Captive portal WiFi access control


In this example, your employees can log on to your Wi-Fi network through a captive portal.

Captive portals are often used for public Wi-Fi networks where you want Wi-Fi users to respond to a disclaimer. Captive portals can also be used to provide unlimited access to open Wi-Fi networks.

As shown in this example, captive portals can also be used as the authentication method for restricting access to a wireless network. Some users may find it more intuitive to add their account information to a captive portal web page instead of a entering their user name and password into a wireless network configuration.

1. Create user accounts

Go to User & Device > User > User Definition and create a Local user.

Create additional users as needed. You can use any authentication method.

2. Create a user group

Go to User & Device > User > User Groups.

Create a user group for employees and add the new user(s) to the group.

3. Create the SSID

Go to WiFi Controller > WiFi Network > SSID and configure your wireless network.
Configure DHCP addressing for clients.
Configure Captive Portal authentication using the employees user group.

4. Create the security policy

Create an address for your SSID, using the same IP range that was set on the DHCP server.
Go to Policy & Objects > Policy > IPv4 and create a policy allowing WiFi users to connect to the Internet. Select the employees user group as permitted Source Users.

5. Connect and authorize the FortiAP unit

Go to System > Network > Interface. Configure an interface dedicated to extension devices and assign it an IP address. 5a-interface

Connect the FortiAP unit to the interface and go to WiFi Controller > Managed Access Points > Managed FortiAPs.

The FortiAP is listed, with a yellow question mark beside it because the device is not authorized.

Highlight the FortiAP unit on the list and select Authorize. 5c-preauth
A grey check mark is now shown beside the FortiAP, showing that it is authorized but not yet online. 5c-auth

Go to WiFi Controller > WiFi Network > FortiAP Profiles and edit the profile. For each radio:

Enable Radio Resource Provision.

Select your SSID.



The user’s device shows the WiFi network as “open” and associates with it without requesting credentials. The first time that a wireless user attempts to use a web browser, the captive portal login screen is displayed. Users who are members of the employees group can log on using their username and password and proceed to access the wireless network.


Go to WiFi Controller > Monitor > Client Monitor to see connected users.

For further reading, check out Captive portals in the FortiOS 5.2 Handbook.

Jonathan Coles

Jonathan Coles

Technical Writer at Fortinet
Jonathan Coles is part of the FortiOS Technical Documentation team in Ottawa. He has a B.A. in English from the University of Waterloo and an Electronics Technologist diploma from Conestoga College. Long ago at another company he convinced a documentation manager that he could write. After writing about telephone PBXs, text search software, cell tower planning software, and some less memorable things, he joined Fortinet around the time that FortiOS 3.0 was released.
Jonathan Coles

Latest posts by Jonathan Coles (see all)

  • Was this helpful?
  • Yes   No
The FortiAP may not appear for a minute or two.
  • Andrew McNeil

    Why can we not do email collection in this 5.6?

    • Victoria Martin

      Hi Andrew,

      You can use the email collection Captive Portal in FortiOS 5.6 by setting an interface’s Security Mode to Captive Portal and then enabling the option to Customize Portal Message. A menu will open on the right that shows the various messages that are available, including Email Collection.

  • Hitesh

    Hi All,

    I want to know I am using fortigate 600D and fortiauthenicator in my network.I have made one group in forti-authenicator and under this group 150 users are created

    But my concern is through 1 user I can access more than 10 devices.My concern is How to restrict the no. of users for the same.


    is there a way where i can create a group that can just bypass or does not have to see the authentication portal ?

    • Morlon

      Yes you can set the group under the LAN interface

  • Erkan Büyükbayraktaroğlu

    Hello there ;

    Can we perform sms verification on the authentication page?

    • Victoria Martin

      Yes, this can be added. We don’t have a recipe specifically for SMS two-factor authentication for Captive Portal, but there is a recipe when it is used for SSL VPN authentication that should be helpful:

      • Erkan Büyükbayraktaroğlu

        Thank you for feedback. How can I edit the captive portal page. Because I will put company logo and information in this page.

  • Hi thanks for tutorial,

    whether it can be one user on fortinet to multiple devices wifi? i have meeting rom, and i can create a single
    for meeting room can user multiple device in meeting room

    plase help me 🙂

    • Victoria Martin

      Hi Zurais,

      By default, a FortiGate allows local users an unlimited number of concurrent logins, so the example you mentioned would be allowed.

      If you wish to limit how many times a user can be logged in on multiple devices, you need to use the CLI. For more information about doing this, check out our new CLI Portal: The command for concurrent logins is the last one listed on this page.

      • Page Not Found 🙁
        i mean one user account login simultaneously on different devices, it’s possible ?

        • Victoria Martin

          The link works for me, so I’m not sure why the page won’t appear for you.

          The behaviour you are describing is the default, so yes it is possible without any additional configuration from what is shown in the recipe.

  • Dinusha Madusanka Chandrasingh

    after renaming user name in AD . Is fortigate able to change old user name automatically or should we delete previous username.

    • Adam Bristow

      Hello Dinusha, thanks for your question.

      The answer is similar, depending on your setup:

      – If users on the AD server have not been imported to the FortiGate, then the FortiGate is only referencing the AD server when a request is made (i.e. when the user attempts to log in). In this case, the username can be changed on the AD server, and the user should be made aware of the change.

      – If users on the AD server have been imported into the FortiGate, and users are now stored on and being referenced from the FortiGate, then the user still needs to be made aware of the change, but no further changes need to be made (providing that username requests only occur from the FortiGate, not the AD server, as they will not match).

      I hope this is helpful!


      • Dinusha Madusanka Chandrasingh

        thank you Bristow, I checked with firewall problem was at the AD they still didn’t change account ID from their end. fortigate showing his ID as example23 but his real ID should be example22. but AD end they were not change.So fortigate able update automatically.

  • Lizes1

    Bow time is for the wife in the environment. People us eat for their net searching or work. This wig if is now necessary and part and parcel for the life spending. People feel uncomfortable if they did not find such facility in their area.

  • Alex Morales

    Hi Jonathan, thanks for the input,

    As he edited the captive portal? to change the image and text that comes by default

    Thank you

    Alex Morales

    • Adam Bristow

      Hello Alex,

      You can change the image and text for the Captive Portal logon by going to System > Replacement Messages. From here, you can make changes to a variey of authentication settings, including Login Page.

      I hope this is helpful!


      • Alex Morales

        Excellent I was very useful, thanks for the help

  • Jo

    thanks ! it works well but i have now a certificate problem
    because my certificate verify a fqdn adress and not a ip address
    how can i define a fqdn adress for my captive portal ?
    based on you example, i would like my browser show me… instead if…
    thank you

    • jcoles

      You can configure the FQDN for the portal in the CLI like this:

      config firewall auth-portal
      set portal-addr “”