Configuring a captive portal
Captive portals are configured on network interfaces. On a physical (wired) network interface, you edit the interface configuration in Network > Interfaces and set Security Mode to Captive Portal. A WiFi interface does not exist until the WiFi SSID is created. You can configure a WiFi captive portal at the time that you create the SSID. Afterwards, the captive portal settings will also be available by editing the WiFi network interface in Network > Interfaces.
Configuring a captive portal
To configure a wired Captive Portal – web-based manager:
- Go to Network > Interfaces and edit the interface to which the users connect.
- In Security Mode select Captive Portal.
- Enter
Authentication Portal | Local – portal hosted on the FortiGate unit.
Remote – enter FQDN or IP address of external portal. |
User Groups | Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.
Use Groups from Policies is not available in WiFi captive portals. |
Exempt List | Select exempt lists whose members will not be subject to captive portal authentication. |
Customize Portal Messages | Enable, then select Edit. See Customizing captive portal pages on page 101. |
- Select OK.
To configure a WiFi Captive Portal – web-based manager:
- Go to WiFi & Switch Controller > SSID and create your SSID.
If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
- In Security Mode, select Captive Portal.
- Enter
Portal Type | The portal can provide authentication and/or disclaimer, or perform user email address collection. See Introduction to Captive portals on page 99. |
Authentication Portal | Local – portal hosted on the FortiGate unit.
Remote – enter FQDN or IP address of external portal. |
User Groups | Select permitted user groups. |
Exempt List | Select exempt lists whose members will not be subject to captive portal authentication. |
Customize Portal Messages | Click the link of the portal page that you want to modify. See “Captive portals” on page 101. |
- Select OK.
Exemption from the captive portal
A captive portal requires all users on the interface to authenticate. But some devices are not able to authenticate. You can create an exemption list of these devices. For example, a printer might need to access the Internet for firmware upgrades. Using the CLI, you can create an exemption list to exempt all printers from authentication.
config user security-exempt-list edit r_exempt config rule edit 1 set devices printer
end end