FortiGate Firewall External Captive Portal with Captive WiFi

This document outlines the steps required to configure an external captive portal on a FortiGate firewall so that user traffic is redirected to the external captive portal.
Please note that this guide configures the FortiGate from new; you may need to make adjustments if this is in your live environment.
  • To find the relevant information visit Manage Venue > WiFi Hardware and take note of the Site ID
  • The WiFi URL will be https://getonline.captivewifi.io/guest/<site id> 
  1. Activate the Captive Portal: Enable the captive portal on the incoming interface (i.e., the interface receiving traffic that will be routed through the firewall to the internet).
  2. Configure the RADIUS Server: Set up the RADIUS server to handle user authentication.
  3. Set Up the Firewall Policy: Establish the appropriate firewall policy to allow internal traffic to access the internet.
Step 1: Configuring the Incoming Traffic Interface
The incoming interface is the one connected to the clients. In our case, this is the "internal" interface, which consists of five sub-interfaces: Internal1, Internal2, Internal3, Internal4, and Internal5, as illustrated below.

Next, we need to enable the captive portal on the internal interface. To do this, we must edit the interface settings, as demonstrated below:


Afterward, configure the IP addressing scheme and enable DHCP to ensure that connected clients automatically receive IP addresses, as illustrated below:



Next, we need to activate the security mode and configure the external captive portal, as depicted below:

In the external portal settings, configure the URL of the captive portal server, which in this case is the WiFi URL given at the start of this guide.
It is crucial to exempt this server URL/IP from the captive portal restrictions, allowing users to access it without any hindrances. This ensures seamless redirection to the captive portal. To implement this, enable the “Exempt destinations/services” option, then select the captive portal URL/IP along with the DNS services to ensure proper resolution.

Step 2: Configuring the RADIUS Server
To authenticate users via the RADIUS server, the captive portal must be configured accordingly, as shown below:

First, we need to add the RADIUS server to the FortiGate firewall. This can be done through the “User & Authentication” menu, followed by selecting “RADIUS Server,” as shown below:


Next, the credentials for the RADIUS server are entered. The RADIUS server URL is radius.captivewifi.io, and its credentials must also be

IP/Name: radius.captivewifi.io
Secret: Please speak to support@captivewifi.io to confirm this information

After entering the RADIUS server details, it is important to verify that the connectivity status with the server is OK. FortiGate will use the provided credentials to perform connectivity tests. Once these tests are successful, the RADIUS server user group can be referenced in the captive portal settings as described earlier.
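
The CLI equivalent of Steps 1 and 2, as an added example that is not part of the original guide: the object names (captivewifi-portal, internal-exempt-list, captivewifi-radius, captivewifi-guests) are hypothetical, the secret and site ID are placeholders, and keyword availability should be checked against your FortiOS version. IP addressing and DHCP are omitted because the guide gives no values for them.

```fortios
# Address object for the portal host so it can be exempted (hypothetical name)
config firewall address
    edit "captivewifi-portal"
        set type fqdn
        set fqdn "getonline.captivewifi.io"
    next
end
# Exemptions: the portal host and DNS must be reachable before authentication
config user security-exempt-list
    edit "internal-exempt-list"
        config rule
            edit 1
                set dstaddr "captivewifi-portal"
            next
            edit 2
                set service "DNS"
            next
        end
    next
end
# Step 2: RADIUS server and the user group that references it
config user radius
    edit "captivewifi-radius"
        set server "radius.captivewifi.io"
        set secret <shared-secret-from-support>
    next
end
config user group
    edit "captivewifi-guests"
        set member "captivewifi-radius"
    next
end
# Step 1: external captive portal on the client-facing interface
config system interface
    edit "internal"
        set security-mode captive-portal
        set security-external-web "https://getonline.captivewifi.io/guest/<site id>"
        set security-exempt-list "internal-exempt-list"
        set security-groups "captivewifi-guests"
    next
end
```

Keeping the exempt list limited to the portal host and DNS means every other destination stays behind authentication.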

Step 3: Configuring the Traffic Policy

The traffic policy should be configured to allow traffic from the incoming interface (i.e., Internal) to pass through the WAN interface, which in this case is WAN1. Additionally, enable the NAT option to translate private IP addresses into public IP addresses. This configuration can be done via the “Policy & Objects” menu, then selecting “Firewall Policy,” as shown below:

The policy can be created as shown below:

In the screenshot above, we see that traffic from the “Internal” interface is permitted to exit through the “WAN1” interface. The policy allows all services and destinations, with NAT enabled. This configuration enables users to access the internet, but they will be redirected to the captive portal server upon their initial login (which we configured in the interface settings for the “Internal” interface).

