Adding a My Captive Portal SSID to a FortiAP network
Use this procedure to add a My Captive Portal SSID to a FortiAP network. In this procedure, you are required to create your own captive portal page.
If you prefer to use and customize an existing captive portal page, then go to the Adding a FortiAP Cloud captive portal SSID to a FortiAP network procedure instead.
- Complete the Creating the My Captive Portal page procedure.
- If you want to use the MAC access control, make sure to import MAC addresses (see the Configuring MAC access control and MAC filtering procedure).
- Choose and set up one of the following sign on methods:
- If you want to apply a QoS profile, make sure that the QoS profile exists (see the Adding a QoS profile procedure).
- If you want the SSID to be available to APs with specific tags only, make sure that the AP tags exist (see the Adding AP tags procedure).
- If you want to block intra-SSID traffic, and customize radio and rate optional settings, then purchase a FAP Advanced Management License.
- On the FortiAP Cloud Home page, select the FortiAP network to which you want to add a WPA2 Personal SSID.
- In the Menu bar, click Configure.
- In the Navigation pane, click SSIDs.
- Click Add SSID.
- Complete the following fields:
Type a name for this wireless network. Clients use this name to find and connect to this wireless network.
Select to have the SSID active.
Select to broadcast the SSID. All wireless clients within range can see the SSID when they scan for available networks.
MAC Access Control
Select to allow clients identified in the MAC address import list to connect to that SSID.
Fail Through Mode. This mode is available if you select the Open authentication. If you select the Fail Through Mode, then the following applies:
- If a client is not in the MAC address import list, then the client must pass captive-portal authentication to access the internet.
- If a client is in the MAC address import list, then the client can bypass the captive-portal authentication and access the internet directly.
Select to enable the mesh link.
Select Open or WPA2-Personal.
If you select WPA2-Personal, then type a password. This password must contain from 8 to 63 characters. Characters can be any combination of upper and lower case letters, numbers, punctuation marks, and symbols.
Select My Captive Portal.
Captive Portal URL
Type the URL of your captive portal page.
Select one of the following:
- Original Request:
- Specific URL:
The walled garden is a list of web domains that users can access before completing the authentication process.
You can type an IP address, domain name, and subnetwork address/mask.
Separate multiple entries with a comma.
Sign on Method
Select one of the following:
- Click Through: Users go to the captive portal page and click Continue to gain access to the wireless network. Users do not type a username and password.
- My RADIUS Server: Make sure to whitelist FortiAPCloud server (IP: 184.108.40.206) as a client to access the RADIUS server.
- FortiAPCloud user/group: Select a configured FortiAP Cloud group.
AP as RADIUS client
The FortiAP acts as a RADIUS client and sends accounting information to the configured RADIUS server.
This configuration parameter is applicable ONLY when the SSID operates in the OPEN security mode with external captive portal and RADIUS authentication and accounting parameters.
When AP as RADIUS client is enabled, the FortiAP redirects clients to the configured external captive portal, collects credentials and performs RADIUS authentication and accounting. When disabled (default), the legacy functionality continues where the FortiAP redirects all clients to a centralized FortiAP Cloud which then redirects them to the configured external captive portal.
When you enable AP as RADIUS Client, the following parameters become configurable.
- Secure HTTP - Secure HTTP is used to post credentials from the configured external captive portal web server to the FortiAP. This is disabled by default.
- Session Interval - The time interval after which the captive portal authentication session is invalidated and the user is required to log in again. The valid range for the session interval is 0 - 864000 seconds, 0 (default) indicates that the user is never logged out.
Note: This feature is supported on FAP-S and FAP-W2 models with firmware versions 6.2 and 6.4.
RADIUS Acct Settings
Select the RADIUS profile for accounting.
CoA is also supported and can be enabled in RADIUS Accounting profile.
Select Bridge or NAT.
If you choose NAT, then complete the following:
- Local LAN: Select Allow or Deny.
- IP/Network Mask: Type the IP address and network mask of the SSID.
- DHCP Lease Time: Default is 3600 seconds (or one hour).
If you want to apply a QoS profile that you have already created, select it from the list.
If the IP assignment is Bridge, you can type the ID of the VLAN for your wireless network (SSID).
Default is 0 for non-VLAN operation.
With a FortiAP advanced management license, you can enable the following advanced settings:
Airtime Fairness Weight (%)
Wi-Fi has a natural tendency for clients farther away or clients at lower data rates to monopolize the airtime and drag down the overall performance. Airtime Fairness (ATF) helps to improve the overall network performance.
Airtime Fairness is configured per SSID, each SSID is granted airtime according to the configured allocation. It is configurable on both 2.4 GHz and 5 GHz radios.
Data frames that exceed the configured % allocation are dropped. Enable Airtime Fairness when creating a Platform profile.
Applicable only on downlink traffic.
Applicable only on data, management and control functions are excluded.
Applicable on all types of SSIDs; Tunnel, Bridge and Mesh.
Applicable on all authentication modes.
Airtime Fairness is supported with FOS 6.2.0 and on all Smart (FortiAP-S) W2 models and FAP (FortiAP) W2 models.
Note: Enable ATF processing on desired radios in AP Platform Profile.
- Block intra-SSID traffic
- Tunnel Settings
Select Tunnel Profile to add an existing GRE/L2TP Tunnel profile.
FortiAP Cloud supports tunnel redundancy. When the primary tunnel goes down, data traffic is automatically redirected to the secondary or the standby tunnel. Select the Primary Tunnel Profile and the Secondary Tunnel Profile. For more information, see Adding a Tunnel profile.
Tunnel Echo Interval: The time interval to send echo requests to primary and secondary tunnel peers. The valid range is 1 to 65535 seconds; default is 300 seconds.
- Tunnel Fallback Interval: The time interval for secondary tunnel to fall back to the primary tunnel once it is active. The valid range is 1 to 65535 seconds; default is 7200 seconds.
- DHCP Option 82
DHCP option 82 (DHCP relay information) secures wireless networks served by FortiAPs against vulnerabilities that facilitate DHCP IP address starvation and spoofing/forging of IP and MAC addresses. The Circuit ID and Remote ID parameters enhance this security mechanism by allowing the FortiAP to include specific AP and client device information into the DHCP request packets. Both these options are disabled by default.
The DHCP server can use the location of a DHCP client when assigning IP addresses or other parameters.
Note: This feature is supported with FOS 6.2.0 and above.
Circuit ID: The AP information is inserted in the following formats:
- Style-1: ASCII string composed in the format <AP MAC address>;<SSID>;<SSID-TYPE>. For example, " 00:12:F2:00:00:59;SSID12;Bridge".
- Style-2: ASCII string composed of the AP MAC address. For example, "00:12:F2:00:00:59".
Style-3: ASCII string composed in the format <Network-Type:WTPProfile-Name:VLAN:SSID:AP-Model:AP-Hostname:AP-MAC address>. For example, "WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E: 00:12:F2:00:00:59".
Remote ID: The MAC address of the client device is inserted in the following format:
Style-1 - ASCII string composed of the client MAC address. For example, "00:12:F2:00:00:59".
- Radio and Rates Optional Settings
- To go to Security, click Next .
- If the FortiAP model supports security features, then select the ones you want to enable.
- To go to Availability, click Next .
- Complete the following fields:
Select which radios you want to be active.
Select whether you want the SSID to be available to all APs or APs with specific tags.
Select a schedule for when the SSID is available.
- To go to Preview, click Next .
- Review the summary. If you need to make changes, click Prev.
- To complete the changes, click Apply.
- You can now go to the Deploying a FortiAP device to a FortiAP network procedure.