Device & Controller Setup Guide - FortiGate with firmware version 5.4 Device
1. Setup the Fortigate Hostname
In the settings, under the tab Dashboard / System Information you need to change the hostname with the Fortigate MAC Address.
Note: If you are using the hardware switch as the hotspot interface, make sure to use the Fortigate MAC Address. If you are using physical interface, make sure that we use the physical MAC Address.
Add the RADIUS server
Under the tab User&Device / RADIUS Servers you need to create a record for primary RADIUS server with the following settings :
Then, you need to configure a FortiGate unit to send accounting interim updates to the Kiwire server to update the status of an active session. In the CLI console, run the following command: config user radiusedit [name] #name Kiwireconfig accounting-serveredit 1set status enableset server [IP] # IP of Kiwireset secret [secret] # shared secret keyendset acct-interim-interval [duration] #duration between each interim update (600 to 86400 seconds)end Here is the sample output:
You can also test a Fortigate user authentication to Kiwire server. Below is the RADIUS diagnostic command :Fortigate # diagnose test authserver radius radius-server pap user1 password1 Here is the sample output:
As the next step, you need to create a user in User&Device / User Definition with the following settings:
In User&Device / User Groups you need to create an authentication group:
3. Create the Hotspot Interface
Go to System > Network > Interface to create the interface with the following settings:
4. Create a “WALLED GARDEN”
To allow the user to get the content through the Kiwire Page to connect you need to allow specific IP addresses. To do so, go to Policy & Objects / Addresses. You can create required records based on the table below. You can merge them under one title to make it more clean to understand and allow better management. Specific records for Google, Facebook and Twitter should be created only when you use social networks for authentication.
Also, adding the synchroweb socialgate
Go to Policy & Objects > Objects > Addresses and create an address for the captive portal.
Go to Policy & Objects > Policy >IPv4. Create a security policy for unauthenticated users that allows access only to the captive portal and other wallgarden addresses.
In the CLI, enable bypass of the captive portal so that the user can make the initial contact with the external server.
5. Create the Internet access security policy
The first rule for allowing the access to selected sources for not-authenticated users.
The second rule for access to the DNS service to the master subnet.
To redirect user after login to a specific URL, edit the system interface and set the security-redirect-url
Kiwire
1. Login to Kiwire Captive Portal; http://Kiwire_IP_Address/admin 2. Go to Device > NAS and add NAS for FortiAP
3. Go to Device > Zone and create a zone for the FortiWiFi. We can assign the zone based on NAS ID, VLAN, IP address, or SSID.
4. After that, edit the zone and click Add and add the Fortigate MAC address in the NAS ID field.