Captive portal WiFi access with a FortiToken-200

In this recipe, you will enforce two-factor authentication for WiFi users who have physical FortiToken-200s through a captive portal. FortiToken-200 users who attempt to browse the Internet will be redirected to the captive portal login page and asked to enter their username, password, and token code.

This recipe assumes that you already have a FortiAP unit connected and authorized to the FortiGate, and that the SSID has been set up and configured to use Captive Portal. For a recipe on how to set up a wireless network through a captive portal, see Captive portal WiFi access control.

This recipe is designed for a FortiToken-200 physical key generator. See step 3 for information about using FortiToken Mobile.

1. Adding the FortiToken
Go to User & Device > FortiTokens and create a new FortiToken. Set Type to Hard Token and enter the FortiToken’s Serial Number into the field provided.
2. Editing the user and assigning the FortiToken
Go to User & Device > User Definition and edit the user (rgreen). Select Enable Two-factor Authentication and select the token created earlier. Select Add this user to groups and add the user to the captive portal user group (employees).
This recipe is designed for a FortiToken-200 physical key generator. If the user has FortiToken Mobile, the user’s contact information must be included so that the FortiToken code can be set to the user via Email or SMS.
3. Results
When a user attempts to browse the Internet, they will be redirected to the captive portal login screen.
Members of the FortiToken group must enter their Username and Password, but will then be redirected to a screen requiring the user to enter their Token Code. Once the code is successfully entered, the user will be redirected to the URL originally requested.
On the FortiGate, go to Monitor > WiFi Client Monitor to verify that the user is authenticated.