips

  1. If devices are redirected but the page fails to load, please ensure all of the walled garden entries have been configured and added to the address group assigned to the Exempt Destinations/Services of the Guest WiFi SSID.
  2. If devices are redirected but presented with a hotspot deactivated message, please ensure that the MAC addresses of all access points broadcasting the Guest WiFi SSID have been reported to support.

Disclaimer on hardware configuration guides in the KB:

This equipment has been integrated and tested in our labs with the Smart WiFi Platform using the firmware versions below.

Fortigate 200F firmware v7.0.6
AP firmware version PU421E-v6.2-build0267

LIMITED HARDWARE SUPPORT: Hardware manufacturers frequently make changes to firmware, controllers and GUIs. The information below may be out of date or images may be different and is to be used as a general reference guide. We do offer additional limited support to help with troubleshooting and we highly recommend that you have a hardware support agreement and/or access to a hardware support engineering representative from the manufacturer.

Updated on August 10, 2022
