Configuring WiFi captive portal security – FortiGate captive portal
The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.
To configure a WiFi Captive Portal – web-based manager:
- Go to WiFi & Switch Controller > SSID and create your SSID.
If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
- In Security Mode, select Captive Portal.
- Enter
Portal Type | The portal can provide authentication and/or disclaimer, or perform user email address collection. See Defining a wireless network interface (SSID) on page 45. | |
Authentication Portal | Local | |
User Groups | Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy. | |
Exempt List | Select exempt lists whose members will not be subject to captive portal authentication. | |
Customize Portal Messages | Click the link of the portal page that you want to modify. For more information see the Captive Portal chapter of the Authentication Guide. | |
- Select OK.
Configuring WiFi captive portal security – external server
An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.
On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data magic=session_id&username=<username>&password=<password>.
(The magic value was provided in the initial FortiGate request to the web server.)
To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:
config user setting set auth-secure-http enable
end
To configure use of an external WiFi Captive Portal – web-based manager:
- Go to WiFi & Switch Controller > SSIDand create your SSID.
If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
- In Security Mode, select Captive Portal.
- Enter
Portal Type | The portal can provide authentication and/or disclaimer, or perform user email address collection. |
Authentication Portal | External – enter the FQDN or IP address of the external portal. Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL. |
User Groups | Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy. |
Exempt List | Select exempt lists whose members will not be subject to captive portal authentication. |
Redirect after Captive Portal | Original Request
Specific URL – enter URL |
SSID Groups
- Select OK.