FortiConnect Guest on-boarding and using RSSO

Login to the admin page of your FortiConnect.

Go to Devices > RADIUS clients and add your WLC as a RADIUS client.

Name: Name of your WLC
Device IP: IP address of your WLC.
Secret: Choose a Shared Secret between FortiConnect and WLC)
Type: Meru SD 8.0 & Later

Go to the Automatic Setup tab and fill in the information needed for the FortiConnect to perform WLC configuration.

Device IP: IP address of your WLC
Admin user: admin username at WLC
Admin password: password of the WLC admin user
Captive Portal Name: Name that will be used to create/name the Captive Portal Profile at WLC.

This will create a RADIUS profile, a captive portal profile, and a Quality of Service (QoS) rule to allow access to the guest portal on the WLC.

The QoS rule is similar to a firewall rule, to allow the wireless device to be redirected to FortiConnect Captive Portal before the user or device is authenticated.

Click Setup Controller and FortiConnect will establish a SSH connection to the WLC.

It might take a minute or two for the actual configuration to finish.

When done you should see a message similar to this one.

Go to Devices > RADIUS Accounting Servers
and add your WLC as a radius client.

Name: Name your FortiGate
Server IP: IP address of your FortiGate (matching the interface that will listen to the RADIUS Accounting messages)
Secret: Chosse a Shared Secret between FortiConnect and Fortigate)
Accounting port: 1813

Login to WLC with admin credentials.

Go to Configuration > Security > RADIUS and validate that FortiConnect has created the two RADIUS profiles.

Validate that the automatic setup process on FortiConnect has created the two RADIUS profiles.

IDAUxxx = Authentication profile
IDACxxx = Accounting profile

Go to Configuration > Security > Captive Portal and select the Captive Portal Profiles tab.

Validate that the Captive Portal profile is created.

If needed, hit the pencil icon the edit the profile.

Go to Configuration > Security > Profile and click the ADD bottom for creating a new Security Profile.

Fill in information:

Security Profile name: Name of your security profile
Security mode: Open
Captive Portal: WebAuth
Captive Portal profile: select the profile name that’s been created earlier
Captive Portal Authentication method: external (as we use FortiConnect Portal)
Pass-through Firewall Filter ID: Matching the name from the Automatic Setup used in FortiConnect earlier
Firewall Capabilities: radius-configured (allows the WLC to use RADIUS attributes)

Go to Configuration > Wireless > ESS and click the ADD bottom for creating a new ESS profile.

Fill in information:

ESS Profile: Name the ESS profile
SSID: Name the SSID, (if left empty SSID will be same as ESS profile name)
Security Profile: Use the newly created security profile
RADIUS Accounting: Use the FortiConnect accounting profile (IDACxxxx)

Click SAVE, then accept the message that this is only for Virtual Cell AP’s (that’s what we use as the default option in WLC). Accept the message.

Login to your Fortigate with admin credentials

Go to Network > Interfaces and edit the interface that is matching the IP address added as RADIUS Acounting Server at FortiConnect.

Enable RADIUS Accounting using the check-box.

Go to User & Device > Authentication > Single Sign-On and create a new agent.

Type: RADIUS Single Sign-On Agent
Enable both Use RADIUS Shared Secret and Send RADIUS Responses.

Go to User & Device > User > User Groups and create a new user group.

Type: RADIUS Single Sign-On (RSSO)
RADIUS Attribute Value: Will match the RADIUS attribute from FortiConnect, In this example we use “staff” to identify a staff user. (remember the value is case-sensitive)

Setting RADIUS Attribute at FortiConnect for the corresponding Authorization Profile.

Attribute value used is “Class”

FortiConnect maps the user into the Account Group during the backend authentication to Microsft Active Directory.

Go to CLI of your FortiGate and edit the RSSO Agent

fw # config user radius

Then edit the RSSO entry

fw (radius) # edit RSSO\ Agent
fw (RSSO Agent) # set rsso-endpoint-attribute User-Name
fw (RSSO Agent) # end