This walkthrough explains how to set up IPERA Starling integration on a FortiGate (using either a physical or VLAN interface). This applies if you are running Wi-Fi access points from a third-party vendor or if you want to extend the captive portal feature to wired clients.
⚠️ For a seamless login experience, make sure to upload a valid and trusted SSL certificate to your FortiGate controller.
Step 1 – Configure IPERA RADIUS Servers
- Log in to the FortiGate admin portal.
- Navigate to User & Device → RADIUS Servers → Create New and enter the following:
-
Name:
ipera_radius_srv - Authentication Method: Default
-
Primary IP/Name:
ip address of the radius server 01 -
Secondary IP:
ip address of the radius server 02 - Shared Secret: Provided by IPERA Support Team
- Save your settings.
-
Name:
RADIUS accounting configuration can be done via FortiGate CLI Level. Use the following commands
| Code for RADIUS Configuration |
|
config user radius edit <NAME> set server <RADIUS_SERVER_IP_ADDRESS> set secret ENC <SHARED_SECRET> set acct-interim-intervel 180 set radius-port 1812 set acct-all-servers enable config accounting-server edit <ID> set status enable set server <RADIUS_SERVER_IP_ADDRESS> set secret ENC <SHARED_SECRET> set port 1813 next end next end |
3. Go to User & Device → User Groups → Create New:
-
Name:
ipera_radius_group - Type: Firewall
-
Remote Groups: Add
ipera_radius_srv - Save the configuration.
Step 2 – Activate Captive Portal on the Interface
If you’re not using FortiAP devices, the captive portal can be applied directly on a FortiGate interface (physical or VLAN).
🔹 Because enabling captive portal forces authentication on all traffic through the interface, it’s best practice to dedicate a separate interface or VLAN for guest users.
- Go to Network → Interfaces and edit the Guest interface.
- In the Network settings section, enable Security Mode:
- Security Mode: Captive Portal
- Authentication Portal: External
- Enable Accounting and HTTPS
-
Portal URL:
ipera_captive_portal -
User Access: Restrict to group →
ipera_radius_group -
Exempt Destinations: Create an FQDN object for
*.iperawifi.com -
Redirect After Login:
ipera_captive_portal - Save the changes.
Step 3 – Set Up Security Policies
To allow unauthenticated devices to reach the captive portal, you must configure specific firewall policies.
- Navigate to Policy & Objects → IPv4 Policy.
- Create the necessary rules in the required order to ensure unauthenticated users can access the IPERA portal
Step 4 – To Avoid Web Browser Warning
Go to Authentication Settings > Disable Protocol Support HTTPS > Disable HTTP Redirect
Parameters for the Configuration
For AWS:
IPERA Radius IP Address (Primary): 35.156.39.198
IPERA Radius IP Address (Secondary): 35.156.23.166
Shared Secret: (IPERA will communicate it)
Authentication Port Number: 1812
Accounting Port Number: 1813
Portal URL: https://engage.iperawifi.com/onboarding
Redirect After Login: https://engage.iperawifi.com/onboarding?auth=success
For Azure:
IPERA Radius IP Address (Primary): 20.174.25.122
IPERA Radius IP Address (Secondary): 20.174.42.3
Shared Secret: (IPERA will communicate it)
Authentication Port Number: 1812
Accounting Port Number: 1813
Portal URL: https://me.iperawifi.com/onboarding
Redirect After Login: https://me.iperawifi.com/onboarding?auth=success
Comments
0 comments
Please sign in to leave a comment.