FortiGate / FortiWiFi

Compatibility

Social WiFi has been tested and is proven to work on the following configurations:

FortiWiFi – wireless interfaces

  • FortiOS version 5.6.0 and above (tested up to 7.0.1)

FortiGate hardware or virtual machine – wired interfaces

  • recommended: FortiOS version 6.2.4 and above (tested up to 7.0.1)

  • FortiOS version 5.6.0 and above work if the captive portal is enabled on a physical interface, VLAN interfaces are not supported below FortiOS 6.2.4

Access the device’s configuration panel

This guide assumes using the web based UI of the controller, which you can access by entering the IP address of the device in your browser. The screenshots are based on firmware v5.6.2.

Alternatively, if your device is managed from FortiCloud, you can access the management UI from there.

RADIUS configuration

Go to User & DeviceRADIUS ServersCreate New and use the following settings:

NameSocial WiFi

Primary Server IP/Name

35.205.62.147

Primary Server Secret

Radius Secret is available in Access Points tab of the Social WiFi Panel

Secondary Server IP/Name

Leave empty

Secondary Server Secret

Leave empty

Authentication Method

Specify

Method

PAP

NAS IP

Leave empty

Press OK.

The login "pattern" for Test Connectivity is: test_RADIUS,

where RADIUS is the Radius Secret available in Access Points tab of the Social WiFi Panel.

For password use the same credential.

For example, if my Radius Secret is "myradiussecret", my login would be "test_myradiussecret".

Now you need to change the RADIUS port to 31812. Open the CLI Console (top right corner, between “help” and username).

Copy (ctrl+C) and paste (ctrl+V) or type the following commands:

config user radius
    edit "Social WiFi"
        set radius-port 31812
    next
end

Also, please add an Accounting server the same way (CLI Console):

config user radius
  edit "Social WiFi"
    config accounting-server
      edit 1
        set status enable
        set server 35.205.62.147
        set secret [RADIUS secret from the panel]
        set port 31813
      next
    next
   end 

Setting the auth-timeout

In the CLI console, enter the following commands:

config user setting
set auth-timeout-type idle-timeout
end
config user group
edit Social\ WiFi\ -\ Guest
set authtimeout 480
end

Where the "set authtimeout 480" is in minutes and you can adjust the value freely. This will make your users have to relogin after not being active in the network for 8 hours.

Then close the CLI console by clicking the “x” button in the top right corner.

Remote Group configuration

Go to User & Device → User Groups → Create New

and use the following settings:

NameSocial WiFi - Guest

Type

Firewall

Members

Leave empty

Under Remote Groups, click Add and then select Social WiFi from the Remote Server dropdown list. Click OK to save and then click OK again.

Walled Garden configuration

Now we need to add all the services that will be available without logging in. This list includes Social WiFi login page and third-party social login services (like Facebook, Google). The following guide assumes firmware version 5.6.2, which doesn’t support domains with wildcard (e.g. “*.facebook.com”). Using wildcards was added in firmware 6.2.2, so if you have that version or higher, you may adjust the following steps accordingly.

The suggested way to add all required entries, is to use the CLI again to copy (ctrl+C) and paste (ctrl+V) the following scripts. Please note, that the script is split into two parts, because there’s a length limit that cannot be exceeded.

Note: A regional Google domain according to your geographic location has to be added to make Google login work. Please edit the “Social WiFi – Google 1 – regional” value below accordingly, e.g. if you’re based in UK, add “accounts.google.co.uk”.

Part 1:

# Social WiFi main service
config firewall address
    edit "Social WiFi - main 1"
        set type fqdn
        set fqdn "login.socialwifi.com"
    next
    edit "Social WiFi - main 2"
        set type fqdn
        set fqdn "sw-login.com"
    next
end
config firewall addrgrp
    edit "Social WiFI - main"
        set member "Social WiFi - main 1" "Social WiFi - main 2"
    next
end

# Facebook remarketing pixel
config firewall address
    edit "Social WiFi - Facebook pixel 1"
        set type fqdn
        set fqdn "connect.facebook.net"
    next
    edit "Social WiFi - Facebook pixel 2"
        set type fqdn
        set fqdn "www.facebook.com"
    next
end
config firewall addrgrp
    edit "Social WiFI - Facebook pixel"
        set member "Social WiFi - Facebook pixel 1" "Social WiFi - Facebook pixel 2"
    next
end

# Google remarketing tag
config firewall address
    edit "Social WiFi - Google tag 1"
        set type fqdn
        set fqdn "www.googletagmanager.com"
    next
    edit "Social WiFi - Google tag 2"
        set type fqdn
        set fqdn "www.googleadservices.com"
    next
    edit "Social WiFi - Google tag 3"
        set type fqdn
        set fqdn "googleads.g.doubleclick.net"
    next
end
config firewall addrgrp
    edit "Social WiFI - Google tag"
        set member "Social WiFi - Google tag 1" "Social WiFi - Google tag 2" "Social WiFi - Google tag 3"
    next
end

# Google login
config firewall address
    edit "Social WiFi - Google 1 - regional"
        set type fqdn
        set fqdn "accounts.google.co.uk"
    next
    edit "Social WiFi - Google 2"
        set type fqdn
        set fqdn "accounts.google.com"
    next
    edit "Social WiFi - Google 3"
        set type fqdn
        set fqdn "ssl.gstatic.com"
    next
    edit "Social WiFi - Google 4"
        set type fqdn
        set fqdn "fonts.gstatic.com"
    next
    edit "Social WiFi - Google 5"
        set type fqdn
        set fqdn "accounts.youtube.com"
    next
    edit "Social WiFi - Google 6"
        set type fqdn
        set fqdn "content.googleapis.com"
    next
    edit "Social WiFi - Google 7"
        set type fqdn
        set fqdn "apis.google.com"
    next
end
config firewall addrgrp
    edit "Social WiFi - Google"
        set member "Social WiFi - Google 1 - regional" "Social WiFi - Google 2" "Social WiFi - Google 3" "Social WiFi - Google 4" "Social WiFi - Google 5" "Social WiFi - Google 6" "Social WiFi - Google 7"
    next
end

# Facebook login
config firewall address
    edit "Social WiFi - Facebook 1"
        set type fqdn
        set fqdn "www.facebook.com"
    next
    edit "Social WiFi - Facebook 2"
        set type fqdn
        set fqdn "facebook.com"
    next
    edit "Social WiFi - Facebook 3"
        set type fqdn
        set fqdn "static.xx.fbcdn.net"
    next
    edit "Social WiFi - Facebook 4"
        set type fqdn
        set fqdn "external-frt3-2.xx.fbcdn.net"
    next
end
config firewall addrgrp
    edit "Social WiFi - Facebook"
        set member "Social WiFi - Facebook 1" "Social WiFi - Facebook 2" "Social WiFi - Facebook 3" "Social WiFi - Facebook 4"
    next
end

Part 2:

# Twitter login
config firewall address
    edit "Social WiFi - Twitter 1"
        set type fqdn
        set fqdn "twitter.com"
    next
    edit "Social WiFi - Twitter 2"
        set type fqdn
        set fqdn "api.twitter.com"
    next
    edit "Social WiFi - Twitter 3"
        set type fqdn
        set fqdn "pbs.twimg.com"
    next
    edit "Social WiFi - Twitter 4"
        set type fqdn
        set fqdn "abs-0.twimg.com"
    next
    edit "Social WiFi - Twitter 5"
        set type fqdn
        set fqdn "abs.twimg.com"
    next
end
config firewall addrgrp
    edit "Social WiFi - Twitter"
        set member "Social WiFi - Twitter 1" "Social WiFi - Twitter 2" "Social WiFi - Twitter 3" "Social WiFi - Twitter 4" "Social WiFi - Twitter 5"
    next
end

# LinkedIn login
config firewall address
    edit "Social WiFi - LinkedIn 1"
        set type fqdn
        set fqdn "www.linkedin.com"
    next
    edit "Social WiFi - LinkedIn 2"
        set type fqdn
        set fqdn "static-exp1.licdn.com"
    next
    edit "Social WiFi - LinkedIn 3"
        set type fqdn
        set fqdn "media-exp1.licdn.com"
    next
    edit "Social WiFi - LinkedIn 4"
        set type fqdn
        set fqdn "static.licdn.com"
    next
end
config firewall addrgrp
    edit "Social WiFi - LinkedIn"
        set member "Social WiFi - LinkedIn 1" "Social WiFi - LinkedIn 2" "Social WiFi - LinkedIn 3" "Social WiFi - LinkedIn 4"
    next
end

# Group everything in one group
config firewall addrgrp
    edit "Social WiFi"
        set member "Social WiFI - main" "Social WiFI - Facebook pixel" "Social WiFI - Google tag" "Social WiFi - Google" "Social WiFi - Facebook" "Social WiFi - Twitter" "Social WiFi - LinkedIn"
    next
end

WiFi configuration (wireless interface)

Go to WiFi & Switch Controller → SSID and set the "Broadcast SSID" toggle off.

Press OK and Create New SSID.

If you already have an existing WiFi network, edit it accordingly instead (you can skip to the “WiFi Settings” part).

Interface configuration:

Interface NameSocial WiFi

Alias

sw interface

Type

WiFi SSID

Traffic Mode

Tunnel

IP/Network Mask

10.8.0.1/255.255.0.0

DHCP Server

Enabled

Address Range

Should be prefilled, if not, use 10.8.0.2 – 10.8.255.254

Netmask

Should be prefilled, if not, use 255.255.0.0

WiFi Settings:

SSIDSocial WiFi (or any name that you prefer)

Security Mode

Captive Portal

Portal Type

Authentication

Authentication Portal

External: http://login.socialwifi.com/

User Groups

Social WiFi – Guest

Exempt Sources

Leave empty

Exempt Destinations/Services

Social WiFi (in ADDRESS GROUP tab, scroll down if it's hidden)

Redirect after Captive Portal

Original request

Press OK.

Interface configuration (wired interface)

You can also run Social WiFi on a wired, physical interface and plug access points there. In this scenario those access points don’t have to be managed by the FortiGate unit.

Go to Network → Interfaces and double-click on the interface that you want to install Social WiFi on and configure as follows:

Interface Name*any lan interface you want Social WiFi on

Alias

socialwifi-lan*

Role

LAN

Addressing mode

Manual

IP/Network Mask

10.8.0.1/255.255.0.0

IPv4

Leave unchecked

DHCP Server

Enabled

Address range

Should be autofilled, if not - copy from the image below

Security Mode

Captive Portal

Authentication Portal

External: http://login.socialwifi.com/

User Access

Restricted to Groups

User Groups

Social WiFi – Guest

Customize Portal Messages

Unchecked

Exempt Sources

Leave empty

Exempt Destinations/Services

Social WiFi

Press OK.

Firewall configuration

You need to allow for traffic from guests using the WiFi, because the default policy is to deny all traffic.

Go to Policy & Objects → IPv4 Policy → Create New and use the following settings:

NameSocial WiFi Allow Guests

Incoming Interface

Social WiFi (the interface created or edited in the previous point)

Outgoing Interface

wan1 (your WAN interface)

Source

all

Destination

all

Service

ALL

Action

ACCEPT

Press OK.

Add the device to Social WiFi Panel

The setup of the controller is now finished. The last step is to add the MAC address(es) to the Social WiFi platform. Usually the MAC address will be printed on a label on the device itself. It should be visible in the GUI as well on the edit interface screen. If you don’t know the MAC address, please contact Social WiFi Support.

Now, switch to Social WiFi Panel, go to Access Points tab, click the Add button and paste the MAC address(es). Click Create.

Test the solution

Connect with the WiFi network. You should see a login page. Go through the login process and, once finished, you should have internet access. You should see first connections and authorisations in the Social WiFi Panel’s statistics section.

Troubleshooting

If you have any external firewall behind the FortiGate device, please make sure that you enable these ports:

  • TCP/8080 (Captive Portal (http redirection))

  • TCP/8081 (Captive Portal (https redirection)

  • UDP/9177, 337008 (AP Communication (Capture Packets subsystem))

Last updated