Hotspot without authentication ?

  • Question
  • Updated 2 months ago
Hello, I have a third party Onboarding server - FortiConnect.
This server presents a login web GUI, where after authentication the user is directed to another  page where they can download an onboarding app.
What I want Zonedirector to do is as follows:

- user connects to Zonedirector SSID. 
- FIRST REDIRECT: Zonedirector redirects user to FortiConnect (have done this successfully with a Hotspot service)
- user authenticates on the FortiConnect website
- SECOND REDIRECT: user is redirected by FortiConnect to another FortiConnect Onboarding download website (this is where it fails for me. I think Zonedirector is expecting authentication details and will not allow another redirect until it receives them ?)

So, how can I create a Zonedirector Hotspot service which redirects to FortiConnect and then allows further redirects? I do not want Zonedirector to authenticate at all.
The only reason I want the Hotspot feature is to allow auto redirect to FortiConnect. FortiConnect will then handle authentication and redirects etc. completely separate from ZoneDirector.

philip francis


Posted 3 months ago

Said Sanoussi

Any URL you want the users to be able to access before being fully authenticated needs to be added to a walled garden. So try putting the URLs you want to redirect to in the walled garden and test this. The walled garden is provisioned on the ZD.

philip francis

Thank you. I have added walled garden entries but access to the second URL still fails.
My walled garden entries now include:
1. mwaklconnect1.domain.forest
2. 10.21.250.153/32 (which is the IP of mwaklconnect1.domain.forest)

So, the initial redirect which works points to:
1. https://mwaklconnect1.domain.forest/portal/MW_Onboarding_portal/10.99.0.10

Then I also need a client to be able to access:
2. https://mwaklconnect1.domain.forest/portal/MW_Onboarding_portal/preview/success

Zonedirector seems to be preventing this second URL from loading and instead just directs users back to the original URL in step 1.
Can anyone suggest how to allow the second URL to load ?


Robert Lowe

The only way I can think with hotspot is to set a redirect on the hotspot for post successful login. But the only way this will work is if the forticlient server can send a RADIUS accept to the ZD because this is what the ZD is expecting in a hotspot authentication.

philip francis

Thank you, but what about walled garden? I thought the whole purpose of walled garden was to allow access to multiple whitelisted URLs without the need for Zonedirector to receive any RADIUS accept messages ?

Robert Lowe

That is correct but there are 2 issues here for your use case:
1. The ZD will not do any auto redirect to walled garden addresses. It will only redirect to the authentication URL and the post authentication URL (if configured). So you will need some other way of doing the second redirect.
2. Unless the client moves to another SSID after Forticonnect authentication it will always be seen by the ZD as being in an 'unauthenticated' state (because it hasn't received RADIUS accept) so will always be blocked from internet access other than walled garden addresses.

philip francis

Thank you, but I am not expecting the Zonedirector to do a second redirect itself. The second redirect is initiated from my third party server. I just need Zonedirector to allow access to that site.

Robert Lowe

OK, have you tried adding it as an IP instead of a URL?

What version of firmware are you using?