In this recipe we will use FortiAuthenticator as the guest portal for users connecting to a wireless network provided by FortiWLC.
1. Creating the FortiAuthenticator as a RADIUS server on the FortiWLC
On the FortiWLC, go to Configuration > Security > RADIUS, click the ADD button and create two profiles: one for Authentication and one for Accounting.
RADIUS Profile name: Enter a name for the profile. TIP: Use a name that indicates whether the profile is used for Authentication or Accounting.
RADIUS IP: IP address of the FortiAuthenticator.
RADIUS Secret: Shared secret between the FortiWLC and the FortiAuthenticator.
RADIUS Port: 1812 for the Authentication profile and 1813 for the Accounting profile.
2. Creating the Captive Portal Profile on the FortiWLC
On the FortiWLC, go to Configuration > Security > Captive Portal, select the Captive Portal Profiles tab, and ADD a new profile.
CP Name: Enter a name for the profile.
Authentication Type: RADIUS.
Primary Authentication: Your Authentication profile.
Primary Accounting: Your Accounting profile.
External Server: FortinetConnect.
External Portal URL: https://<fortiauthenticator-ip>/guests
Public IP of Controller: IP address of the FortiWLC.
3. Creating the Security Profile on the FortiWLC
On the FortiWLC, go to Configuration > Security > Profile, and ADD a new profile.
Profile Name: Enter a name for the profile.
Security mode: Open.
Captive Portal: Webauth.
Captive Portal Profile: Select the profile created earlier.
Captive Portal Authentication Method: external.
Passthrough Firewall Filter ID: A string of your choice; the QoS rules in step 4 reference it to allow access to the portal before authentication.
4. Creating the QoS rule on the FortiWLC
On the FortiWLC, go to Configuration > Policies > QoS and select the QoS and Firewall Rules tab.
Use the ADD button to create two rules.
For the first rule, allow the wireless client to reach the FortiAuthenticator’s guest portal.
ID: Rule number.
Destination IP: IP address of the FortiAuthenticator, and enable Match.
Destination Netmask: 255.255.255.255
Destination Port: 443, and enable Match.
Network Protocol: 6, and enable Match.
Firewall Filter ID: Use the “Passthrough Firewall Filter ID” string from the Security Profile, and enable Match.
QoS Protocol: Other.
For the second rule, allow the return traffic from the FortiAuthenticator to the clients.
ID: Rule number.
Source IP: IP address of the FortiAuthenticator, and enable Match.
Source Netmask: 255.255.255.255
Source Port: 443, and enable Match.
Network Protocol: 6, and enable Match.
Firewall Filter ID: Use the “Passthrough Firewall Filter ID” string from the Security Profile, and enable Match.
QoS Protocol: Other.
5. Creating the ESS Profile on the FortiWLC
On the FortiWLC, go to Configuration > Wireless > ESS and ADD an ESS profile.
Configure the profile with an appropriate ESS Profile name and SSID, then select the Security Profile that contains the Captive Portal settings.
Primary RADIUS Accounting Server: Your RADIUS Accounting profile.
6. Creating the FortiWLC as a RADIUS client on the FortiAuthenticator
On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create a new client.
Set Client address to IP/Hostname and enter the FortiWLC management IP as the IP address. Set the same Secret that was entered during the RADIUS configuration on the FortiWLC.
In the Profiles section, set a new profile name and choose the EAP types.
In the Realms section, choose the realms that are allowed.
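Before testing with a wireless client, it is worth checking from a host that the RADIUS profile on the FortiWLC (step 1) and the client entry on the FortiAuthenticator (step 6) agree on port and shared secret. The following is an added example, not part of the recipe or of either product: a minimal RFC 2865 Access-Request client; the server address, secret, credentials and NAS IP are constructed placeholders.

```python
# Added example (not part of the recipe): a minimal RFC 2865 Access-Request client to check
# that the RADIUS profile on the FortiWLC (step 1) and the RADIUS client entry on the
# FortiAuthenticator (step 6) agree on port and shared secret. All values are placeholders.
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def pap_transform(data, secret, auth, decrypt=False):
    # RFC 2865 5.2 User-Password hiding (inverse with decrypt=True): XOR each 16-byte block
    # with MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (chunk if decrypt else block)
    return out

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_ip, auth=None):
    auth = auth or os.urandom(16)  # Request Authenticator; also seeds password hiding
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_transform(password.encode(), secret, auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def sign_reply(code, ident, request_auth, attrs, secret):
    # Server side (RFC 2865 section 3): MD5(Code + ID + Length + RequestAuth + Attrs + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request_auth, secret):
    # Fails when the server signed with a different shared secret (or the packet was altered).
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return len(reply) >= 20 and hmac.compare_digest(expected, reply[4:20])

def radius_check(server, secret, user, password, nas_ip, port=1812, timeout=3.0):
    packet, auth = build_access_request(1, user, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:  # requests from unknown client IPs are silently dropped
            return "no reply: check the RADIUS client entry on the FortiAuthenticator"
    if not reply_is_authentic(reply, auth, secret):
        return "bad Response Authenticator: shared secrets differ"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(reply[0], "other")
```

Run it from the FortiWLC management address (the NAS IP configured as the client in step 6), for example radius_check("192.0.2.10", b"SharedSecret", "guest", "guestpw", "192.0.2.20") with your own values; an Access-Reject with a valid Response Authenticator still proves that port and secret match.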
7. Creating the Guest Portal on the FortiAuthenticator
On the FortiAuthenticator, go to Authentication > Guest Portals > Portals and create a new portal.
For the Profile Configuration select the RADIUS profile created earlier.
8. Creating the Portal Rule on the FortiAuthenticator
On the FortiAuthenticator, go to Authentication > Guest Portal > Rules and create a new rule.
For Action choose Go to portal, and select the portal created earlier.
You can use different HTTP parameters to determine which portal to show (useful when there are multiple portals for different FortiWLCs and/or client IP subnets).
9. Results
Connect a client to the SSID created on the FortiWLC, then log in to the portal with the correct username and password.
You can use Authentication > User Management > Local Users to create local user accounts for the FortiAuthenticator.
To confirm the successful login, on the FortiAuthenticator go to Logging > Log Access > Logs and find the line showing User Portal in the Sub Category column.
To confirm the successful login on the FortiWLC, go to Monitor > Devices > All Stations and find the device showing the authenticated user.
The post FortiAuthenticator as Guest Portal for FortiWLC appeared first on Fortinet Cookbook.