1. Access the device’s configuration panel

This guide assumes you are using the controller's web-based UI, which you can access by entering the device's IP address in your browser. The screenshots are based on firmware v5.6.2.

Alternatively, if your device is managed from FortiCloud, you can access the management UI from there.

2. RADIUS configuration

Go to User & Device → RADIUS Servers → Create New and use the following settings:

  • Name: Social WiFi
  • Primary Server IP/Name: 35.205.62.147
  • Primary Server Secret: the RADIUS Secret, available in the Access Points tab of the Social WiFi Panel
  • Authentication Method: Specify
  • Method: PAP

Click OK to save.

Now you need to change the RADIUS port to 31812. Open the CLI Console (top right corner, between “help” and your username).

Copy (ctrl+C) and paste (ctrl+V) or type the following commands:
config user radius
    edit "Social WiFi"
        set radius-port 31812
    next
end

Then close the CLI console by clicking the “x” button in the top right corner.

3. Remote Group configuration

Go to User & Device → User Groups → Create New and use the following settings:

  • Name: Social WiFi - Guest
  • Type: Firewall

Under Remote Groups, click Add and then select Social WiFi from the Remote Server dropdown list. Click OK to save and then click OK again.

4. Walled Garden configuration

Now we need to add all the services that will be available without logging in. This list includes the Social WiFi login page and third-party social login services (like Facebook, Google). The following guide assumes firmware version 5.6.2, which doesn’t support wildcard domains (e.g. “*.facebook.com”). Wildcard support was added in firmware 6.2.2, so if you have that version or higher, you may adjust the following steps accordingly.

The suggested way to add all required entries is to use the CLI again and paste the following scripts. Please note that you need to paste them in two parts, because there’s a length limit that cannot be exceeded.

If you use the scripts below, you don’t have to do anything else in this step. Go straight to step 5.

Part 1:


# Social WiFi main service
config firewall address
edit "Social WiFi - main 1"
set type fqdn
set fqdn "login.socialwifi.com"
next
edit "Social WiFi - main 2"
set type fqdn
set fqdn "sw-login.com"
next
end
config firewall addrgrp
edit "Social WiFI - main"
set member "Social WiFi - main 1" "Social WiFi - main 2"
next
end
 
# Facebook remarketing pixel
config firewall address
edit "Social WiFi - Facebook pixel 1"
set type fqdn
set fqdn "connect.facebook.net"
next
edit "Social WiFi - Facebook pixel 2"
set type fqdn
set fqdn "www.facebook.com"
next
end
config firewall addrgrp
edit "Social WiFI - Facebook pixel"
set member "Social WiFi - Facebook pixel 1" "Social WiFi - Facebook pixel 2"
next
end
 
# Google remarketing tag
config firewall address
edit "Social WiFi - Google tag 1"
set type fqdn
set fqdn "www.googletagmanager.com"
next
edit "Social WiFi - Google tag 2"
set type fqdn
set fqdn "www.googleadservices.com"
next
edit "Social WiFi - Google tag 3"
set type fqdn
set fqdn "googleads.g.doubleclick.net"
next
end
config firewall addrgrp
edit "Social WiFI - Google tag"
set member "Social WiFi - Google tag 1" "Social WiFi - Google tag 2" "Social WiFi - Google tag 3"
next
end
 
# Google login
config firewall address
edit "Social WiFi - Google 1 - regional"
set type fqdn
set fqdn "accounts.google.co.uk"
next
edit "Social WiFi - Google 2"
set type fqdn
set fqdn "accounts.google.com"
next
edit "Social WiFi - Google 3"
set type fqdn
set fqdn "ssl.gstatic.com"
next
edit "Social WiFi - Google 4"
set type fqdn
set fqdn "fonts.gstatic.com"
next
edit "Social WiFi - Google 5"
set type fqdn
set fqdn "accounts.youtube.com"
next
edit "Social WiFi - Google 6"
set type fqdn
set fqdn "content.googleapis.com"
next
edit "Social WiFi - Google 7"
set type fqdn
set fqdn "apis.google.com"
next
end
config firewall addrgrp
edit "Social WiFi - Google"
set member "Social WiFi - Google 1 - regional" "Social WiFi - Google 2" "Social WiFi - Google 3" "Social WiFi - Google 4" "Social WiFi - Google 5" "Social WiFi - Google 6" "Social WiFi - Google 7"
next
end
 
# Facebook login
config firewall address
edit "Social WiFi - Facebook 1"
set type fqdn
set fqdn "www.facebook.com"
next
edit "Social WiFi - Facebook 2"
set type fqdn
set fqdn "facebook.com"
next
edit "Social WiFi - Facebook 3"
set type fqdn
set fqdn "static.xx.fbcdn.net"
next
edit "Social WiFi - Facebook 4"
set type fqdn
set fqdn "external-frt3-2.xx.fbcdn.net"
next
end
config firewall addrgrp
edit "Social WiFi - Facebook"
set member "Social WiFi - Facebook 1" "Social WiFi - Facebook 2" "Social WiFi - Facebook 3" "Social WiFi - Facebook 4"
next
end

Part 2:


# Twitter login
config firewall address
edit "Social WiFi - Twitter 1"
set type fqdn
set fqdn "twitter.com"
next
edit "Social WiFi - Twitter 2"
set type fqdn
set fqdn "api.twitter.com"
next
edit "Social WiFi - Twitter 3"
set type fqdn
set fqdn "pbs.twimg.com"
next
edit "Social WiFi - Twitter 4"
set type fqdn
set fqdn "abs-0.twimg.com"
next
edit "Social WiFi - Twitter 5"
set type fqdn
set fqdn "abs.twimg.com"
next
end
config firewall addrgrp
edit "Social WiFi - Twitter"
set member "Social WiFi - Twitter 1" "Social WiFi - Twitter 2" "Social WiFi - Twitter 3" "Social WiFi - Twitter 4" "Social WiFi - Twitter 5"
next
end
 
# LinkedIn login
config firewall address
edit "Social WiFi - LinkedIn 1"
set type fqdn
set fqdn "www.linkedin.com"
next
edit "Social WiFi - LinkedIn 2"
set type fqdn
set fqdn "static-exp1.licdn.com"
next
edit "Social WiFi - LinkedIn 3"
set type fqdn
set fqdn "media-exp1.licdn.com"
next
edit "Social WiFi - LinkedIn 4"
set type fqdn
set fqdn "static.licdn.com"
next
end
config firewall addrgrp
edit "Social WiFi - LinkedIn"
set member "Social WiFi - LinkedIn 1" "Social WiFi - LinkedIn 2" "Social WiFi - LinkedIn 3" "Social WiFi - LinkedIn 4"
next
end
 
# Group everything in one group
config firewall addrgrp
edit "Social WiFi"
set member "Social WiFI - main" "Social WiFI - Facebook pixel" "Social WiFI - Google tag" "Social WiFi - Google" "Social WiFi - Facebook" "Social WiFi - Twitter" "Social WiFi - LinkedIn"
next
end
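
As an added example (not part of the original guide or of Social WiFi's tooling), the Python check below parses a script in the format above and reports group members that do not exactly match a defined object name, plus wildcard FQDNs, which firmware 5.6.2 does not support. The sample input and the function names `parse` and `audit` are constructed for illustration; run it on any edited copy of the scripts before pasting them into the CLI.

```python
import shlex
# Constructed sample: a capitalisation slip ("WiFI") and a wildcard FQDN.
SAMPLE = '''
# Social WiFi main service
config firewall address
edit "Social WiFi - main 1"
set type fqdn
set fqdn "login.socialwifi.com"
next
edit "Social WiFi - wild"
set type fqdn
set fqdn "*.facebook.com"
next
end
config firewall addrgrp
edit "Social WiFi - main"
set member "Social WiFi - main 1" "Social WiFI - wild"
next
end
'''

def parse(script):
    """Return ({address name: fqdn}, {group name: [member names]})."""
    addresses, groups, table, name = {}, {}, None, None
    for raw in script.splitlines():
        tok = shlex.split(raw.strip(), comments=True)  # drops "# ..." lines
        if not tok:
            continue
        if tok[0] == "config":
            table = tok[-1]                  # "address" or "addrgrp"
        elif tok[0] == "edit" and len(tok) == 2:
            name = tok[1]
        elif tok[:2] == ["set", "fqdn"] and table == "address":
            addresses[name] = tok[2]
        elif tok[:2] == ["set", "member"] and table == "addrgrp":
            groups[name] = tok[2:]
    return addresses, groups

def audit(script, wildcard_ok=False):
    """List (kind, object, value, hint) findings; wildcard_ok=True for 6.2.2+."""
    addresses, groups = parse(script)
    known = set(addresses) | set(groups)     # groups may nest other groups
    by_lower = {n.lower(): n for n in known}
    findings = [("undefined-member", g, m, by_lower.get(m.lower()))
                for g, members in groups.items() for m in members if m not in known]
    if not wildcard_ok:
        findings += [("wildcard-fqdn", n, f, None)
                     for n, f in addresses.items() if "*" in f]
    return findings
```

An empty list from `audit` means every group member resolves to an address or group defined in the same script; the hint field names the object that differs only by letter case.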

 

An alternative approach would be to add the entries manually, using the following template:

Go to Policy & Objects → Addresses → Create New → Address

Template:

  • Name: Rule name, e.g. “Social WiFi - Facebook 1”
  • Type: FQDN
  • FQDN: Domain name, e.g. “facebook.com”

Add the following entries for each login platform you want to use:

Social WiFi (mandatory)
  • login.socialwifi.com
  • sw-login.com
Facebook
  • facebook.com
  • www.facebook.com
  • m.facebook.com
  • scontent-lhr3-1.xx.fbcdn.net
  • fbstatic-a.akamaihd.net
  • connect.facebook.net
Twitter
  • twitter.com
  • www.twitter.com
  • api.twitter.com
  • abs.twimg.com
  • abs-0.twimg.com
LinkedIn
  • linkedin.com
  • www.linkedin.com
  • touch.linkedin.com
Google
  • accounts.google.com
    • You must also add your regional domain for accounts.google.com, for example accounts.google.co.uk if you are in the UK.
  • fonts.google.com
  • ssl.gstatic.com

Go to Policy & Objects → Addresses → Create New → Address Group

  • Category: IPv4 Group
  • Group Name: “Social WiFi”
  • Members: Click and add all domains added in the previous step

Click OK to save.

5. SSID configuration

WiFi & Controller → SSID → Create New → SSID
  • Interface Name: Social WiFi
  • Type: WiFi SSID
  • Traffic Mode: Tunnel
  • IP/Network Mask: 10.8.0.1/16
  • DHCP Server: On/Green
  • Address Range: Create New
  • Starting IP: 10.8.0.2 End IP: 10.8.255.254 (should be set automatically once you specify IP/Network Mask)
  • Netmask: 255.255.0.0
  • DNS Server: Specify, 8.8.8.8
  • SSID: [name of your guest network]
  • Security Mode: Captive Portal
  • Portal Type: Authentication
  • Authentication Portal: External, http://login.socialwifi.com/
  • User Groups: Social WiFi - Guest
  • Exempt Destinations/Services: Social WiFi
  • Redirect after Captive Portal: Original request
  • Broadcast SSID: On/Green
  • Block Intra-SSID Traffic: On/Green

6. Firewall configuration

You need to allow traffic from guests using the WiFi, because the default policy is to deny all traffic.

Go to Policy & Objects → IPv4 Policy → Create New and use the following settings:

  • Name: Social WiFi Allow Guests
  • Incoming Interface: Social WiFi (the interface created in the previous step)
  • Outgoing Interface: wan1 (your WAN interface)
  • Source: all
  • Destination: all
  • Service: ALL

Click OK to save.

7. Add the device to Social WiFi Panel

  • Access your account in the Social WiFi Panel.
  • Choose the correct venue to which you would like to add the device.
  • In the “Access Points” tab, press “Add” (upper right corner), paste the MAC address you copied into the form (adding a name is optional) and click “Create”.

8. Test the solution
