Fortinet black logo

Handbook

Captive portals

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:868644
Download PDF

Captive portals

A captive portal is a convenient way to authenticate web users on wired or WiFi networks.

This section includes the following topics:

Introduction

You can authenticate your users on a web page that requests the user’s name and password. Until the user authenticates successfully, the authentication page is returned in response to any HTTP request. This is called a captive portal.

After successful authentication, the user accesses the requested URL and can access other web resources, as permitted by security policies. Optionally, the captive portal itself can allow web access to only the members of specified user group.

The captive portal can be hosted on the FortiGate unit or on an external authentication server. You can configure captive portal authentication on any network interface, including WiFi and VLAN interfaces.

When a captive portal is configured on a WiFi interface, the access point initially appears open. The wireless client can connect to the access point with no security credentials, but sees only the captive portal authentication page.

WiFi captive portal types:

  • Authentication — until the user enters valid credentials, no communication beyond the AP is permitted.
  • Disclaimer + Authentication — immediately after successful authentication, the portal presents the disclaimer page—an acceptable use policy or other legal statement—to which the user must agree before proceeding.
  • Disclaimer Only — the portal presents the disclaimer page—an acceptable use policy or other legal statement—to which the user must agree before proceeding. The authentication page is not presented.
  • Email Collection — the portal presents a page requesting the user’s email address, for the purpose of contacting the person in future. This is often used by businesses who provide free WiFi access to their customers. The authentication page is not presented.
  • MAC Bypass — when clients are authenticated against their bridged SSID and their MAC addresses are known, they are redirected to the external captive portal.

Configuration

Captive portals are configured on network interfaces. A WiFi interface does not exist until the WiFi SSID is created. You can configure a WiFi captive portal at the time that you create the SSID. Afterwards, the captive portal settings will also be available by editing the WiFi network interface in System > Network > Interfaces. On a physical (wired) network interface, you edit the interface configuration in System > Network > Interfaces and set Security Mode to Captive Portal.

To configure a WiFi captive portal - GUI:
  1. Go to WiFi & Switch Controller > SSID and create your SSID.

    If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

  2. Under WiFi Settings, for Security Mode, select Captive Portal.
  3. Enter the following:

    Portal Type

    The portal can provide authentication and/or disclaimer, or perform user email address collection. See Introduction.

    Authentication Portal

    Local - portal hosted on the FortiGate unit.

    Remote - enter FQDN or IP address of external portal.

    User Groups

    Select permitted user groups.

    Exempt Sources

    Exempt Destinations/Services

    Select exempt lists whose members will not be subject to captive portal authentication.

    Redirect after Captive Portal

    Select whether to have authenticated users navigate to their originally requested URL or be redirected to another/specific URL.

  4. Select OK.
To configure an SSID with external-web enabled - CLI:

config wireless-controller vap

edit "web-ext"

set vdom "root"

set ssid "web-ext"

set security captive-portal

set selected-usergroups "qnap“

set security-exempt-list "wifi"

set security-redirect-url “ http://www.fortinet.com”

set intra-vap-privacy enable

set local-switching disable

set external-web "192.168.234.51/portal.php"

next

end

Note that the external-web entry is the URL of the external authentication web server. When this entry is not set, the FortiGate will use the local web server hosting the local login/splash page.

The external web URL is not explicitly set with HTTP/HTTPS - FortiGate uses the auth-secure-http entry under config user setting.

Exemption from the captive portal

A captive portal requires all users on the interface to authenticate. But some devices are not able to authenticate. You can create an exemption list of these devices. For example, a printer might need to access the Internet for firmware upgrades. Using the CLI, you can create an exemption list to exempt all printers from authentication.

config user security-exempt-list

edit r_exempt

config rule

edit <id>

set devices printer

end

end

Furthermore, a walled garden firewall policy can be created:

config firewall policy

edit <id>

set captive-portal-exempt enable

...

next

end

MAC Bypass for captive portal

It is possible to provide a MAC address bypass for authenticated clients.When clients are authenticated with bridged SSID and their MAC addresses are known, they are redirected to the External Captive Portal.

A new portal type has been added, under config wireless-controller vap, to provide successful MAC authentication Captive Portal functionality.

Syntax

config wireless-controller vap

edit {name}

set portal-type {cmcc-macauth}

next

end

MAC-auth-bypass for the captive-portal SSID

Captive-portal SSID supports MAC-auth-bypass. If a client's MAC can be authenticated from local-user or RADIUS, then the client can bypass firewall authentication directly.

config wireless-controller vap

edit <name>

set security captive-portal

set MAC-auth-bypass {enable | disable}

next

end

Customization of captive portal pages

These pages are defined in replacement messages. Defaults are provided. In the GUI, you can modify the default messages in the SSID configuration by selecting Customize Portal Messages. Each SSID can have its own unique portal content.

The captive portal contains the following default web pages:

  • Login page—requests user credentials

Typical modifications for this page would be to change the logo and modify some of the text.

You can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters.

There is an exception to this rule. The line “Please enter your credentials to continue” is provided by the %%QUESTION%% tag. You can replace this tag with text of your choice. Except for this item, you should not remove any tags because they may carry information that the FortiGate unit needs.

  • Login failed page—reports that the entered credentials were incorrect and enables the user to try again.

The Login failed page is similar to the Login page. It even contains the same login form. You can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters.

There is an exception to this rule. The line “Firewall authentication failed. Please try again.” is provided by the %%FAILED_MESSAGE%% tag. You can replace this tag with text of your choice. Except for this item, you should not remove any tags because they may carry information that the FortiGate unit needs.

  • Disclaimer page—is a statement of the legal responsibilities of the user and the host organization to which the user must agree before proceeding.(WiFi or SSL VPN only)

  • Declined disclaimer page—is displayed if the user does not agree to the statement on the Disclaimer page. Access is denied until the user agrees to the disclaimer.

Changing images in portal messages

You can replace the default Fortinet logo with your organization’s logo. First, import the logo file into the FortiGate unit and then modify the Login page code to reference your file.

To import a logo file:
  1. Go to System > Replacement Messages and select Manage Images.
  2. Select Create New.
  3. Enter a Name for the logo and select the appropriate Content Type.
    The file must not exceed 24 Kilo bytes.
  4. Select Browse, find your logo file and then select Open.
  5. Select OK.
To specify the new logo in the replacement message:
  1. Go to Network > Interfaces and edit the interface.
    The Security Mode must be Captive Portal.
  2. Select the portal message to edit.
    • In SSL VPN or WiFi interfaces, in Customize Portal Messages click the link to the portal messages that you want to edit.
    • In other interfaces, make sure that Customize Portal Messages is selected, select the adjacent Edit icon, then select the message that you want to edit.
  3. In the HTML message text, find the %%IMAGE tag.
    By default it specifies the Fortinet logo: %%IMAGE:logo_fw_auth%%
  4. Change the image name to the one you provided for your logo.
    The tag should now read, for example, %%IMAGE:mylogo%%
  5. Select Save.
  6. Select OK.

Modifying text in portal messages

Generally, you can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters. You should not remove any tags because they may carry information that the FortiGate unit needs. See the preceding section for any exceptions to this rule for particular pages.

To modify portal page text
  1. Go to System > Network > Interfaces and edit the interface.
    The SSID Security Mode must be Captive Portal.
  2. Select the portal message to edit.
    • In SSL VPN or WiFi interfaces, in Customize Portal Messages click the link to the portal messages that you want to edit.
    • In other interfaces, make sure that Customize Portal Messages is selected, select the adjacent Edit icon, then select the message that you want to edit.
  3. Edit the HTML message text, then select Save.
  4. Select OK.

Configuring disclaimer page for ethernet interface captive portals

While you can customize a disclaimer page for captive portals that connect via WiFi, the same can be done for wired connections. However, this can only be configured on the CLI Console, and only without configuring user groups.

When configuring a captive portal through the CLI, you may set security-groups to a specific user group. The result of this configuration will show an authentication form to users who wish to log in to the captive portal—not a disclaimer page. If you do not set any security-groups in your configuration, an "Allow all" status will be in effect, and the disclaimer page will be displayed for users.

The example CLI configuration below shows setting up a captive portal interface without setting security-groups, resulting in a disclaimer page for users:

config system interface

edit "port1"

set vdom "root"

set ip 172.16.101.1 255.255.255.0

set allowaccess ping https ssh snmp http

set type physical

set explicit-web-proxy enable

set alias "LAN"

set security-mode captive-portal

set snmp-index 1

next

end

Roaming support

Client devices can maintain captive portal authentication as they roam across different APs. By maintaining a consistent authentication, uninterrupted access to latency sensitive applications such as VoIP is ensured.

The Cloud will push a random per-AP Network encryption key to the AP. The key is 32 bytes in length, and is used in captive portal fast roaming. All APs of an AP Network will use the same encryption key. This key is randomly generated, and will be updated daily.

Session timeout interval for captive portal

The following syntax can be set to configure a session timeout interval in seconds for Captive Portal users. Set the range between 0 - 864000 (or no timeout to ten days). The default is set to 0.

note icon

This command is only available when local-standalone is set to enable, security is set to captive-portal, and then portal-type is set to either cmcc or cmcc-macauth.

Syntax

config wireless-controller vap

edit <name>

...

set captive-portal-session-timeout-interval <seconds>

next

end

Configuration example for the captive portal WiFi access control

In this scenario, you will configure the FortiGate for captive portal access so users can log on to your WiFi network.

You will create a user account (rgreen), add it to a user group (employees), create a captive portal SSID (example-staff), and configure a FortiAP unit. When the user attempts to browse the Internet, they will be redirected to the captive portal login page and asked to enter their username and password.

1. Enabling HTTPS authentication

Go to User & Device > Authentication Settings.

Under Protocol Support, enable Redirect HTTP Challenge to a Secure Channel (HTTPS). This will make sure that user credentials are communicated securely through the captive portal.

2. Creating the user

Go to User & Device > User Definition and create a Local user (rgreen).

Create additional users if needed, and assign any authentication methods.

3. Creating the user group

Go to User & Device > User Groups and create a user group (employees).

Add rgreen to the group.

4. Creating the SSID

Go to WiFi & Switch Controller > SSID and configure the wireless network.
Some FortiGate models may show the GUI path as WiFi & Switch Controller.

Enter an Interface Name (example-wifi) and IP/Network Mask.

An address range under DHCP Server will be automatically configured.

Under WiFi Settings, enter an SSID name (example-staff), set Security Mode to Captive Portal, and add the employees user group.

5. Creating the security policy

Go to Policy & Objects > Addresses and create a new address for the SSID (example-wifi-net).

Set Subnet/IP Range to the same range set on the DHCP server in the previous step.

Set Interface to the SSID interface.

Go to Policy & Objects > IPv4 Policy and create a new policy for WiFi users to connect to the Internet.

Add both the example-wifi-net address and employees user group to Source.

6. Connecting and authorizing the FortiAP

Go to Network > Interfaces and edit an available interface.

Under Address, set Addressing mode to Dedicated to Extension Device and assign it an IP address.

Connect the FortiAP unit to the configured interface, then go to WiFi & Switch Controller > Managed FortiAPs.

The FortiAP is listed, but its State shows a greyed-out question mark — this is because it is waiting for authorization.

Highlight the FortiAP and select Authorize.

The question mark is now replaced by a red down-arrow — this is because it is authorized, but still offline.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile.

For each radio, enable Radio Resource Provision and select your SSID.

Go back to WiFi & Switch Controller > Managed FortiAPs to verify that the FortiAP unit is online.

7. Results

When a user attempts to connect to the wireless network, they will be redirected to the captive portal login screen.

Members of the employees group must enter their Username and Password. The user will then be redirected to the URL originally requested.

On the FortiGate, go to Monitor > WiFi Client Monitor to verify that the user is authenticated.

Captive portals

A captive portal is a convenient way to authenticate web users on wired or WiFi networks.

This section includes the following topics:

Introduction

You can authenticate your users on a web page that requests the user’s name and password. Until the user authenticates successfully, the authentication page is returned in response to any HTTP request. This is called a captive portal.

After successful authentication, the user accesses the requested URL and can access other web resources, as permitted by security policies. Optionally, the captive portal itself can allow web access to only the members of specified user group.

The captive portal can be hosted on the FortiGate unit or on an external authentication server. You can configure captive portal authentication on any network interface, including WiFi and VLAN interfaces.

When a captive portal is configured on a WiFi interface, the access point initially appears open. The wireless client can connect to the access point with no security credentials, but sees only the captive portal authentication page.

WiFi captive portal types:

  • Authentication — until the user enters valid credentials, no communication beyond the AP is permitted.
  • Disclaimer + Authentication — immediately after successful authentication, the portal presents the disclaimer page—an acceptable use policy or other legal statement—to which the user must agree before proceeding.
  • Disclaimer Only — the portal presents the disclaimer page—an acceptable use policy or other legal statement—to which the user must agree before proceeding. The authentication page is not presented.
  • Email Collection — the portal presents a page requesting the user’s email address, for the purpose of contacting the person in future. This is often used by businesses who provide free WiFi access to their customers. The authentication page is not presented.
  • MAC Bypass — when clients are authenticated against their bridged SSID and their MAC addresses are known, they are redirected to the external captive portal.

Configuration

Captive portals are configured on network interfaces. A WiFi interface does not exist until the WiFi SSID is created. You can configure a WiFi captive portal at the time that you create the SSID. Afterwards, the captive portal settings will also be available by editing the WiFi network interface in System > Network > Interfaces. On a physical (wired) network interface, you edit the interface configuration in System > Network > Interfaces and set Security Mode to Captive Portal.

To configure a WiFi captive portal - GUI:
  1. Go to WiFi & Switch Controller > SSID and create your SSID.

    If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

  2. Under WiFi Settings, for Security Mode, select Captive Portal.
  3. Enter the following:

    Portal Type

    The portal can provide authentication and/or disclaimer, or perform user email address collection. See Introduction.

    Authentication Portal

    Local - portal hosted on the FortiGate unit.

    Remote - enter FQDN or IP address of external portal.

    User Groups

    Select permitted user groups.

    Exempt Sources

    Exempt Destinations/Services

    Select exempt lists whose members will not be subject to captive portal authentication.

    Redirect after Captive Portal

    Select whether to have authenticated users navigate to their originally requested URL or be redirected to another/specific URL.

  4. Select OK.
To configure an SSID with external-web enabled - CLI:

config wireless-controller vap

edit "web-ext"

set vdom "root"

set ssid "web-ext"

set security captive-portal

set selected-usergroups "qnap“

set security-exempt-list "wifi"

set security-redirect-url “ http://www.fortinet.com”

set intra-vap-privacy enable

set local-switching disable

set external-web "192.168.234.51/portal.php"

next

end

Note that the external-web entry is the URL of the external authentication web server. When this entry is not set, the FortiGate will use the local web server hosting the local login/splash page.

The external web URL is not explicitly set with HTTP/HTTPS - FortiGate uses the auth-secure-http entry under config user setting.

Exemption from the captive portal

A captive portal requires all users on the interface to authenticate. But some devices are not able to authenticate. You can create an exemption list of these devices. For example, a printer might need to access the Internet for firmware upgrades. Using the CLI, you can create an exemption list to exempt all printers from authentication.

config user security-exempt-list

edit r_exempt

config rule

edit <id>

set devices printer

end

end

Furthermore, a walled garden firewall policy can be created:

config firewall policy

edit <id>

set captive-portal-exempt enable

...

next

end

MAC Bypass for captive portal

It is possible to provide a MAC address bypass for authenticated clients.When clients are authenticated with bridged SSID and their MAC addresses are known, they are redirected to the External Captive Portal.

A new portal type has been added, under config wireless-controller vap, to provide successful MAC authentication Captive Portal functionality.

Syntax

config wireless-controller vap

edit {name}

set portal-type {cmcc-macauth}

next

end

MAC-auth-bypass for the captive-portal SSID

Captive-portal SSID supports MAC-auth-bypass. If a client's MAC can be authenticated from local-user or RADIUS, then the client can bypass firewall authentication directly.

config wireless-controller vap

edit <name>

set security captive-portal

set MAC-auth-bypass {enable | disable}

next

end

Customization of captive portal pages

These pages are defined in replacement messages. Defaults are provided. In the GUI, you can modify the default messages in the SSID configuration by selecting Customize Portal Messages. Each SSID can have its own unique portal content.

The captive portal contains the following default web pages:

  • Login page—requests user credentials

Typical modifications for this page would be to change the logo and modify some of the text.

You can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters.

There is an exception to this rule. The line “Please enter your credentials to continue” is provided by the %%QUESTION%% tag. You can replace this tag with text of your choice. Except for this item, you should not remove any tags because they may carry information that the FortiGate unit needs.

  • Login failed page—reports that the entered credentials were incorrect and enables the user to try again.

The Login failed page is similar to the Login page. It even contains the same login form. You can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters.

There is an exception to this rule. The line “Firewall authentication failed. Please try again.” is provided by the %%FAILED_MESSAGE%% tag. You can replace this tag with text of your choice. Except for this item, you should not remove any tags because they may carry information that the FortiGate unit needs.

  • Disclaimer page—is a statement of the legal responsibilities of the user and the host organization to which the user must agree before proceeding.(WiFi or SSL VPN only)

  • Declined disclaimer page—is displayed if the user does not agree to the statement on the Disclaimer page. Access is denied until the user agrees to the disclaimer.

Changing images in portal messages

You can replace the default Fortinet logo with your organization’s logo. First, import the logo file into the FortiGate unit and then modify the Login page code to reference your file.

To import a logo file:
  1. Go to System > Replacement Messages and select Manage Images.
  2. Select Create New.
  3. Enter a Name for the logo and select the appropriate Content Type.
    The file must not exceed 24 Kilo bytes.
  4. Select Browse, find your logo file and then select Open.
  5. Select OK.
To specify the new logo in the replacement message:
  1. Go to Network > Interfaces and edit the interface.
    The Security Mode must be Captive Portal.
  2. Select the portal message to edit.
    • In SSL VPN or WiFi interfaces, in Customize Portal Messages click the link to the portal messages that you want to edit.
    • In other interfaces, make sure that Customize Portal Messages is selected, select the adjacent Edit icon, then select the message that you want to edit.
  3. In the HTML message text, find the %%IMAGE tag.
    By default it specifies the Fortinet logo: %%IMAGE:logo_fw_auth%%
  4. Change the image name to the one you provided for your logo.
    The tag should now read, for example, %%IMAGE:mylogo%%
  5. Select Save.
  6. Select OK.

Modifying text in portal messages

Generally, you can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters. You should not remove any tags because they may carry information that the FortiGate unit needs. See the preceding section for any exceptions to this rule for particular pages.

To modify portal page text
  1. Go to System > Network > Interfaces and edit the interface.
    The SSID Security Mode must be Captive Portal.
  2. Select the portal message to edit.
    • In SSL VPN or WiFi interfaces, in Customize Portal Messages click the link to the portal messages that you want to edit.
    • In other interfaces, make sure that Customize Portal Messages is selected, select the adjacent Edit icon, then select the message that you want to edit.
  3. Edit the HTML message text, then select Save.
  4. Select OK.

Configuring disclaimer page for ethernet interface captive portals

While you can customize a disclaimer page for captive portals that connect via WiFi, the same can be done for wired connections. However, this can only be configured on the CLI Console, and only without configuring user groups.

When configuring a captive portal through the CLI, you may set security-groups to a specific user group. The result of this configuration will show an authentication form to users who wish to log in to the captive portal—not a disclaimer page. If you do not set any security-groups in your configuration, an "Allow all" status will be in effect, and the disclaimer page will be displayed for users.

The example CLI configuration below shows setting up a captive portal interface without setting security-groups, resulting in a disclaimer page for users:

config system interface

edit "port1"

set vdom "root"

set ip 172.16.101.1 255.255.255.0

set allowaccess ping https ssh snmp http

set type physical

set explicit-web-proxy enable

set alias "LAN"

set security-mode captive-portal

set snmp-index 1

next

end

Roaming support

Client devices can maintain captive portal authentication as they roam across different APs. By maintaining a consistent authentication, uninterrupted access to latency sensitive applications such as VoIP is ensured.

The Cloud will push a random per-AP Network encryption key to the AP. The key is 32 bytes in length, and is used in captive portal fast roaming. All APs of an AP Network will use the same encryption key. This key is randomly generated, and will be updated daily.

Session timeout interval for captive portal

The following syntax can be set to configure a session timeout interval in seconds for Captive Portal users. Set the range between 0 - 864000 (or no timeout to ten days). The default is set to 0.

note icon

This command is only available when local-standalone is set to enable, security is set to captive-portal, and then portal-type is set to either cmcc or cmcc-macauth.

Syntax

config wireless-controller vap

edit <name>

...

set captive-portal-session-timeout-interval <seconds>

next

end

Configuration example for the captive portal WiFi access control

In this scenario, you will configure the FortiGate for captive portal access so users can log on to your WiFi network.

You will create a user account (rgreen), add it to a user group (employees), create a captive portal SSID (example-staff), and configure a FortiAP unit. When the user attempts to browse the Internet, they will be redirected to the captive portal login page and asked to enter their username and password.

1. Enabling HTTPS authentication

Go to User & Device > Authentication Settings.

Under Protocol Support, enable Redirect HTTP Challenge to a Secure Channel (HTTPS). This will make sure that user credentials are communicated securely through the captive portal.

2. Creating the user

Go to User & Device > User Definition and create a Local user (rgreen).

Create additional users if needed, and assign any authentication methods.

3. Creating the user group

Go to User & Device > User Groups and create a user group (employees).

Add rgreen to the group.

4. Creating the SSID

Go to WiFi & Switch Controller > SSID and configure the wireless network.
Some FortiGate models may show the GUI path as WiFi & Switch Controller.

Enter an Interface Name (example-wifi) and IP/Network Mask.

An address range under DHCP Server will be automatically configured.

Under WiFi Settings, enter an SSID name (example-staff), set Security Mode to Captive Portal, and add the employees user group.

5. Creating the security policy

Go to Policy & Objects > Addresses and create a new address for the SSID (example-wifi-net).

Set Subnet/IP Range to the same range set on the DHCP server in the previous step.

Set Interface to the SSID interface.

Go to Policy & Objects > IPv4 Policy and create a new policy for WiFi users to connect to the Internet.

Add both the example-wifi-net address and employees user group to Source.

6. Connecting and authorizing the FortiAP

Go to Network > Interfaces and edit an available interface.

Under Address, set Addressing mode to Dedicated to Extension Device and assign it an IP address.

Connect the FortiAP unit to the configured interface, then go to WiFi & Switch Controller > Managed FortiAPs.

The FortiAP is listed, but its State shows a greyed-out question mark — this is because it is waiting for authorization.

Highlight the FortiAP and select Authorize.

The question mark is now replaced by a red down-arrow — this is because it is authorized, but still offline.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile.

For each radio, enable Radio Resource Provision and select your SSID.

Go back to WiFi & Switch Controller > Managed FortiAPs to verify that the FortiAP unit is online.

7. Results

When a user attempts to connect to the wireless network, they will be redirected to the captive portal login screen.

Members of the employees group must enter their Username and Password. The user will then be redirected to the URL originally requested.

On the FortiGate, go to Monitor > WiFi Client Monitor to verify that the user is authenticated.