
Setting up an authentication captive portal using client certificate 7.2.8

Setting up an authentication captive portal using client certificate 7.2.8

This example demonstrates the configuration of a captive portal that requires users to authenticate using a client certificate. In the example, the FortiProxy uses the Certificate Authority (CA) certificate and the client uses a client certificate signed by the same CA. The client can also use a server certificate signed by the same CA.

To configure an authentication captive portal using a client certificate:
  1. Import the CA Certificate to FortiProxy:

    1. Log in to your FortiProxy and go to System > Certificates.

    2. Click Import > CA Certificate.

    3. Upload the CA certificate and click OK.

    4. Verify that the CA certificate appears in the CA Certificate section.

  2. Enable explicit proxy to test the Captive Portal:

    config web-proxy explicit
      set status enable
      set http-incoming-port 8080
    end
    
  3. Enable the explicit web proxy and the proxy captive portal on an interface:

    config system interface
        edit "port1"
            set proxy-captive-portal enable
            set explicit-web-proxy enable
        next
    end
  4. Enable certificate captive portal and configure the captive portal to use an IP address and CA certificate for authentication:

    config authentication setting
        set captive-portal-type ip
        set captive-portal-ip 10.59.36.202
        set cert-auth enable
        set cert-captive-portal-ip 10.59.36.202
        set user-cert-ca "CA_Cert_1"
    end

    You can also configure the captive portal to use a domain (FQDN) instead of an IP address for authentication:

    config authentication setting
      set cert-auth enable
      unset cert-captive-portal-ip
      set cert-captive-portal {FQDN address}
      set user-cert-ca "CA_Cert_1"
    end
    
  5. Connect to an LDAP server and create a user group (the server address, bind DN, bind username and password shown below are example values; substitute your own):

    config user ldap
      edit "ldap60"
         set server "10.59.36.60"
        set cnid "cn"
        set dn "cn=users,dc=devqa,dc=lab"
        set type regular
        set username "LDAPAdmin"
        set password 123456
        set obtain-user-info enable
      next
    end
    config user group
      edit "grp60"
        set member "ldap60"
          config match
            edit 1
              set server-name "ldap60"
              set group-name "CN=Domain Users,CN=Users,DC=devqa,DC=lab"
            next
          end
        next
    end
    
  6. Configure an authentication scheme that uses certificate authentication:

    config authentication scheme
        edit "cert_scheme"
            set method cert
            set user-database "ldap60"
        next
    end
  7. Configure an authentication rule that uses the authentication scheme:

    config authentication rule
        edit "formx"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "cert_scheme"
            set web-auth-cookie enable <<< required for session-based authentication (ip-based is disabled above)
        next
    end
  8. Configure a firewall policy:

    config firewall policy
        edit 2
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
            set groups "grp60"
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set av-profile "default"
        next
    end

Setting up an authentication captive portal using client certificate 7.2.8

This example demonstrates the configuration of a captive portal that requires users to authenticate using a client certificate. In the example, the FortiProxy uses the Certificate Authority (CA) certificate and the client uses a client certificate signed by the same CA. The client can also use a server certificate signed by the same CA.

To configure an authentication captive portal using a client certificate:
  1. Import the CA Certificate to FortiProxy:

    1. Log in to your FortiProxy and go to System > Certificates.

    2. Click Import > CA Certificate.

    3. Upload the CA certificate and click OK.

    4. Verify that the CA certificate appears in the CA Certificate section.

  2. Enable explicit proxy to test the Captive Portal:

    config web-proxy explicit
      set status enable
      set http-incoming-port 8080
    end
    
  3. Enable the explicit web proxy and the proxy captive portal on an interface:

    config system interface
        edit "port1"
            set proxy-captive-portal enable
            set explicit-web-proxy enable
        next
    end
  4. Enable certificate captive portal and configure the captive portal to use an IP address and CA certificate for authentication:

    config authentication setting
        set captive-portal-type ip
        set captive-portal-ip 10.59.36.202
        set cert-auth enable
        set cert-captive-portal-ip 10.59.36.202
        set user-cert-ca "CA_Cert_1"
    end

    You can also configure the captive portal to use a domain (FQDN) instead of an IP address for authentication:

    config authentication setting
      set cert-auth enable
      unset cert-captive-portal-ip
      set cert-captive-portal {FQDN address}
      set user-cert-ca "CA_Cert_1"
    end
    
  5. Connect to an LDAP server and create a user group (the server address, bind DN, bind username and password shown below are example values; substitute your own):

    config user ldap
      edit "ldap60"
         set server "10.59.36.60"
        set cnid "cn"
        set dn "cn=users,dc=devqa,dc=lab"
        set type regular
        set username "LDAPAdmin"
        set password 123456
        set obtain-user-info enable
      next
    end
    config user group
      edit "grp60"
        set member "ldap60"
          config match
            edit 1
              set server-name "ldap60"
              set group-name "CN=Domain Users,CN=Users,DC=devqa,DC=lab"
            next
          end
        next
    end
    
  6. Configure an authentication scheme that uses certificate authentication:

    config authentication scheme
        edit "cert_scheme"
            set method cert
            set user-database "ldap60"
        next
    end
  7. Configure an authentication rule that uses the authentication scheme:

    config authentication rule
        edit "formx"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "cert_scheme"
            set web-auth-cookie enable <<< required for session-based authentication (ip-based is disabled above)
        next
    end
  8. Configure a firewall policy:

    config firewall policy
        edit 2
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
            set groups "grp60"
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set av-profile "default"
        next
    end