Configuring a captive portal
Configuring a captive portal
Captive portals are configured on network interfaces. On a physical (wired) network interface, you edit the interface configuration in System > Network > Interfaces and set Security Mode to Captive Portal. A WiFi interface does not exist until the WiFi SSID is created. You can configure a WiFi captive portal at the time that you create the SSID. Afterwards, the captive portal settings will also be available by editing the WiFi network interface in System > Network > Interfaces.
To configure a wired Captive Portal – web-based manager:
1. Go to System > Network > Interfaces and edit the interface to which the users connect.
2. In Security Mode select Captive Portal.
3. Enter
Authentication Portal Local – portal hosted on the FortiGate unit.
Remote – enter FQDN or IP address of external portal.
User Groups Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.
Use Groups from Policies is not available in WiFi captive portals.
Exempt List Select exempt lists whose members will not be subject to captive portal authentication.
Customize Portal
Messages
Enable, then select Edit. See Customizing captive portal pages on page 516.
4. Select OK.
To configure a WiFi Captive Portal – web-based manager:
1. Go to WiFi Controller > WiFi Network > SSID and create your SSID.
If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in System > Network > Interfaces.
2. In Security Mode, select Captive Portal.
3. Enter
Portal Type The portal can provide authentication and/or disclaimer, or perform user email address collection. See Introduction to Captive Portals on page 514.
Authentication Portal Local – portal hosted on the FortiGate unit.
Remote – enter FQDN or IP address of external portal.
User Groups Select permitted user groups.
Exempt List Select exempt lists whose members will not be subject to captive portal authentication.
Customize Portal Messages Click the link of the portal page that you want to modify. See “Captive portals” on page 516.
4. Select OK.
Exemption from the captive portal
A captive portal requires all users on the interface to authenticate. But some devices are not able to authenticate. You can create an exemption list of these devices. For example, a printer might need to access the Internet for firmware upgrades. Using the CLI, you can create an exemption list to exempt all printers from authentication.
config user security-exempt-list edit r_exempt
config rule edit 1
set devices printer end
end
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos
Hi
How do you set the certificate for the captive portal page? I have imported a SSL cert provide by a cert provider (QuoVadis) and set the global value :
config system global
set user-server-cert
end
But I still get a cert error message when accessing the authentication page saying that the common name on the cert does not match the URL which is the IP address. As I cant put an IP address on a cert any ideas how I can resolve this.
Thanks
Ian
Any particular reason why you are using IP over an FQDN?
how I can use captive portal using external database and web server in other word
I have developed php script & Mysql
I want user to insert username and password and send the result to fortigate to allow this user access internet ot not How can i do that
That would most likely require some API integration. The best way to use an external database for captive portal though would be adding an external RADIUS server.
thank you very much about your replay but how can I configure RADIUS Server and database and I using php script
the way which I following is in this link but I don’t know how configure Radius server and web server to work with fortigate captive portal
thank you for you replay
at now I configured radius server and the radius server connecting to fortigate successfully but I don’t know how to make external login page using php and the authentication will be in my php script or fortigate will authenticate by itself
in other word is the main task of login page to send user name and password to fortigate or there is any other task
thank you very much
this is the link
http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/
Hi,
Can I used the WIFI captive portal when my set up is as below
Fortigate >> Connect to cisco switch >> FortiAP.
My fortiAP’s are up and running but when set the SSID to captive portal, it is not working.
Regards,
Alpi
Yes, you don’t need a FortiSwitch in order to use captive portal with a FortiAP. I will need to know more about how you have things configured in order to move forward though.
Dear Mike,
I applied captive portal on my lan physical interface with an external link, but before the login page is showed, an error message indicating that ssl untrusted certified you are accessing is showed.
You have to use an SSL Cert that your computer trusts. This means either utilizing an active directory certificate for domain computers or a public cert that is tied to the domain hosting the page.
I have a google home and wanted to connect to our guest wifi with captive portal.
How do I do this?
Hi,
Is it possible to configure Fortigate Captive Portal using Ubiquity Access Point? I follow the next video https://www.youtube.com/watch?v=XLHhw5ND8vU, but the video showed a FortiAP scenario.
Thank you.
Hi
With Captive Portal, is it possible to make Identity Collction in order to create user-based rules? If so, how?
Regards
I want o configure Guest-Wifi in my Fortinet 201E , but using self provisioning method, as in client must get page of fortinet where he can put his details like Name, company, email add , and he can receive OTP on his mail ID for Internet access