How to set up a BYOD Guest Portal with FortiAuthenticator, FortiGate and FortiAP – Part 3

In the first part of this series, the explanation of how to configure the FortiAuthenticator with a BYOD guest portal was covered. In the second part, an explanation of how to configure the FortiGate and FortiAP to interact with this portal was covered. In this next installment of the series, the use case around device tracking and avoiding subsequent authentication on the guest portal after the initial successful authentication will be covered.

Ease of Use and Management

If a user can log in with username and password, what is the need for device tracking? Ultimately, it comes down to providing a “better” user experience for the end user and removing obstacles to help them adopt what the administrator of the network has provided. Once a user logs in initially with a username and password, all subsequent accesses to the network will occur without prompting the user for authentication credentials.

However, this particular features comes at a cost. The device tracking is done by recording the MAC Address of the device at the time of authentication. Some will see this as a potential security issue since this can easily be spoofed by a nefarious user. In most cases the risk is mitigated by isolating these users to their own subnet and preventing communication between the devices while on that guest network.

Configure FortiAuthenticator for Device Tracking

Building upon the foundation that was set in the previous article, the FortiAuthenticator configuration can be amended to allow devices that successfully authenticate to the guest portal to register their mac address.

Configure MAC Device Group

In order to facilitate this, a local ground these devices will register to needs to be created. To set this up, follow the steps below:

1. Log into the FortiAuthenticator as an administrative user

2. Navigate to the “Authentication | User Management | User Groups” section ; Click “Create new”

3. Create a new user group called “guest_devices” as the “MAC” type | Click “OK”

Once the device MAC group has been created, the portal can be augmented to enable device tracking.

Configure Device Tracking in Portal

To configure the MAC device tracking, the existing portal can be updated with the settings enable the feature. To accomplish this, follow the steps below:

1. Click “Authentication | Portals | Portals” ; Edit the previously created portal

2. In the “Edit Portal” page, enable the “Device Tracking and Management” under the “Post-Login Services” ; Enable “Place registered devices into this group” ; Select the newly created group (i.e. “guest_devices” l Click “OK”

Once the device tracking has been enabled and the corresponding group has been selected, the FortiAuthenticator can be configured for MAC Authentication Bypass (MAB) to allow previously registered devices to login without entering credentials.

Configuring FortiAuthenticator for MAC Authentication Bypass (MAB)

The MAB feature allows the FortiAuthenticator to receive the MAC address of the connecting device and perform an authentication based on the MAC address instead of the username and password. To facilitate this, the FortiAuthenticator needs to have the device that will pass the MAC address via RAIDUS authentication.

Configuring the RADIUS Client for the FortiGate

In order to receive the request to validate the MAC address, the FortiAuthenticator needs to be configured to receive the RADIUS request from the FortiGate. The initial configuration requires a RADIUS Client to be configured to receive the RADIUS request. To configure this, follow the steps below:

1. Navigate to the “Authentication | RADIUS Service | Clients” ; Click “Create New”

2. In the “Create New Authentication Client” page, create the “fortigate_wireless_controller” object; Set the “client address” to the corresponding option and populate it with the identifying information for the request; Set the shared “secret” between the FortiAuthenticator and the FortiGate; Click “OK”

At the conclusion of this section, the RADIUS client is configured but needs to be tied to a policy in order to allow RADIUS requests to be answered by the FortiAuthenticator.

Configure the Authentication Policy

Once the RADIUS client has been configured, a policy needs to be created in order to reference this client so that these RADIUS requests can be serviced. To accomplish this, follow the steps below

1. Navigate to “Authentication | RADIUS Service | Policies”; Click “Create New”

2. In the “RADIUS clients” section, set the “policy name”; select the previously created “fortigate_wireless_controllers” for the “RADIUS Clients”; Click “Next”

3. Under the “RADIUS attribute criteria”, allow the defaults to remain; Click “Next”

4. Under the “Authentication type” page; Select “MAC Authentication bypass (MAB); Click “Next”

5. Under the “Identity Source’ page; Choose “guest_devices” for the “Authorized groups”; Click “Next”

6. Under the “RADIUS response”, change the “Unauthorized” section to “Access-Reject” Click “Save and exit”

Once this has been completed, the FortiAuthenticator is ready to service authentication requests from a wireless controller based on the MAC address of the device connecting to the wireless guest network. The last step is to configure the wireless controller for MAC Authentication Bypass. The next (and final) blog article will cover this in more detail.

As for now, please let me know if you have any feedback in the comments below and as always, I hope this helps.