Setting up an authentication captive portal using a client certificate (FortiProxy 7.2.8)
This example demonstrates the configuration of a captive portal that requires users to authenticate with a client certificate. The FortiProxy holds the Certificate Authority (CA) certificate, and each client presents a client certificate signed by that same CA; the client can also use a server certificate signed by the same CA. The user name in the certificate is then matched against an LDAP user database, so a certificate that chains to the CA is necessary but not sufficient on its own.
To configure an authentication captive portal using a client certificate:
- Import the CA certificate to FortiProxy:
  - Log in to your FortiProxy and go to System > Certificates.
  - Click Import > CA Certificate.
  - Upload the CA certificate and click OK.
  - Verify that the CA certificate appears in the CA Certificate section. The name it is given on import (CA_Cert_1 in this example) is the name referenced later by user-cert-ca.
- Enable explicit proxy to test the captive portal:
  config web-proxy explicit
      set status enable
      set http-incoming-port 8080
  end
  - Enable explicit proxy and the captive portal on an interface:
  config system interface
      edit "port1"
          set proxy-captive-portal enable
          set explicit-web-proxy enable
      next
  end
- Enable certificate captive portal and configure the captive portal to use an IP address and the imported CA certificate for authentication:
  config authentication setting
      set captive-portal-type ip
      set captive-portal-ip 10.59.36.202
      set cert-auth enable
      set cert-captive-portal-ip 10.59.36.202
      set user-cert-ca "CA_Cert_1"
  end
  You can also configure the captive portal to use a domain name (FQDN) instead of an IP address. The FQDN must resolve, for the clients, to an address on the FortiProxy:
  config authentication setting
      set cert-auth enable
      unset cert-captive-portal-ip
      set cert-captive-portal {FQDN address}
      set user-cert-ca "CA_Cert_1"
  end
- Connect to an LDAP server and create a user group:
  config user ldap
      edit "ldap60"
          set server "10.59.36.60"
          set cnid "cn"
          set dn "cn=users,dc=devqa,dc=lab"
          set type regular
          set username "LDAPAdmin"
          set password 123456
          set obtain-user-info enable
      next
  end
  config user group
      edit "grp60"
          set member "ldap60"
          config match
              edit 1
                  set server-name "ldap60"
                  set group-name "CN=Domain Users,CN=Users,DC=devqa,DC=lab"
              next
          end
      next
  end
  The bind password is shown in clear text for the example. In production, bind with a dedicated read-only account over LDAPS (set secure ldaps and set port 636 under config user ldap) so the credentials and the user lookups are not sent in clear text.
- Configure an authentication scheme that uses certificate authentication and the LDAP server as its user database:
  config authentication scheme
      edit "cert_scheme"
          set method cert
          set user-database "ldap60"
      next
  end
- Configure an authentication rule that uses the authentication scheme. Because ip-based is disabled, the rule is session-based, so web-auth-cookie must be enabled for the authenticated session to be tracked:
  config authentication rule
      edit "formx"
          set srcaddr "all"
          set ip-based disable
          set active-auth-method "cert_scheme"
          set web-auth-cookie enable
      next
  end
- Configure a firewall policy that allows only members of the LDAP group through the explicit proxy:
  config firewall policy
      edit 2
          set proxy explicit-web
          set dstintf "port1"
          set srcaddr "all"
          set dstaddr "all"
          set service "webproxy"
          set action accept
          set schedule "always"
          set groups "grp60"
          set utm-status enable
          set ssl-ssh-profile "deep-inspection"
          set av-profile "default"
      next
  end
  The deep-inspection profile re-signs server certificates with the FortiProxy's own CA for the proxied HTTPS traffic; clients must trust that CA separately. This is unrelated to the client-certificate check at the captive portal, which is governed only by user-cert-ca.