Captive portals

Configuring a captive portal

Captive portals are configured on network interfaces. On a physical (wired) network interface, you edit the interface configuration in Network > Interfaces and set Security Mode to Captive Portal. A WiFi interface does not exist until the WiFi SSID is created. You can configure a WiFi captive portal at the time that you create the SSID. Afterwards, the captive portal settings will also be available by editing the WiFi network interface in Network > Interfaces.

Configuring a captive portal

To configure a wired Captive Portal – web-based manager:

  1. Go to Network > Interfaces and edit the interface to which the users connect.
  2. In Security Mode select Captive Portal.
  3. Enter
Authentication Portal Local – portal hosted on the FortiGate unit.

Remote – enter FQDN or IP address of external portal.

User Groups Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

Use Groups from Policies is not available in WiFi captive portals.

Exempt List Select exempt lists whose members will not be subject to captive portal authentication.
Customize Portal Messages Enable, then select Edit. See Customizing captive portal pages on page 101.
  1. Select OK.

To configure a WiFi Captive Portal – web-based manager:

  1. Go to WiFi & Switch Controller > SSID and create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

  1. In Security Mode, select Captive Portal.
  2. Enter
Portal Type The portal can provide authentication and/or disclaimer, or perform user email address collection. See Introduction to Captive portals on page 99.
Authentication Portal Local – portal hosted on the FortiGate unit.

Remote – enter FQDN or IP address of external portal.

User Groups Select permitted user groups.
Exempt List Select exempt lists whose members will not be subject to captive portal authentication.
Customize Portal Messages Click the link of the portal page that you want to modify. See “Captive portals” on page 101.
  1. Select OK.

Exemption from the captive portal

A captive portal requires all users on the interface to authenticate. But some devices are not able to authenticate. You can create an exemption list of these devices. For example, a printer might need to access the Internet for firmware upgrades. Using the CLI, you can create an exemption list to exempt all printers from authentication.

config user security-exempt-list edit r_exempt config rule edit 1 set devices printer

end end

This entry was posted in FortiGate, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.