HowTo ClearPass Guest1.1

This document provides a guide for setting up a guest network using FortiGate with HPE Aruba ClearPass for captive portal functionality, specifically using FortiOS 7.4.1 and ClearPass 6.11.6. It outlines the necessary configurations on both FortiGate and ClearPass, including creating a guest SSID, setting up RADIUS servers, and establishing firewall policies. Proper certificate installation is emphasized to avoid connection warnings for users accessing the guest network.


How To:
FortiGate Guest Network using HPE Aruba ClearPass for captive portal

Version  Date        Modified by                         Comments
1.0      22.12.2023  Anders Lagerqvist, Ulises Cazares   First version using FortiOS 7.4.1 and ClearPass 6.11.6
1.1      05.01.2024  Anders Lagerqvist                   Clarified portal certificates for FortiGate
FortiGate and ClearPass Guest integration

How to create a guest SSID on FortiGate with ClearPass captive portal

The goal of this document is to guide you through the steps required to implement a guest
network solution based on Fortinet FortiOS 7.4.1 using a tunneled SSID with HPE Aruba
ClearPass version 6.11.6. It is expected that this setup will remain relevant also for other
recent versions.

This document does not cover using a bridge mode SSID.

As this document does not go into all details of how to configure a FortiGate or
ClearPass, it is expected that the reader already has basic knowledge of these products.

It is a prerequisite to have proper certificates signed by a public CA (Certificate Authority)
installed on both the FortiGate and on the ClearPass guest portal to avoid client warnings
when they connect to the guest network. The certificate may be a wildcard certificate or
unique to the two devices. Failing to use a public signed certificate may cause connection
warnings and failure to successfully connect to the guest network.

www.fortinet.com 2

Required configuration on the FortiGate:

The first step is to create ClearPass as a RADIUS server (used for the MAC-caching part) and to
create the user group that ClearPass should return after successful authentication; in this
example it is "Guest-Users".


The next step is to create the SSID with the desired names and features. In this example the
FortiGate also acts as DHCP server for the guest users.

config wireless-controller vap
    edit "FortinetGuest"
        set ssid "FortinetGuest"
        set security captive-portal
        set external-web "fqdn-to-clearpass-guest-portal/guest/pagename.php"
        set mac-auth-bypass enable
        set selected-usergroups "Guest-Users"
        set security-exempt-list "FortinetGuest-exempt-list"
        set auth-cert "name-of-your-ssl-cert"
        set auth-portal-addr "fqdn-to-dns-name-of-fortigate-guest-ssid-ip"
        set schedule "always"
    next
end

Notes on the settings above: "mac-auth-bypass enable" is what allows MAC caching. The
security exempt list should allow HTTP/HTTPS, DNS and so on, so that clients can resolve and
reach the ClearPass server, together with any other services that must be reachable before
signing on to the guest network.


Another way to make sure that the FortiGate presents the correct certificate, with the right
FQDN, is to set it in the more global configuration below. If you have several SSIDs that
require different FQDNs, it is better to set it on the SSID itself as shown above.

config user setting
    set auth-cert "name-of-your-ssl-cert"
    set auth-secure-http enable
end

config firewall auth-portal
    set portal-addr "fqdn-to-dns-name-of-fortigate-guest-ssid-ip"
end

This completes the FortiGate SSID configuration, but you must also create the firewall policy
that allows the guest users to reach the ClearPass servers, the Internet, and any other
destinations after successful authentication on the ClearPass portal.
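The RADIUS server, user group, exempt list and firewall policy referred to above, collected into one FortiOS CLI block as an added example (not from the original document or from Fortinet). The ClearPass FQDN, the WAN interface name and the shared-secret placeholder are assumptions; the exempt list opens only DNS and HTTP/HTTPS towards the ClearPass portal before sign-on, and the policy grants Internet access only to members of Guest-Users.

```text
# Assumed values: ClearPass at clearpass.example.com, WAN interface wan1, secret is a placeholder
config firewall address
    edit "ClearPass-Portal"
        set type fqdn
        set fqdn "clearpass.example.com"
    next
end
config user radius
    edit "ClearPass"
        set server "clearpass.example.com"
        set secret "REPLACE-WITH-SHARED-SECRET"
    next
end
# Group name must equal the group that ClearPass returns in its enforcement profile
config user group
    edit "Guest-Users"
        set member "ClearPass"
        config match
            edit 1
                set server-name "ClearPass"
                set group-name "Guest-Users"
            next
        end
    next
end
config user security-exempt-list
    edit "FortinetGuest-exempt-list"
        config rule
            edit 1
                set service "DNS"
            next
            edit 2
                set dstaddr "ClearPass-Portal"
                set service "HTTP" "HTTPS"
            next
        end
    next
end
config firewall policy
    edit 0
        set srcintf "FortinetGuest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Guest-Users"
    next
end
```

Enable NAT on the policy if the guest subnet is not routable upstream, and keep the exempt list this narrow so an unauthenticated client reaches nothing but the portal.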

Required configuration on the ClearPass guest portal:

You need to create two services in ClearPass Policy Manager: one for MAC caching and one for
the guest registration, in that order.

This is the MAC caching service:



The role mapping shown here adds the "MAC Caching" role; the rest is the same as the regular
guest role mapping.

The enforcement policy that allows access without the captive portal when the client already
has a valid guest account is shown here:

Note that the "Guest-Users" value being sent must match the group you created on the FortiGate
earlier. The User-Name is also sent so that it is visible on the FortiGate when viewing the users.


The second service, which handles the captive portal, is shown here:

Note the NAS-IP-Address condition: the FortiGate is included in that group.

Standard guest role mapping rule:


Standard guest enforcement, which sends the "Guest-User" group to the FortiGate and updates the
account expiration time:

For the guest portal settings, choose sponsor-based registration, SMS delivery and so on as
usual. For the NAS vendor settings, the default Fortinet FortiGate entry can be used:


It is still possible to use the previously used "Custom" settings, but if so, you must add the
details in the "Extra Fields" settings like this:

Note that the "Submit URL:" is the IP or FQDN of the FortiGate guest interface. It is highly
recommended to use https and port 1003 for the captive portal; if you use http instead, ensure
that the port number used is 1000.
