Captive portal WiFi access control

In this example, your employees can log on to your Wi-Fi network through a captive portal.

Captive portals are often used on public Wi-Fi networks where you want users to accept a disclaimer before they go online. They can also be used simply to grant access to an open Wi-Fi network without requiring credentials.

As shown in this example, a captive portal can also be used as the authentication method for restricting access to a wireless network. Some users find it more intuitive to enter their credentials on a captive portal web page than to enter a user name and password in a wireless network configuration.

1. Create user accounts

Go to User & Device > User > User Definition and create a Local user.

Create additional users as needed. You can use any authentication method.

2. Create a user group

Go to User & Device > User > User Groups.

Create a user group for employees and add the new user(s) to the group.

3. Create the SSID

Go to WiFi Controller > WiFi Network > SSID and configure your wireless network.
Configure DHCP addressing for clients.
Configure Captive Portal authentication using the employees user group.

4. Create the security policy

Create an address for your SSID, using the same IP range that was set on the DHCP server.
Go to Policy & Objects > Policy > IPv4 and create a policy allowing WiFi users to connect to the Internet. Select the employees user group as permitted Source Users.

5. Connect and authorize the FortiAP unit

Go to System > Network > Interface. Configure an interface dedicated to extension devices and assign it an IP address.

Connect the FortiAP unit to the interface and go to WiFi Controller > Managed Access Points > Managed FortiAPs. The FortiAP may not appear for a minute or two.

The FortiAP is listed with a yellow question mark beside it because the device is not yet authorized.

Highlight the FortiAP unit in the list and select Authorize.

A grey check mark is now shown beside the FortiAP, indicating that it is authorized but not yet online.

Go to WiFi Controller > WiFi Network > FortiAP Profiles and edit the profile. For each radio:

Enable Radio Resource Provision.

Select your SSID.

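The five GUI steps above, collected into one FortiOS CLI configuration. This is an added example, not part of the original recipe: the user name, group name, SSID name, interface names, the 10.10.12.0/24 range (the gateway address matches the one mentioned in the comments below) and the FortiAP serial number are all assumptions, and the FortiAP-facing interface and the Radio Resource Provision setting are left to the GUI steps rather than guessed here. The security-relevant lines are set security captive-portal, which makes the SSID open and hands authentication to the portal, and set groups "employees" on the policy, which is what actually stops unauthenticated clients from reaching the Internet.

```text
config user local
    edit "jsmith"
        set type password
        set passwd "<password>"
    next
end

config user group
    edit "employees"
        set member "jsmith"
    next
end

config wireless-controller vap
    edit "employee-wifi"
        set ssid "Employees"
        set security captive-portal
        set selected-usergroups "employees"
    next
end

config system interface
    edit "employee-wifi"
        set ip 10.10.12.1 255.255.255.0
    next
end

config system dhcp server
    edit 1
        set interface "employee-wifi"
        set default-gateway 10.10.12.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.12.2
                set end-ip 10.10.12.254
            next
        end
    next
end

config firewall address
    edit "employee-wifi-net"
        set subnet 10.10.12.0 255.255.255.0
    next
end

config firewall policy
    edit 1
        set srcintf "employee-wifi"
        set dstintf "wan1"
        set srcaddr "employee-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "employees"
        set nat enable
    next
end

config wireless-controller wtp
    edit "FP221C3X00000000"
        set admin enable
        set wtp-profile "FAP221C-default"
    next
end

config wireless-controller wtp-profile
    edit "FAP221C-default"
        config radio-1
            set vap-all disable
            set vaps "employee-wifi"
        end
        config radio-2
            set vap-all disable
            set vaps "employee-wifi"
        end
    next
end
```

The wtp entry is created by the FortiGate when it discovers the access point; set admin enable is the CLI equivalent of the Authorize button. Check the result with diagnose wireless-controller wlac -c wtp, which lists each managed FortiAP and whether it has come online.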

Results

The user's device shows the WiFi network as "open" and associates with it without requesting credentials. Because the SSID is open, the wireless link itself is not encrypted: the captive portal controls who is allowed through the security policy, it does not protect traffic on the air. The first time a wireless user opens a web browser, the captive portal login screen is displayed. Users who are members of the employees group can log on with their user name and password and then proceed to use the wireless network.


Go to WiFi Controller > Monitor > Client Monitor to see connected users.
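The redirect described in the Results section is exactly what a phone or laptop looks for when it decides it is behind a captive portal. The following is an added example, not code from the recipe or from Fortinet: it parses a raw HTTP response to the client's first probe request and classifies it as "reached the Internet", "redirected to our portal", or "redirected somewhere else". The gateway address 10.10.12.1 and the FQDN wifi.example.org are taken from the comment thread below, the portal ports 1000 (HTTP) and 1003 (HTTPS) are the FortiGate defaults, and the sample responses are constructed, not captured from a device.

```python
"""Client-side captive portal probe (added example, not from the recipe)."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Assumptions (not from the recipe): the SSID gateway address used in the
# comment thread, the FQDN that `set portal-addr` can assign, and the
# default FortiGate captive-portal listener ports (1000 HTTP, 1003 HTTPS).
EXPECTED_PORTAL_HOSTS = {"10.10.12.1", "wifi.example.org"}
PORTAL_PORTS = {1000, 1003}


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lowercased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify(raw: bytes, expected_body: bytes = b"") -> Tuple[str, Optional[str]]:
    """Return (verdict, redirect_url).

    verdict is one of:
      internet             the probe reached the real server (no portal in the way)
      portal               redirected to the FortiGate login page we expect
      unexpected-redirect  redirected to a host/port that is not our portal
      blocked              anything else (wrong content, no usable redirect)
    """
    status, headers, body = parse_response(raw)
    if status == 204 or (status == 200 and body == expected_body):
        return "internet", None
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        target = headers["location"]
        url = urlparse(target)
        port = url.port or (443 if url.scheme == "https" else 80)
        if url.hostname in EXPECTED_PORTAL_HOSTS and port in PORTAL_PORTS:
            return "portal", target
        return "unexpected-redirect", target
    return "blocked", None


# Constructed sample responses (not captured from a real FortiGate).
BEFORE_LOGIN = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Location: http://10.10.12.1:1000/fgtauth?0a1b2c3d4e5f6789\r\n"
    b"Content-Length: 0\r\n\r\n"
)
AFTER_LOGIN = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
ROGUE_PORTAL = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://captive.evil-example.net/login\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for name, sample in [("before login", BEFORE_LOGIN),
                         ("after login", AFTER_LOGIN),
                         ("rogue portal", ROGUE_PORTAL)]:
        print(name, "->", classify(sample))
```

Pinning the portal host and port is the client-side half of the certificate question raised in the comments: once the portal is served from an FQDN with a matching certificate, a client can insist on that exact origin and refuse to type credentials into any other login page that happens to answer its probe.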

For further reading, check out Captive portals in the FortiOS 5.2 Handbook.

Jonathan Coles

Technical Writer at Fortinet
Jonathan Coles is part of the FortiOS Technical Documentation team in Ottawa. He has a B.A. in English from the University of Waterloo and an Electronics Technologist diploma from Conestoga College. Long ago at another company he convinced a documentation manager that he could write. After writing about telephone PBXs, text search software, cell tower planning software, and some less memorable things, he joined Fortinet around the time that FortiOS 3.0 was released.



  • Jo

    hi
    thanks! it works well but I now have a certificate problem
    because my certificate verifies an FQDN address and not an IP address
    how can I define an FQDN address for my captive portal?
    based on your example, I would like my browser to show me wifi.example.org:1000/… instead of 10.10.12.1:1000/…
    thank you
    Jo.

    • jcoles

      You can configure the FQDN for the portal in the CLI like this:

      config firewall auth-portal
      set portal-addr "wifi.example.org"
      end

  • Alex Morales

    Hi Jonathan, thanks for the input.

    How is the captive portal edited, to change the image and text that come by default?

    Thank you
    Regards,

    Alex Morales
    Venezuela

    • Adam Bristow

      Hello Alex,

      You can change the image and text for the Captive Portal logon by going to System > Replacement Messages. From here, you can make changes to a variety of authentication settings, including Login Page.

      I hope this is helpful!

      Adam

      • Alex Morales

        Excellent, it was very useful, thanks for the help

  • Dinusha Madusanka Chandrasingh

    After renaming a user name in AD, is the FortiGate able to change the old user name automatically, or should we delete the previous user name?

    • Adam Bristow

      Hello Dinusha, thanks for your question.

      The answer is similar, depending on your setup:

      – If users on the AD server have not been imported to the FortiGate, then the FortiGate is only referencing the AD server when a request is made (i.e. when the user attempts to log in). In this case, the username can be changed on the AD server, and the user should be made aware of the change.

      – If users on the AD server have been imported into the FortiGate, and users are now stored on and being referenced from the FortiGate, then the user still needs to be made aware of the change, but no further changes need to be made (providing that username requests only occur from the FortiGate, not the AD server, as they will not match).

      I hope this is helpful!

      Adam

      • Dinusha Madusanka Chandrasingh

        Thank you Bristow. I checked with the firewall; the problem was at the AD, they still hadn't changed the account ID on their end. The FortiGate was showing his ID as example23 but his real ID should be example22, and on the AD end it had not been changed. So the FortiGate is able to update automatically.

  • Hi thanks for tutorial,

    Is it possible for one user on the FortiGate to use multiple Wi-Fi devices? I have a meeting room, and I can create a single
    user for the meeting room; can that user use multiple devices in the meeting room?

    Please help me 🙂

    • Victoria Martin

      Hi Zurais,

      By default, a FortiGate allows local users an unlimited number of concurrent logins, so the example you mentioned would be allowed.

      If you wish to limit how many times a user can be logged in on multiple devices, you need to use the CLI. For more information about doing this, check out our new CLI Portal: http://cli.fortinet.com/config-user-local-54/ The command for concurrent logins is the last one listed on this page.

      • Page Not Found 🙁
        I mean one user account logging in simultaneously on different devices; is it possible?

        • Victoria Martin

          The link works for me, so I’m not sure why the page won’t appear for you.

          The behaviour you are describing is the default, so yes it is possible without any additional configuration from what is shown in the recipe.

          • Thanks Victoria, it's working with "auth-concurrent-override 10" for one user to log in simultaneously on multiple devices. But this applies to all users.
            Can this be applied to only one user account?

          • Victoria Martin

            The command I linked you to earlier is for the configuration of an individual user, so using it to allow concurrent logins should only affect the account of a single user.

            Here is the link again, let me know if you are still unable to connect: http://cli.fortinet.com/config-user-local-54/
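The per-user form that Victoria is pointing at, written out as an added example rather than part of the thread. The user name "meeting-room" and the limit of 10 are assumptions; the two settings live under config user local, so they affect only the account being edited and leave every other local user at the default (unlimited) behaviour.

```text
config user local
    edit "meeting-room"
        set auth-concurrent-override enable
        set auth-concurrent-value 10
    next
end
```

Setting auth-concurrent-value to 1 on a shared account is the opposite, and more common, security use: it makes a leaked or shared credential noticeable because the second device is refused while the first session is still active.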