Captive portal policies
There are two types of captive portal policies:
- Allow captive portal access: Presents a captive portal login page when end-users' HTTP requests contain parameters or values that meet the pre-defined criteria.
- Deny captive portal access: Blocks end-users from accessing a captive portal login page if their HTTP request contains parameters or values that meet the pre-defined criteria.
To configure an allow access captive portal policy:
- Go to Authentication > Portals > Policies, click Captive portals and Create New.
The Captive Portal Policy Creation Wizard is launched.
- Enter the following information:
Policy type: Specify the name and type of the portal policy.
- Name: Enter a name for the policy.
- Description: Optionally, enter a description of the policy.
- Type: Select Allow captive portal access and choose a portal.
Portal selection criteria: Specify the criteria that must be met for this captive portal to be presented to an end user.
- Additional source criteria: Redirects to this captive portal must contain parameters that meet all of the criteria listed here. For example, a condition that restricts the portal to users from the subnet 192.168.1.0/24 would be:
  - HTTP parameter = userip
  - Operator = [ip]in_range
  - Value = 192.168.1.0/24
- Access points: Select the access points used to access the captive portal.
- RADIUS clients: Select the RADIUS clients to associate with this portal policy.
Authentication type: Specify the type of end-user authentication used by the portal.
- Authentication type: Select either Password/OTP or MAC authentication.
  - Password/OTP Authentication: Selected by default, this option requires authentication with user account credentials (local or remote) or with social site credentials:
    - Local/remote user: Credentials are verified against one of the local or remote user accounts.
    - Social users: Authentication with social site credentials (OAuth), phone number, or email. Successful authentication creates a social user account containing details about the third-party account.
  - MAC Authorization: The access point/NAS can attempt MAC authentication bypass (MAB) before redirecting to the captive portal. If MAB succeeds, the access point/NAS grants network access without redirecting to the captive portal.
Identity sources: Specify the identity sources against which to authenticate end users.
- Username format: Select one of the following three username input formats:
  - username@realm
  - realm\username
  - realm/username
  This setting is only available for Password/OTP Authentication.
- Realms: Add realms to which the client will be associated.
  - Select a realm from the dropdown menu in the Realm column.
  - Select whether or not to allow local users to override remote users for the selected realm.
  - Select whether or not to use Windows AD domain authentication.
  - Edit the group filter as needed to filter users based on the groups they are in.
  - If necessary, add more realms to the list.
  - Select the realm that will be the default realm for this client.
  This setting is only available for Password/OTP Authentication.
- Authorized redirects: Enable authorized redirects to social platforms and specify whether phone or email verification is required.
  This setting is only available for Password/OTP Authentication when Social Users is enabled in Authentication type.
Authentication factors: Specify which authentication factors to verify.
- Authentication type: Select one of the following:
  - Mandatory two-factor authentication: Two-factor authentication is required for every user.
  - Verify all configured authentication factors: Two-factor authentication is required if it is enabled on the user's account; otherwise, one-factor authentication is allowed.
  - Password-only authentication: Authenticate users through password verification only. User accounts for which password authentication is disabled cannot be authenticated.
  - Token-only authentication: Authenticate users through token verification only. User accounts for which token authentication is disabled cannot be authenticated.
  This setting is only available for Password/OTP Authentication.
- Allow FortiToken Mobile push notifications: Toggle FTM Push notifications on or off for RADIUS users. This setting is controlled here per RADIUS client only, not for specific users.
  This setting is only available for Password/OTP Authentication.
- MAC address parameter: Select the MAC address parameter.
- Reject usernames containing uppercase letters: Enable this setting to reject usernames that contain uppercase letters.
  This setting is only available for Password/OTP Authentication.
- Restrict access based on end-user MAC address: Select the authorized MAC device groups. Authorized groups must first be created under Authentication > User Management > User Groups, where the Type is MAC.
RADIUS response: Specify the content of the RADIUS authentication response based on the outcome of the authentication.
- Click Save and exit.
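The Username format, Realms and Reject usernames containing uppercase letters settings above all act on the same piece of input: the login string the end user types into the portal. The following Python is an added example of how those settings combine when that string is parsed; it is not part of the original page and not FortiAuthenticator code. The split rule for repeated separators, sending separator-less input to the default realm, rejecting a realm that is not in the configured list, and applying the uppercase check to the username part only are assumptions of this example, and the realm names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The three username input formats offered by the wizard. For "username@realm" the realm
# follows the LAST "@" (a username may itself contain "@" when it is an e-mail address);
# for the two realm-first formats the realm precedes the FIRST separator. That split rule
# is this example's choice, not something the page states.
FORMATS: Dict[str, Tuple[str, str]] = {
    "username@realm": ("@", "realm-last"),
    "realm\\username": ("\\", "realm-first"),
    "realm/username": ("/", "realm-first"),
}


@dataclass
class RealmConfig:
    """Realms added to the policy and the one marked as default (wizard 'Realms' step)."""
    realms: List[str]
    default: str

    def __post_init__(self) -> None:
        if self.default not in self.realms:
            raise ValueError("default realm must be one of the configured realms")


def parse_login(raw: str, username_format: str, config: RealmConfig,
                reject_uppercase: bool) -> dict:
    """Split a submitted login into username and realm under the selected format.

    Returns {"ok": True, "username": ..., "realm": ...} or {"ok": False, "reason": ...}.
    Assumptions of this example: input without a separator goes to the default realm;
    a realm that is not in the configured list is rejected; the 'Reject usernames
    containing uppercase letters' check applies to the username part.
    """
    separator, order = FORMATS[username_format]
    if separator in raw:
        if order == "realm-last":
            username, realm = raw.rsplit(separator, 1)
        else:
            realm, username = raw.split(separator, 1)
    else:
        username, realm = raw, config.default

    if not username:
        return {"ok": False, "reason": "empty username"}
    if realm not in config.realms:
        return {"ok": False, "reason": f"unknown realm {realm!r}"}
    if reject_uppercase and any(c.isupper() for c in username):
        return {"ok": False, "reason": "username contains uppercase letters"}
    return {"ok": True, "username": username, "realm": realm}


if __name__ == "__main__":
    # Constructed configuration: two realms, "corp" is the default.
    cfg = RealmConfig(realms=["corp", "guests"], default="corp")
    for raw, fmt in (("jdoe@corp", "username@realm"),
                     ("jdoe", "username@realm"),
                     ("guests\\visitor1", "realm\\username"),
                     ("JDoe@corp", "username@realm"),
                     ("jdoe@unknown", "username@realm"),
                     ("jdoe@corp", "realm\\username")):
        print(f"{fmt:16} {raw:18} -> {parse_login(raw, fmt, cfg, reject_uppercase=True)}")
```

Note the last sample: with the realm\username format selected, `jdoe@corp` contains no separator, so the whole string becomes the username and the login is routed to the default realm. Whichever format is chosen, the user-facing instructions have to match it, or logins silently land in the wrong realm.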
To configure a deny access captive portal policy:
- Go to Authentication > Portals > Policies, click Captive portals and Create New.
The Captive Portal Policy Creation Wizard is launched.
- Enter the following information:
Policy type: Specify the name and type of the portal policy.
- Name: Enter a name for the policy.
- Description: Optionally, enter a description of the policy.
- Type: Select Deny captive portal access.
Portal selection criteria: Specify the criteria that must be met for captive portal access to be denied to an end user.
- Additional source criteria: Redirects to this captive portal must contain parameters that meet all of the criteria listed here. For example, a condition that denies the portal to users from the subnet 192.168.1.0/24 would be:
  - HTTP parameter = userip
  - Operator = [ip]in_range
  - Value = 192.168.1.0/24
- Access points: Select the portal access points. End users must be redirected to the captive portal from one of these access points/NAS.
Browser response: The FortiAuthenticator presents an error message in the end user's browser when captive portal access is denied. You can customize the error message at Authentication > Self-service Portal > Replacement Message > System > 403 Forbidden.
- Click Save and exit.
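The Additional source criteria in both the allow and the deny procedures above are an all-must-match test over the parameters carried in the redirect to the portal. The following Python is an added example of that evaluation; it is not part of the original page and not FortiAuthenticator code. `[ip]in_range` is the operator shown in the wizard; the `equals` operator, the result strings returned by `apply_policy`, the sample policies and the redirect URLs are constructed for the example, and precedence between several policies is not modelled because the page does not describe it.

```python
import ipaddress
from typing import Callable, Dict, Mapping, Sequence, Tuple
from urllib.parse import parse_qs, urlsplit

Criterion = Tuple[str, str, str]  # (HTTP parameter, Operator, Value), as in the wizard


def _ip_in_range(value: str, expected: str) -> bool:
    """[ip]in_range: the parameter value is an address inside the CIDR range in Value."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(expected, strict=False)
    except ValueError:
        # Unparsable address or range: the criterion is not met (fail closed), no exception.
        return False


# "[ip]in_range" is the operator shown in the wizard. "equals" is an assumed plain
# string comparison, added here only so the demonstration can mix criterion kinds.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "[ip]in_range": _ip_in_range,
    "equals": lambda value, expected: value == expected,
}


def criteria_met(criteria: Sequence[Criterion], params: Mapping[str, str]) -> bool:
    """All criteria must hold. A missing parameter or an unknown operator fails closed."""
    for parameter, operator, expected in criteria:
        check = OPERATORS.get(operator)
        if check is None or parameter not in params:
            return False
        if not check(params[parameter], expected):
            return False
    return True


def redirect_params(url: str) -> Dict[str, str]:
    """Query parameters of the redirect URL; the first value wins if one is repeated."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def apply_policy(policy: dict, url: str) -> str:
    """Outcome of one policy for one redirect: 'portal:<name>' when an allow policy
    matches, '403' when a deny policy matches, 'no-match' otherwise. How the product
    orders several policies is not described on the page and is not modelled here."""
    if not criteria_met(policy["criteria"], redirect_params(url)):
        return "no-match"
    if policy["type"] == "allow":
        return "portal:" + policy["portal"]
    return "403"


# Constructed sample policies mirroring the wizard fields; the portal name and the
# 10.0.0.0/8 range are made up for the example.
ALLOW_GUEST = {
    "type": "allow",
    "portal": "guest-portal",
    "criteria": [("userip", "[ip]in_range", "192.168.1.0/24")],
}
DENY_SERVERS = {
    "type": "deny",
    "criteria": [("userip", "[ip]in_range", "10.0.0.0/8")],
}

if __name__ == "__main__":
    # Constructed redirect URLs; the host name is a placeholder.
    for url in (
        "https://fac.example/portal?userip=192.168.1.57",
        "https://fac.example/portal?userip=192.168.2.5",
        "https://fac.example/portal?userip=10.3.4.5",
        "https://fac.example/portal?userip=not-an-ip",
        "https://fac.example/portal",
    ):
        print(url, "->", apply_policy(ALLOW_GUEST, url), "/", apply_policy(DENY_SERVERS, url))
```

Two details are worth carrying over to a real deployment: a redirect that omits the parameter, carries an unparsable address, or presents an IPv4-mapped IPv6 literal such as `::ffff:192.168.1.9` does not satisfy an `[ip]in_range` criterion written for an IPv4 range, so the policy simply does not match rather than erroring; and because every criterion must hold, adding a criterion can only narrow the set of redirects a policy applies to.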