Configuring a captive portal

Captive portals are configured on network interfaces. On a physical (wired) network interface, you edit the interface configuration in System > Network > Interfaces and set Security Mode to Captive Portal. A WiFi interface does not exist until the WiFi SSID is created. You can configure a WiFi captive portal at the time that you create the SSID. Afterwards, the captive portal settings will also be available by editing the WiFi network interface in System > Network > Interfaces.

 

To configure a wired Captive Portal – web-based manager:

1. Go to System > Network > Interfaces and edit the interface to which the users connect.

2. In Security Mode select Captive Portal.

3. Enter the following settings:

Authentication Portal: Local – portal hosted on the FortiGate unit. Remote – enter FQDN or IP address of external portal.

User Groups: Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy. Use Groups from Policies is not available in WiFi captive portals.

Exempt List: Select exempt lists whose members will not be subject to captive portal authentication.

Customize Portal Messages: Enable, then select Edit. See Customizing captive portal pages on page 516.

4. Select OK.

 

To configure a WiFi Captive Portal – web-based manager:

1. Go to WiFi Controller > WiFi Network > SSID and create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in System > Network > Interfaces.

2. In Security Mode, select Captive Portal.

3. Enter the following settings:

Portal Type: The portal can provide authentication and/or disclaimer, or perform user email address collection. See Introduction to Captive Portals on page 514.

Authentication Portal: Local – portal hosted on the FortiGate unit. Remote – enter FQDN or IP address of external portal.

User Groups: Select permitted user groups.

Exempt List: Select exempt lists whose members will not be subject to captive portal authentication.

Customize Portal Messages: Click the link of the portal page that you want to modify. See “Captive portals” on page 516.

4. Select OK.

 

Exemption from the captive portal

A captive portal requires all users on the interface to authenticate. But some devices are not able to authenticate. You can create an exemption list of these devices. For example, a printer might need to access the Internet for firmware upgrades. Using the CLI, you can create an exemption list to exempt all printers from authentication.

config user security-exempt-list
    edit r_exempt
        config rule
            edit 1
                set devices printer
        end
end
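
Because every exempt list is a path around portal authentication, it is worth reviewing which interfaces reference which lists. The following is an added example, not from the original page or from Fortinet: it parses a configuration backup and reports, per captive-portal interface, the exempt lists and the device types they let through. The `config system interface` attribute names (`security-mode`, `security-exempt-list`), the interface names and the sample text are assumptions; only the `r_exempt` list comes from the page.

```python
import shlex

# Constructed sample backup. Interface attribute names are assumed; r_exempt is the page's list.
SAMPLE = """
config system interface
    edit "port2"
        set security-mode captive-portal
        set security-exempt-list "r_exempt"
    next
    edit "port4"
        set ip 10.0.4.1 255.255.255.0
    next
end
config user security-exempt-list
    edit r_exempt
        config rule
            edit 1
                set devices printer
        end
end
"""

def parse_config(text):
    """Parse nested config/edit/set blocks into dicts; 'end' may close an open edit."""
    stack = [("config", {})]
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            child = stack[-1][1].setdefault(" ".join(tok[1:]), {})
            stack.append((tok[0], child))
        elif tok[0] == "set":
            stack[-1][1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            if stack[-1][0] == "edit":
                stack.pop()   # close the open table entry
            if tok[0] == "end":
                stack.pop()   # close the enclosing config block
    return stack[0][1]

def exempt_devices(cfg, list_name):  # device types a named exempt list lets through
    rules = cfg.get("user security-exempt-list", {}).get(list_name, {}).get("rule", {})
    return sorted(d for r in rules.values() for d in r.get("devices", []))

def portal_report(cfg):  # captive-portal interface -> {exempt list: device types}
    report = {}
    for name, intf in cfg.get("system interface", {}).items():
        if intf.get("security-mode") == ["captive-portal"]:
            lists = intf.get("security-exempt-list", [])
            report[name] = {l: exempt_devices(cfg, l) for l in lists}
    return report
```

Calling `portal_report(parse_config(SAMPLE))` returns only `port2`, with `r_exempt` resolved to the `printer` device type.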



15 thoughts on “Configuring a captive portal”

  1. Ian

    Hi
    How do you set the certificate for the captive portal page? I have imported an SSL cert provided by a cert provider (QuoVadis) and set the global value:
    config system global
    set user-server-cert
    end
    But I still get a cert error message when accessing the authentication page saying that the common name on the cert does not match the URL, which is the IP address. As I can't put an IP address on a cert, any ideas how I can resolve this?
    Thanks
    Ian

  2. Muhamad

    How can I use captive portal using an external database and web server? In other words,
    I have developed a PHP script & MySQL.
    I want the user to insert a username and password and send the result to FortiGate to allow this user to access the internet or not. How can I do that?

    1. Mike Post author

      That would most likely require some API integration. The best way to use an external database for captive portal though would be adding an external RADIUS server.

      1. Muhammad

        Thank you very much for your reply, but how can I configure the RADIUS server and database? I am using a PHP script.
        The way which I am following is in this link, but I don’t know how to configure the RADIUS server and web server to work with FortiGate captive portal.

      2. muhammad

        Thank you for your reply.
        I have now configured the RADIUS server and it is connecting to FortiGate successfully, but I don’t know how to make an external login page using PHP, and whether the authentication will be in my PHP script or FortiGate will authenticate by itself.
        In other words, is the main task of the login page to send the username and password to FortiGate, or is there any other task?
        Thank you very much.

  3. Alfie

    Hi,
    Can I use the WiFi captive portal when my setup is as below?
    FortiGate >> Connect to Cisco switch >> FortiAP.
    My FortiAPs are up and running, but when I set the SSID to captive portal, it is not working.

    Regards,
    Alpi

    1. Mike Post author

      Yes, you don’t need a FortiSwitch in order to use captive portal with a FortiAP. I will need to know more about how you have things configured in order to move forward though.

  4. Ivan

    Dear Mike,

    I applied captive portal on my LAN physical interface with an external link, but before the login page is shown, an error message is shown indicating that the SSL certificate you are accessing is untrusted.

    1. Mike Post author

      You have to use an SSL Cert that your computer trusts. This means either utilizing an active directory certificate for domain computers or a public cert that is tied to the domain hosting the page.

  5. Fatih

    Hi
    With Captive Portal, is it possible to make Identity Collection in order to create user-based rules? If so, how?

    Regards

  6. kandy

    I want to configure Guest-WiFi on my Fortinet 201E, but using a self-provisioning method, as in the client must get a Fortinet page where he can put his details like name, company, email address, and he can receive an OTP on his mail ID for Internet access.
