Thu, Sep 27, 2018 6:55 AM

Hotspot without authentication?

Hello, I have a third party Onboarding server - FortiConnect.
This server presents a login web GUI, where after authentication the user is directed to another page where they can download an onboarding app.
What I want Zonedirector to do is as follows:

- user connects to Zonedirector SSID.
- FIRST REDIRECT: Zonedirector redirects user to FortiConnect (have done this successfully with a Hotspot service)
- user authenticates on the FortiConnect website
- SECOND REDIRECT: user is redirected by FortiConnect to another FortiConnect Onboarding download website (this is where it fails for me. I think Zonedirector is expecting authentication details and will not allow another redirect until it receives them?)

So, how can I create a Zonedirector Hotspot service which redirects to FortiConnect and then allows further redirects? I do not want Zonedirector to authenticate at all.
The only reason I want the Hotspot feature is to allow auto redirect to FortiConnect. FortiConnect will then handle authentication and redirects etc. completely separate from ZoneDirector.

Responses

31 Messages

610 Points

2 years ago

Any URL you want the users to be able to access before being fully authenticated needs to be added to a walled garden. So try putting the URLs you want to redirect to in the walled garden and test this. The walled garden is provisioned on the ZD.

66 Messages

1.2K Points

2 years ago

Thank you. I have added walled garden entries but access to the second URL still fails.
My walled garden entries now include:
1. mwaklconnect1.domain.forest
2. 10.21.250.153/32 (which is the IP of mwaklconnect1.domain.forest)

So, the initial redirect which works points to:
1. https://mwaklconnect1.domain.forest/portal/MW_Onboarding_portal/10.99.0.10

Then I also need a client to be able to access:
2. https://mwaklconnect1.domain.forest/portal/MW_Onboarding_portal/preview/success

Zonedirector seems to be preventing this second URL from loading and instead just directs users back to the original URL in step 1.
Can anyone suggest how to allow the second URL to load?


222 Messages

3.6K Points

2 years ago

The only way I can think with hotspot is to set a redirect on the hotspot for post successful login. But the only way this will work is if the forticlient server can send a RADIUS accept to the ZD because this is what the ZD is expecting in a hotspot authentication.

66 Messages

1.2K Points

2 years ago

Thank you, but what about walled garden? I thought the whole purpose of walled garden was to allow access to multiple whitelisted URLs without the need for Zonedirector to receive any RADIUS accept messages?

222 Messages

3.6K Points

2 years ago

That is correct but there are 2 issues here for your use case:
1. The ZD will not do any auto redirect to walled garden addresses. It will only redirect to the authentication URL and the post authentication URL (if configured). So you will need some other way of doing the second redirect.
2. Unless the client moves to another SSID after Forticonnect authentication it will always be seen by the ZD as being in an 'unauthenticated' state (because it hasn't received RADIUS accept) so will always be blocked from internet access other than walled garden addresses.

66 Messages

1.2K Points

2 years ago

Thank you, but I am not expecting the Zonedirector to do a second redirect itself. The second redirect is initiated from my third party server. I just need Zonedirector to allow access to that site.

222 Messages

3.6K Points

2 years ago

OK, have you tried adding it as an IP instead of a URL?

What version of firmware are you using?