Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiWiFi and FortiAP Configuration Guide

    Home FortiAP / FortiWiFi 7.0.4 FortiWiFi and FortiAP Configuration Guide
    7.0.4
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.1
    7.2.0
    7.0.4
    7.0.2
    7.0.1
    7.0.0
    6.4.6
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.2
    6.2.0
    6.0.5
    6.0.4
    6.0.3
    5.6.4
    5.4.3

    Captive Portal Security

    Captive Portal Security

    Captive portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client’s first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.

    The captive portal can be hosted on the FortiGate unit, or externally. For details see

    Configuring WiFi captive portal security - FortiGate captive portal

    Configuring WiFi captive portal security - external server

    Configuring WiFi captive portal security - FortiGate captive portal

    The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.

    To configure a WiFi Captive Portal - GUI:
    1. Go to WiFi and Switch Controller > SSIDs and create your SSID.
      If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
    2. In Security Mode, select Captive Portal.
    3. Enter

      4. Portal Type

      The portal can provide authentication and/or disclaimer, or perform user email address collection.

      Authentication Portal

      Local

      User Groups

      Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

      Exempt List

      Select exempt lists whose members will not be subject to captive portal authentication.

      Customize Portal Messages

      Click the link of the portal page that you want to modify. For more information see the Captive Portal chapter of the Authentication Guide.
    4. Select OK.

    Configuring WiFi captive portal security - external server

    An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.

    On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data
    magic=session_id&username=<username>&password=<password>.
    (The magic value was provided in the initial FortiGate request to the web server.)

    To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

    config user setting

    set auth-secure-http enable

    end

    To configure use of an external WiFi Captive Portal - GUI:
    1. Go to WiFi and Switch Controller > SSIDs and create your SSID.
      If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
    2. In Security Mode, select Captive Portal.
    3. Enter

      4. Portal Type

      The portal can provide authentication and/or disclaimer, or perform user email address collection.

      Authentication Portal

      External - enter the FQDN or IP address of the external portal. Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.

      User Groups

      Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

      Exempt List

      Select exempt lists whose members will not be subject to captive portal authentication.

      Redirect after Captive Portal

      Original Request

      Specific URL - enter URL
    4. Select OK.
    Previous
    Next

    More Links

    Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external captive portal on Bridge mode SSID
    Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external captive portal on Tunnel mode SSID

    Captive Portal Security

    Captive Portal Security

    Captive portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client’s first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.

    The captive portal can be hosted on the FortiGate unit, or externally. For details see

    Configuring WiFi captive portal security - FortiGate captive portal

    Configuring WiFi captive portal security - external server

    Configuring WiFi captive portal security - FortiGate captive portal

    The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.

    To configure a WiFi Captive Portal - GUI:
    1. Go to WiFi and Switch Controller > SSIDs and create your SSID.
      If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
    2. In Security Mode, select Captive Portal.
    3. Enter

      4. Portal Type

      The portal can provide authentication and/or disclaimer, or perform user email address collection.

      Authentication Portal

      Local

      User Groups

      Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

      Exempt List

      Select exempt lists whose members will not be subject to captive portal authentication.

      Customize Portal Messages

      Click the link of the portal page that you want to modify. For more information see the Captive Portal chapter of the Authentication Guide.
    4. Select OK.

    Configuring WiFi captive portal security - external server

    An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.

    On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data
    magic=session_id&username=<username>&password=<password>.
    (The magic value was provided in the initial FortiGate request to the web server.)

    To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

    config user setting

    set auth-secure-http enable

    end

    To configure use of an external WiFi Captive Portal - GUI:
    1. Go to WiFi and Switch Controller > SSIDs and create your SSID.
      If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
    2. In Security Mode, select Captive Portal.
    3. Enter

      4. Portal Type

      The portal can provide authentication and/or disclaimer, or perform user email address collection.

      Authentication Portal

      External - enter the FQDN or IP address of the external portal. Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.

      User Groups

      Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

      Exempt List

      Select exempt lists whose members will not be subject to captive portal authentication.

      Redirect after Captive Portal

      Original Request

      Specific URL - enter URL
    4. Select OK.
    Previous
    Next