Captive portal policies
There are two types of captive portal policies:
- Allow captive portal access: Presents a captive portal login page when end-users' HTTP requests contain parameters or values that meet the pre-defined criteria.
- Deny captive portal access: Blocks end-users from accessing a captive portal login page if their HTTP request contains parameters or values that meet the pre-defined criteria.
To configure an allow access captive portal policy:
- Go to Authentication > Portals > Policies, click Captive portals and Create New.
The Captive Portal Policy Creation Wizard is launched.
- Enter the following information:
Policy type: Specify the name and type of the portal policy.
Name
Enter a name for the policy.
Description
Optionally, enter a description of the policy.
Type
Select Allow captive portal access and choose a portal.
Portal selection criteria: Specify the necessary criteria for presenting this captive portal to an end user.
Portal Rule Conditions
Redirects to this captive portal must contain parameters that meet all of the criteria included here. For example, a condition to restrict the portal to users from subnet 192.168.1.0/24 would be:
- HTTP parameter = userip
- Operator = [ip]in_range
- Value = 192.168.1.0/24
Authorized clients
Access points
Select the access points used to access the captive portal.
RADIUS clients
Select the RADIUS clients to associate with this portal policy.
Authentication type: Specify the type of end-user authentication used by the portal.
Authentication type
Select either Password/OTP or MAC authentication.
- Password/OTP Authentication: Selected by default, this option requires authentication with user account credentials (local or remote) or with social site credentials:
- Local/remote user: Credentials are verified against one of the local or remote user accounts.
- Social users: Authentication with social site credentials (OAUTH), phone number, or email. Successful authentication creates a social user account containing details about the third-party account.
- MAC Authorization: The access point/NAS can attempt a MAC authentication bypass (MAB) prior to redirecting to the captive portal. If the MAB is successful, the access point/NAS provides network access without redirecting to the captive portal.
Identity sources: Specify the identity sources against which to authenticate end users.
Social Users
Enable authorized redirects to social platforms and specify if phone or email verification is required.
This setting is only available for Password/OTP Authentication when Social Users is enabled in Authentication type.
Username format
Select one of the following three username input formats:
- username@realm
- realm\username
- realm/username
This setting is only available for Password/OTP Authentication.
Use default realm when user-provided realm is different from all configured realms
When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.
Realms
Add realms to which the client will be associated.
- Select a realm from the dropdown menu in the Realm column.
- Select whether or not to allow local users to override remote users for the selected realm.
- Select whether or not to use Windows AD domain authentication.
- Edit the group filter as needed to filter users based on the groups they are in.
- If necessary, add more realms to the list.
- Select the realm that will be the default realm for this client.
This setting is only available for Password/OTP Authentication.
Authentication factors: Specify which authentication factors to verify.
Authentication type
Select one of the following:
- Mandatory password and OTP: Two-factor authentication is required for every user.
- All configured password and OTP factors: Two-factor authentication is required if it is enabled on the user's account; otherwise, one-factor authentication is allowed.
- Password-only: Authenticate users through password verification only. User accounts for which password authentication is disabled cannot be authenticated.
- OTP-only: Authenticate users through token verification only. User accounts for which token authentication is disabled cannot be authenticated.
This setting is only available for Password/OTP Authentication.
User IP address parameter
Select the user IP address parameter.
Use userip for FortiGate/FortiWiFi.
Adaptive Authentication
Enable this option if you would like to have certain users bypass OTP validation, so long as they belong to a trusted subnet.
Select All trusted subnets to add all the available trusted subnets.
You can specify the trusted subnets by selecting Specify trusted subnets and clicking the pen icon. This opens a window where you can choose from a list of available trusted subnets.
Adaptive Authentication is available only for the following authentication types:
- Mandatory password and OTP
- All configured password and OTP factors
FIDO authentication (effective once a token has been registered)
Enable or disable FIDO authentication.
Options
Select from the following two options:
- FIDO token only: Log in with FIDO token only (without password).
- Password and FIDO token: Log in with the password and the FIDO token.
Allow two-factor authentication (password and OTP) if all FIDO keys have been revoked for the user account
Enable to allow two-factor authentication (password and OTP) if all FIDO keys have been revoked for the user account.
MAC address parameter
Select the MAC address parameter.
Use usermac for FortiGate/FortiWiFi, station_mac for FortiWLC, or client_mac for Cisco WLC.
Restrict access based on end-user MAC address
Select the authorized MAC device groups.
Authorized groups must be first created under Authentication > User Management > User Groups, where the Type is MAC.
Advanced Options
Allow FortiToken Mobile push notifications
Toggle on/off FTM Push notifications for RADIUS users. This setting is controlled only here, on a per-RADIUS-client basis, not for specific users.
This setting is only available for Password/OTP Authentication.
Application name for FTM push notification
Enter the client application name. This field is displayed on the FortiToken app.
When creating a new policy or upgrading to FortiAuthenticator 6.5, the policy name is the default client application name.
Resolve user geolocation from their IP address
Enable to resolve the user geolocation from their IP address (if possible).
Reject usernames containing uppercase letters
Enable this setting to reject usernames that contain uppercase letters.
This setting is only available for Password/OTP Authentication.
RADIUS response: Specify the content of the RADIUS authentication response based on the outcome of the authentication.
- Click Save and exit.
To configure a deny access captive portal policy:
- Go to Authentication > Portals > Policies, click Captive portals and Create New.
The Captive Portal Policy Creation Wizard is launched.
- Enter the following information:
Policy type: Specify the name and type of the portal policy.
Name
Enter a name for the policy.
Description
Optionally, enter a description of the policy.
Type
Select Deny captive portal access.
Portal selection criteria: Specify the necessary criteria for denying captive portal access to an end-user.
Portal Rule Conditions
Redirects to this captive portal must contain parameters that meet all of the criteria included here. For example, a condition to restrict the portal to users from subnet 192.168.1.0/24 would be:
- HTTP parameter = userip
- Operator = [ip]in_range
- Value = 192.168.1.0/24
Access points
Select the portal access points.
End-users must be redirected to the captive portal from one of these access points/NAS.
Browser response: The FortiAuthenticator presents an error message to end-users' browsers when captive portal access is denied.
You can customize the browser response error message at Authentication > Self-service Portal > Replacement Message > System > 403 Forbidden.
- Click Save and exit.
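The following is an added illustration, not FortiAuthenticator code, of how the Portal Rule Conditions used in both the allow and the deny procedures above are evaluated: every condition must match an HTTP parameter of the redirect, and a missing or malformed value never matches, so it can neither select nor deny a portal. The [ip]in_range operator and the userip/usermac parameters are from this page; the equals operator, the first-match ordering of policies, the portal name and the sample redirect URLs are assumptions made for the example.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit


def ip_in_range(value, subnet):
    """The page's [ip]in_range operator: is the parameter value inside the subnet?"""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(subnet, strict=False)
    except ValueError:
        return False  # a malformed IP or subnet never matches, so it cannot select a portal


# Operator table. Only "[ip]in_range" is from the page; "equals" is an assumed extra.
OPERATORS = {
    "[ip]in_range": ip_in_range,
    "equals": lambda value, expected: value.lower() == expected.lower(),
}


def condition_matches(params, cond):
    """A single rule condition matches only if the HTTP parameter is present
    and the operator accepts at least one of its values."""
    values = params.get(cond["param"], [])
    return any(OPERATORS[cond["operator"]](v, cond["value"]) for v in values)


def policy_matches(redirect_url, conditions):
    """The page says redirects must meet ALL criteria, so the conditions are ANDed."""
    params = parse_qs(urlsplit(redirect_url).query)
    return all(condition_matches(params, c) for c in conditions)


def evaluate(redirect_url, policies):
    """Assumed ordering: the first matching policy wins.
    Returns ("allow", portal), ("deny", None), or (None, None) if nothing matched."""
    for pol in policies:
        if policy_matches(redirect_url, pol["conditions"]):
            return pol["type"], pol.get("portal")
    return None, None


# Constructed sample policies. The subnet condition is the page's own example;
# the deny rule on usermac and the portal name are made up for illustration.
SUBNET_COND = {"param": "userip", "operator": "[ip]in_range", "value": "192.168.1.0/24"}
POLICIES = [
    {"name": "blocked-device", "type": "deny",
     "conditions": [{"param": "usermac", "operator": "equals", "value": "00:11:22:33:44:55"}]},
    {"name": "lan-users", "type": "allow", "portal": "employee-portal",
     "conditions": [SUBNET_COND]},
]
```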