Captive portal WiFi access control


In this example, your employees can log on to your Wi-Fi network through a captive portal.

Captive portals are often used for public Wi-Fi networks where you want Wi-Fi users to respond to a disclaimer. Captive portals can also be used to provide unlimited access to open Wi-Fi networks.

As shown in this example, captive portals can also be used as the authentication method for restricting access to a wireless network. Some users may find it more intuitive to add their account information to a captive portal web page instead of a entering their user name and password into a wireless network configuration.

1. Create user accounts

Go to User & Device > User > User Definition and create a Local user.

Create additional users as needed. You can use any authentication method.

2. Create a user group

Go to User & Device > User > User Groups.

Create a user group for employees and add the new user(s) to the group.

3. Create the SSID

Go to WiFi Controller > WiFi Network > SSID and configure your wireless network.
Configure DHCP addressing for clients.
Configure Captive Portal authentication using the employees user group.

4. Create the security policy

Create an address for your SSID, using the same IP range that was set on the DHCP server.
Go to Policy & Objects > Policy > IPv4 and create a policy allowing WiFi users to connect to the Internet. Select the employees user group as permitted Source Users.

5. Connect and authorize the FortiAP unit

Go to System > Network > Interface. Configure an interface dedicated to extension devices and assign it an IP address. 5a-interface

Connect the FortiAP unit to the interface and go to WiFi Controller > Managed Access Points > Managed FortiAPs.

The FortiAP is listed, with a yellow question mark beside it because the device is not authorized.

Highlight the FortiAP unit on the list and select Authorize. 5c-preauth
A grey check mark is now shown beside the FortiAP, showing that it is authorized but not yet online. 5c-auth

Go to WiFi Controller > WiFi Network > FortiAP Profiles and edit the profile. For each radio:

Enable Radio Resource Provision.

Select your SSID.



The user’s device shows the WiFi network as “open” and associates with it without requesting credentials. The first time that a wireless user attempts to use a web browser, the captive portal login screen is displayed. Users who are members of the employees group can log on using their username and password and proceed to access the wireless network.


Go to WiFi Controller > Monitor > Client Monitor to see connected users.

For further reading, check out Captive portals in the FortiOS 5.2 Handbook.

Fortinet Technical Documentation

Contact Fortinet Technical Documentation at
Fortinet Technical Documentation

Latest posts by Fortinet Technical Documentation (see all)

The FortiAP may not appear for a minute or two.