FortiWiFi and FortiAP Configuration Guide

Captive Portal Security

Captive portal security provides an access point that initially appears open: the wireless client can associate with the SSID without any security credentials. The AP responds to the client's first HTTP request with a web page requesting a username and password. Until the user enters valid credentials, no traffic beyond the AP is permitted, other than what is needed to reach the portal page and any destinations covered by an exempt list. Because the SSID itself is open, there is no link-layer encryption; anything a client sends over plain HTTP can be read by anyone in radio range, so the portal exchange must be protected at a higher layer (HTTPS).

The captive portal can be hosted on the FortiGate unit, or externally. For details see

Configuring WiFi captive portal security - FortiGate captive portal

Configuring WiFi captive portal security - external server

Configuring WiFi captive portal security - FortiGate captive portal

The built-in FortiGate captive portal is simpler to deploy than an external portal, and its pages can be customized if needed.

To configure a WiFi Captive Portal - GUI:
  1. Go to WiFi and Switch Controller > SSIDs and create your SSID.
    If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
  2. In Security Mode, select Captive Portal.
  3. Enter the following settings:

    Portal Type

    The portal can provide authentication and/or a disclaimer, or collect user email addresses.

    Authentication Portal

    Local

    User Groups

    Select the permitted user groups, or select Use Groups from Policies to permit the groups specified in the security policy.

    Exempt List

    Select the exempt lists whose members will not be subject to captive portal authentication.

    Customize Portal Messages

    Click the link of the portal page that you want to modify. For more information, see the Captive Portal chapter of the Authentication Guide.

  4. Select OK.

Configuring WiFi captive portal security - external server

An external captive portal is a web page on a web server. The essential part of the portal page is a script that gathers the user's login credentials and sends the FortiGate a specifically formatted POST message. The page can also contain links to local information such as legal notices and terms of service. Until the user authenticates, nothing else is reachable; this is sometimes called a "walled garden".

On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth as POST data
magic=session_id&username=<username>&password=<password>.
The magic value is the session identifier the FortiGate included in its initial request to the web server; the portal must pass it back unchanged, because the FortiGate uses it to tie the submitted credentials to the client's session. The port shown is the default authentication port; if auth-http-port or auth-https-port under config user setting has been changed, use the configured value (show user setting displays it).
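The server-side logic of such a portal page, as an added example that is not Fortinet's code and not part of this guide. It parses the magic value out of the URL the client was redirected to, refuses to render a form when that value is missing or malformed, and emits a login form whose field names and POST target are the ones described above. The FortiGate address 192.0.2.1, the portal host portal.example.com and the sample URLs are assumptions for illustration.

```javascript
// Added example, not Fortinet's code: the logic of an external captive portal
// page, written as plain Node.js functions. Assumptions (not from the guide):
// the FortiGate redirects the client to this page with `magic` in the query
// string, the portal operator knows the FortiGate's address, and the portal
// itself is served over HTTPS.

const FGT_IP = "192.0.2.1";                            // assumed FortiGate address
const FGTAUTH_URL = `https://${FGT_IP}:1000/fgtauth`;  // POST target named in the guide

// Pull the magic session id out of the URL the client arrived with.
// Returns null when it is missing or malformed: a login form without a valid
// magic can never authenticate, so it is better to refuse than to render it.
function extractMagic(redirectUrl) {
  let url;
  try {
    // Base URL (assumed portal host) lets a path-only req.url be parsed too.
    url = new URL(redirectUrl, "https://portal.example.com");
  } catch (e) {
    return null;
  }
  const magic = url.searchParams.get("magic");
  // The value is opaque to the portal; accept only a conservative character
  // set so it cannot carry markup into the rendered form.
  if (!magic || !/^[A-Za-z0-9]{1,64}$/.test(magic)) return null;
  return magic;
}

// Escape a string for safe embedding inside an HTML attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the login form. The browser POSTs straight to the FortiGate, so the
// portal server never handles the password; the field names are the ones
// /fgtauth expects (magic, username, password).
function renderLoginForm(magic) {
  return [
    `<form method="POST" action="${FGTAUTH_URL}" autocomplete="off">`,
    `  <input type="hidden" name="magic" value="${escapeHtml(magic)}">`,
    `  <label>Username <input name="username" required></label>`,
    `  <label>Password <input name="password" type="password" required></label>`,
    `  <button type="submit">Log in</button>`,
    `</form>`,
  ].join("\n");
}

// Decide the HTTP response for one portal request, given its URL.
function handlePortalRequest(redirectUrl) {
  const magic = extractMagic(redirectUrl);
  if (magic === null) {
    return {
      status: 400,
      body: "<p>Missing or invalid session token. Reconnect to the network and try again.</p>",
    };
  }
  return { status: 200, body: renderLoginForm(magic) };
}
```

To serve it, hand `req.url` to `handlePortalRequest` inside an `http.createServer` callback and write the returned status and body with a `text/html` content type. The FortiGate may include other parameters in its redirect besides magic; this example ignores them, and the portal host should be served over HTTPS and reachable by clients before they authenticate.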

With plain HTTP the credentials cross the open SSID in clear text. To ensure that credentials are communicated securely, enable HTTPS for authentication on the FortiGate (and serve the portal page itself over HTTPS):

config user setting

set auth-secure-http enable

end

To configure use of an external WiFi Captive Portal - GUI:
  1. Go to WiFi and Switch Controller > SSIDs and create your SSID.
    If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
  2. In Security Mode, select Captive Portal.
  3. Enter the following settings:

    Portal Type

    The portal can provide authentication and/or a disclaimer, or collect user email addresses.

    Authentication Portal

    External - enter the FQDN or IP address of the external portal. Typically, this is the URL of the script that serves the login page. Do not include the protocol (http:// or https://) part of the URL.

    User Groups

    Select the permitted user groups, or select Use Groups from Policies to permit the groups specified in the security policy.

    Exempt List

    Select the exempt lists whose members will not be subject to captive portal authentication. Unauthenticated clients must still be able to resolve and reach the external portal server, otherwise the login page never loads; verify this from a fresh client before going live.

    Redirect after Captive Portal

    Original Request - return the user to the page that was originally requested.

    Specific URL - enter the URL to send the user to after a successful login.

  4. Select OK.
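The CLI equivalent of the two GUI procedures above, as an added example rather than text from this guide. It configures one SSID with the built-in portal and a second with the external portal described earlier, and enables HTTPS for the authentication exchange. The SSID names, user group, exempt list, portal host and redirect URL are placeholders, and the option names are the FortiOS wireless-controller vap settings as I know them; confirm them in your release with ? at the CLI before relying on them. Lines starting with # are annotations, not CLI input.

```text
# Built-in FortiGate portal: authenticate against a local user group,
# skip authentication for members of the exempt list.
config wireless-controller vap
    edit "guest-local"
        set ssid "Guest-Local"
        set security captive-portal
        set portal-type auth
        set selected-usergroups "guest-users"
        set security-exempt-list "guest-exempt"
    next
# External portal: same authentication flow, but the login page is served
# by portal.example.com (no protocol prefix), and successful users are sent
# to a fixed welcome page instead of their original request.
    edit "guest-external"
        set ssid "Guest-External"
        set security captive-portal
        set portal-type auth
        set external-web "portal.example.com/login"
        set selected-usergroups "guest-users"
        set security-exempt-list "guest-exempt"
        set security-redirect-url "https://www.example.com/welcome"
    next
end

# Serve /fgtauth over HTTPS so credentials do not cross the open SSID in
# clear text. Check the resulting ports with: show user setting
config user setting
    set auth-secure-http enable
end
```

After applying this, connect an unauthenticated client to each SSID and confirm that the first HTTP request is redirected to the portal, that the external portal host is reachable before login, and that the credential POST goes to an https URL.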
