Administration Guide

Captive portals

A captive portal is used to enforce authentication before web resources can be accessed. Until a user authenticates successfully, any HTTP request returns the authentication page. After successfully authenticating, a user can access the requested URL and other web resources, as permitted by policies. The captive portal can also be configured to only allow access to members of specific user groups.

Captive portals can be hosted on the FortiGate or on an external authentication server. They can be configured on any network interface, including VLAN and WiFi interfaces. On a WiFi interface, the access point appears open, and the client can connect to the access point with no security credentials, but then sees the captive portal authentication page. See Captive Portal Security, in the FortiWiFi and FortiAP Configuration Guide, for more information.

All users on the interface are required to authenticate. Exemption lists can be created for devices that are unable to authenticate, such as a printer that requires access to the internet for firmware upgrades.

To configure a captive portal in the GUI:
  1. Go to Network > Interfaces and edit the interface that the users connect to. The interface Role must be LAN or Undefined.

  2. Enable Security mode.

  3. Configure the following settings, then click OK.

    Authentication Portal

    Configure the location of the portal:

    • Local: the portal is hosted on the FortiGate unit.

    • External: enter the FQDN or IP address of external portal.

    User access

    Select if the portal applies to all users, or selected user groups:

    • Restricted to Groups: restrict access to the selected user groups. The Login page is shown when a user tries to log in to the captive portal.

    • Allow all: all users can log in, but access is defined by the relevant policies. The Disclaimer page is shown when a user tries to log in to the captive portal.

    Customize portal messages

    Enable to use custom portal pages, then select a replacement message group. See Custom captive portal pages below.

    Exempt sources

    Select sources that are exempt from the captive portal.

    Each exemption is added as a rule in an automatically generated exemption list.

    Exempt destinations/services

    Select destinations and services that are exempt from the captive portal.

    Each exemption is added as a rule in an automatically generated exemption list.

    Redirect after Captive Portal

    Configure website redirection after successful captive portal authentication:

    • Original Request: redirect to the URL that the user initially requested.

    • Specific URL: redirect to the specified URL.

To configure a captive portal in the CLI:
  1. If required, create a security exemption list:

    config user security-exempt-list
        edit <list>
            config rule
                edit 1
                    set srcaddr <source(s)>
                    set dstaddr <destination(s)>
                    set service <service(s)>
                next
                edit 2
                    set srcaddr <source(s)>
                    set dstaddr <destination(s)>
                    set service <service(s)>
                next
            end
        next
    end
  2. Configure captive portal authentication on the interface:

    config system interface
        edit <interface>
            set security-mode {none | captive-portal}
            set security-external-web <string>
            set replacemsg-override-group <group>
            set security-redirect-url <string>
            set security-exempt-list <list>
            set security-groups <group(s)>
        next
    end
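Once the interface is configured, it is worth confirming from an unauthenticated client that ordinary hosts really do receive the portal page and that only the intended exempt sources (such as the printer mentioned above) reach their destination directly. The following Python script is an added example, not part of the guide: it classifies what a client got back for a request by looking for the default Login and Login Failed texts, and reports any client whose observed result disagrees with the intended policy. The sample responses are constructed; the `probe()` helper is hypothetical glue for fetching a URL from a real client.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Default wording of the Login and Login Failed pages (the %%QUESTION%% and
# %%FAILED_MESSAGE%% texts); a custom replacement message group may change them.
LOGIN_TEXT = "Please enter the required information to continue."
FAILED_TEXT = "Firewall authentication failed. Please try again."


def classify_response(status, headers, body, requested_url):
    """Return what an unauthenticated client actually got back for requested_url."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        target = urlparse(hdrs["location"]).netloc
        if target and target != urlparse(requested_url).netloc:
            return "redirect"  # sent to the portal host (local or external)
    if FAILED_TEXT in body:
        return "portal-failed"
    if LOGIN_TEXT in body:
        return "portal-login"
    return "passthrough"  # original content: exempt or already authenticated


def probe(url, timeout=5):
    """Fetch url with no credentials (hypothetical helper). urlopen follows
    redirects, so the body is the landing page. Returns (status, headers, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def audit(observations):
    """observations: (client, expected, status, headers, body, url) tuples, where
    expected is 'portal-login' for normal clients or 'passthrough' for exempt
    sources. Returns (client, expected, got) for every mismatch."""
    findings = []
    for client, expected, status, headers, body, url in observations:
        got = classify_response(status, headers, body, url)
        if got != expected:
            findings.append((client, expected, got))
    return findings


# Constructed samples: an intercepted laptop, an exempt printer reaching its
# firmware server, and a phone that was wrongly let through without the portal.
HTML = {"Content-Type": "text/html"}
SAMPLE = [
    ("laptop", "portal-login", 200, HTML, "<html>" + LOGIN_TEXT + "</html>", "http://example.com/"),
    ("printer", "passthrough", 200, {"Content-Type": "application/json"},
     '{"firmware": "1.2.3"}', "http://updates.example.net/fw"),
    ("phone", "portal-login", 200, HTML, "<html>Welcome</html>", "http://example.com/"),
]
```

Running `audit(SAMPLE)` flags only the phone, the client that should have been intercepted but received the original page; replace the constructed tuples with real `probe()` results from each test host to check a live deployment.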

Custom captive portal pages

Portal pages are HTML files that can be customized to meet user requirements.

Most of the text and some of the HTML in the message can be changed. Tags are enclosed by double percent signs (%%); most of them should not be changed because they might carry information that the FortiGate unit needs. For information about customizing replacement messages, see Modifying replacement messages.

The images on the pages can be replaced. For example, your organization's logo can replace the Fortinet logo. For information about uploading and using new images in replacement messages, see Replacement message images.

The following pages are used by captive portals:

Login Page

Requests user credentials.

The %%QUESTION%% tag provides the "Please enter the required information to continue." text.

This page is shown to users that are trying to log in when User access is set to Restricted to Groups.

Login Failed Page

Reports that incorrect credentials were entered, and requests correct credentials.

The %%FAILED_MESSAGE%% tag provides the "Firewall authentication failed. Please try again." text.

Disclaimer Page

A statement of the legal responsibilities of the user and the host organization that the user must agree to before proceeding. This page is shown to users that are trying to log in when User access is set to Allow all.

Declined Disclaimer Page

Shown if the user does not agree to the statement on the Disclaimer page. Access is denied until the user agrees to the disclaimer.