FortiGate External Captive WiFi Portal Setup Guide

Complete Configuration Guide for IT Engineers


1. Overview

This guide provides step-by-step instructions for configuring a FortiGate firewall to work with an external captive portal for guest WiFi authentication. The configuration creates a secure, isolated guest network that routes users through a cloud-based captive portal for authentication before granting internet access.

What This Guide Covers

  • Creating a dedicated Guest VLAN with appropriate addressing

  • Configuring RADIUS authentication for the captive portal

  • Setting up the external captive portal redirect

  • Creating exempt destinations for portal functionality

  • Configuring the wireless SSID

  • Setting up firewall policies for guest traffic


2. Prerequisites

Before You Begin

  1. Administrative access to the FortiGate firewall

  2. FortiGate with integrated wireless controller or managed FortiAPs

  3. Your Site ID from the Captive WiFi portal (found in WiFi Hardware section)

  4. RADIUS shared secret (contact support via live chat or support@captivewifi.io)

  5. Planned IP addressing scheme for the guest network

Required Server Addresses

You will need the following addresses during configuration:

Service                  Address
Portal Server IP         138.68.152.191
Images Server IP         5.101.109.44
Digital Ocean Storage    captivewifi.fra1.digitaloceanspaces.com
Portal Domain            getonline.captivewifi.io
Primary RADIUS Server    radius.captivewifi.io
Secondary RADIUS Server  radius2.captivewifi.io


3. Enable Wireless Open Security

Before configuring the SSID, you must enable the Wireless Open Security feature in FortiOS.

  1. Navigate to System > Feature Visibility

  2. Scroll down to find Wireless Open Security

  3. Toggle the switch to Enabled

  4. Click Apply

Note: This feature must be enabled to allow Open security mode on wireless SSIDs, which is required for captive portal authentication.


4. Create the Guest VLAN Interface

The Guest VLAN provides network isolation for guest users and enables the captive portal functionality.

4.1 Create the VLAN Interface

  1. Navigate to Network > Interfaces

  2. Click Create New > Interface

  3. Configure the following settings:

Setting           Value
Name              Guest_Wifi
Type              VLAN
Interface         Your FortiLink or other parent interface (the trunk that carries the guest VLAN from the FortiAPs or switches)
VLAN ID           172 (or your preferred VLAN ID)
Role              LAN
Addressing Mode   Manual
IP/Netmask        172.16.1.1/255.255.248.0 (adjust to your network plan; this address is the guest default gateway used by the DHCP server in 4.3 and the CLI in Appendix A)

4.2 Configure Administrative Access

Under Administrative Access, enable the following:

  • RADIUS Accounting (required: this makes the FortiGate accept RADIUS accounting packets, UDP 1813, on this interface, which the captive portal relies on for session management)

  • PING (recommended for troubleshooting)

  • Security Fabric Connection (only if this interface participates in the Security Fabric)

Important: RADIUS Accounting must be enabled on the VLAN interface for the captive portal to track user sessions properly. Leave HTTP, HTTPS and SSH management access disabled on this interface: unauthenticated guests must not be able to reach the FortiGate's administrative services.

4.3 Configure DHCP Server

  1. Enable DHCP Server

  2. Configure the following:

Setting           Value
Address Range     172.16.1.2 - 172.16.7.254 (adjust to your subnet; the range must lie inside the interface subnet and exclude the interface IP)
Netmask           255.255.248.0
Default Gateway   Same as the interface IP (172.16.1.1 in this example)
Lease Time        3600 seconds (a short lease suits a guest network with high device turnover)

4.4 Configure DNS (Optional)

For content-filtered guest access using Cloudflare Family DNS:

Setting        Value
DNS Server     Specify
DNS Server 1   1.1.1.3
DNS Server 2   1.0.0.3

Note: Cloudflare's 1.1.1.3 and 1.0.0.3 provide family-friendly DNS filtering, blocking malware and adult content. This is optional but recommended for guest networks.

4.5 Configure Captive Portal Settings

Under the Network section of the interface:

Setting                         Value
Device Detection                Enabled
Security Mode                   Captive Portal
Authentication Portal           External
External Portal URL             https://getonline.captivewifi.io/guest/<YOUR_SITE_ID>
User Access                     Restricted to Groups
User Groups                     Your Captive WiFi user group (created in Section 6)
Redirect after Captive Portal   Specific URL
Redirect URL                    The Connected Page link from your Captive WiFi Dashboard

Important: Replace <YOUR_SITE_ID> with your actual Site ID from the Captive WiFi portal's WiFi Hardware section.

Set the Redirect URL to the Connected Page link, which is shown under Splash Design in the Captive WiFi Dashboard. If the user group from Section 6 does not exist yet, save the interface with the other settings now and return to select the group after creating it.

Click OK to save the interface.


5. Configure RADIUS Servers

RADIUS servers handle the authentication between the FortiGate and the captive portal backend.

5.1 Create Primary RADIUS Server

  1. Navigate to User & Authentication > RADIUS Servers

  2. Click Create New

  3. Configure the following:

Setting                    Value
Name                       CaptiveWifi-Primary
Primary Server IP/Name     radius.captivewifi.io
Primary Server Secret      Your RADIUS shared secret
Secondary Server IP/Name   radius2.captivewifi.io
Secondary Server Secret    Your RADIUS shared secret
Authentication Method      Default
NAS IP                     Leave as default or set to the FortiGate WAN IP (the address the portal sees the FortiGate's RADIUS requests coming from)

  4. Click Test Connectivity to verify the connection

  5. Click OK to save

Note: Contact support via live chat or support@captivewifi.io to obtain your RADIUS shared secret. Treat the secret as a credential: it is the only thing that authenticates RADIUS replies to the FortiGate, so anyone holding it can forge an Access-Accept. Do not reuse it across sites or leave it in shared scripts or tickets.


6. Create User Group

The user group links authenticated captive portal users to firewall policies.

6.1 Create the Captive WiFi User Group

  1. Navigate to User & Authentication > User Groups

  2. Click Create New

  3. Configure the following:

Setting   Value
Name      Captive_Guest_Wifi_UG
Type      Firewall

  4. Under Remote Groups, click Add

  5. Select your RADIUS server (CaptiveWifi-Primary)

  6. Set Groups to Any

  7. Click OK to save


7. Create Address Objects

Address objects define the exempt destinations that must be accessible before authentication (for the captive portal to function).

7.1 Create Required Address Objects

Navigate to Policy & Objects > Addresses and create the following:

Portal Server IP

Setting      Value
Name         Captive_Portal_Server
Type         Subnet
IP/Netmask   138.68.152.191/32
Interface    Any

Images Server IP

Setting      Value
Name         Captive_Wifi_Images
Type         Subnet
IP/Netmask   5.101.109.44/32
Interface    Any

Digital Ocean Storage

Setting      Value
Name         Captive_Wifi_Digital_Oceans
Type         FQDN
FQDN         captivewifi.fra1.digitaloceanspaces.com
Interface    Any

Portal Domain

Setting      Value
Name         Captive_Portal_Domain
Type         FQDN
FQDN         getonline.captivewifi.io
Interface    Any

DNS servers (for pre-auth resolution)

Create one object per DNS server handed out in Section 4.4, then put them in an address group (Policy & Objects > Addresses > Create New > Address Group):

Setting      Value
Name         DNS_Server_1
Type         Subnet
IP/Netmask   1.1.1.3/32
Interface    Any

Setting      Value
Name         DNS_Server_2
Type         Subnet
IP/Netmask   1.0.0.3/32
Interface    Any

Setting      Value
Name         DNS_Servers
Type         Address Group
Members      DNS_Server_1, DNS_Server_2

Important: Do not use 0.0.0.0/0 as the DNS exempt destination. The exempt list is consulted before authentication, so an entry covering every destination (with the service left at ALL) lets unauthenticated guests reach the whole internet and defeats the captive portal. Even with specific servers, exempted DNS is an unauthenticated path out of the guest network, which is why the filtered resolvers from Section 4.4 are recommended and why the exemption should be limited to the DNS service in Section 7.2.

Note: FQDN objects are resolved by the FortiGate's own DNS settings, and traffic is only exempted for the addresses the FortiGate has resolved. If guests use resolvers that return different addresses for the same name, exempted traffic can miss; pointing the FortiGate and the guest DHCP scope at the same resolvers avoids this.

7.2 Add Exempt Destinations to VLAN Interface

  1. Return to Network > Interfaces

  2. Edit the Guest_Wifi interface

  3. Under Exempt Destinations/Services, add:

    • Captive_Portal_Server

    • Captive_Portal_Domain

    • Captive_Wifi_Digital_Oceans

    • Captive_Wifi_Images

    • DNS_Servers (the address group or objects for your DNS servers), with Service set to DNS rather than ALL so that only name resolution is exempt before authentication

  4. Click OK to save


8. Configure the Wireless SSID

Create the guest WiFi SSID that will be broadcast to users.

8.1 Create the SSID

  1. Navigate to WiFi & Switch Controller > SSIDs

  2. Click Create New > SSID

  3. Configure the following:

Basic Settings

Setting          Value
Name             _Guest_Free_Wifi (or your preferred name)
Type             WiFi SSID
Traffic Mode     Bridge
SSID             Guest Free Wifi (the name users will see)
Broadcast SSID   Enabled

Security Mode Settings

Setting          Value
Security Mode    Open

Note: Open security is required because authentication is handled by the external captive portal rather than by WPA/WPA2. An open SSID carries guest traffic unencrypted over the air, so the isolation controls below (intra-SSID blocking, a dedicated VLAN and the firewall policies in Section 9) are the only separation between guests.

Additional Settings

Setting                    Value
Block Intra-SSID Traffic   Enabled
Optional VLAN ID           172 (must match your Guest VLAN ID)
Schedule                   Always

Important: Enabling "Block Intra-SSID Traffic" prevents guest users from communicating with each other, which is an important security measure for public WiFi networks. Because the SSID is in Bridge mode, the FortiAP tags guest frames with VLAN 172; the switch port or FortiLink trunk behind the AP must carry that VLAN to the Guest_Wifi interface.

Click OK to save.


9. Configure Firewall Policies

Firewall policies control traffic flow for guest users.

9.1 Guest to Internet Policy

This policy allows authenticated guest users to access the internet.

  1. Navigate to Policy & Objects > Firewall Policy

  2. Click Create New

  3. Configure the following:

Setting              Value
Name                 Guest_to_WAN
Incoming Interface   Guest_Wifi
Outgoing Interface   wan (your WAN interface)
Source               all
Destination          all
Schedule             Always
Service              ALL
Action               ACCEPT
NAT                  Enabled

Note: Authentication is enforced by the captive portal on the Guest_Wifi interface, so this policy only carries traffic from clients that have already authenticated; clients that have not are limited to the exempt destinations from Section 7. If you already have a policy from "any" to your WAN interface, it will also match Guest VLAN traffic, so check that it NATs outbound traffic and applies the security profiles you want for guests.

9.2 Block Guest Access to Internal Networks (If Required)

FortiGate denies any traffic that matches no policy, so guests cannot reach your LAN or VPN interfaces unless a policy allows it. This step is needed when a broad existing policy (for example one with incoming interface "any") would otherwise let Guest_Wifi traffic reach VPN tunnels or internal networks:

  1. Create a new firewall policy

  2. Configure the following:

Setting                 Value
Name                    Guest_VPN_Block
Incoming Interface      Guest_Wifi
Outgoing Interface      Your VPN tunnel and internal LAN interfaces
Source                  all
Destination             all
Schedule                Always
Service                 ALL
Action                  DENY
Log Violation Traffic   Enabled (recommended)

Important: Policy order matters in FortiGate; policies are evaluated top-down and the first match wins. This DENY policy must sit above any ACCEPT policy that could match the same traffic, otherwise it never fires. Drag it above Guest_to_WAN and any "any"-interface policies in the policy list, then confirm the order in Policy & Objects > Firewall Policy.
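The exempt-list rules from Section 7 and the policy-order rule above are easy to get wrong and hard to see in the GUI. The following Python script is an added example (not Captive WiFi's or Fortinet's code) that parses a FortiOS configuration export in its config/edit/set/next/end format and flags two of those mistakes: an exempt destination that covers every address with service ALL, and a DENY policy that sits below an ACCEPT policy matching the same interface pair. The embedded configuration is constructed for the example and deliberately contains both mistakes; the interface, address and policy names mirror this guide. Run it against the output of `show` from your own FortiGate.

```python
"""Added example: audit a FortiOS config export for the captive-portal pitfalls in this guide."""
import shlex

# Constructed sample export, not a dump from a real device. It carries two deliberate
# mistakes: the exempt list references a 0.0.0.0/0 address object with service ALL,
# and Guest_VPN_Block sits below an ACCEPT policy that already matches the same traffic.
SAMPLE_CONFIG = """
config system interface
    edit "Guest_Wifi"
        set security-mode captive-portal
        set security-exempt-list "Guest_Wifi-exempt-list"
    next
end
config firewall address
    edit "Captive_Portal_Server"
        set subnet 138.68.152.191 255.255.255.255
    next
    edit "DNS_Servers"
        set subnet 0.0.0.0 0.0.0.0
    next
end
config user security-exempt-list
    edit "Guest_Wifi-exempt-list"
        config rule
            edit 1
                set dstaddr "Captive_Portal_Server"
                set service "ALL"
            next
            edit 2
                set dstaddr "DNS_Servers"
                set service "ALL"
            next
        end
    next
end
config firewall policy
    edit 1
        set name "Guest_to_WAN"
        set srcintf "Guest_Wifi"
        set dstintf "any"
        set action accept
        set nat enable
    next
    edit 2
        set name "Guest_VPN_Block"
        set srcintf "Guest_Wifi"
        set dstintf "vpn_hq"
        set action deny
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' text into nested dicts, keeping file order."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]  # values kept as a list: many fields are multi-valued
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root


def _covers_everything(addr_name, addresses):
    """True for the built-in 'all' object or any object whose subnet is 0.0.0.0/0."""
    if addr_name == "all":
        return True
    return addresses.get(addr_name, {}).get("subnet") == ["0.0.0.0", "0.0.0.0"]


def _overlap(a, b):
    """Two interface lists can match the same packet if either says 'any' or they intersect."""
    return "any" in a or "any" in b or bool(set(a) & set(b))


def audit(config_text):
    """Return a list of findings; an empty list means the checks passed."""
    cfg = parse_fortios(config_text)
    findings = []
    addresses = cfg.get("firewall address", {})
    exempt_lists = cfg.get("user security-exempt-list", {})
    # 1. An exempt rule reaching every destination with every service lets guests
    #    use the internet without ever authenticating.
    for iface, props in cfg.get("system interface", {}).items():
        if props.get("security-mode") != ["captive-portal"]:
            continue
        for list_name in props.get("security-exempt-list", []):
            for rid, rule in exempt_lists.get(list_name, {}).get("rule", {}).items():
                bypass = any(_covers_everything(d, addresses) for d in rule.get("dstaddr", []))
                if bypass and rule.get("service", ["ALL"]) == ["ALL"]:
                    findings.append(f"{iface}: exempt rule {rid} bypasses the captive portal")
    # 2. Policies are evaluated top-down: a DENY below an ACCEPT that already matches
    #    the same interface pair never fires.
    seen_accepts = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action") == ["deny"]:
            for apid, apol in seen_accepts:
                if _overlap(apol["srcintf"], pol["srcintf"]) and _overlap(apol["dstintf"], pol["dstintf"]):
                    findings.append(f"policy {pid} (DENY) is shadowed by policy {apid} (ACCEPT)")
        elif pol.get("action") == ["accept"]:
            seen_accepts.append((pid, pol))
            if "Guest_Wifi" in pol.get("srcintf", []) and pol.get("nat") != ["enable"]:
                findings.append(f"policy {pid}: guest egress without NAT")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The parser keeps entries in file order, which is the order the FortiGate evaluates policies in, so the shadowing check needs no extra sorting. Extend audit() with further checks as your policy set grows, for example that no ACCEPT policy from Guest_Wifi reaches an internal LAN interface.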


10. Testing the Configuration

10.1 Pre-Flight Checks

Before testing with a device, verify:

  1. The Guest VLAN interface shows as UP in Network > Interfaces

  2. The SSID is broadcasting (check WiFi & Switch Controller > SSIDs)

  3. RADIUS server connectivity is successful (test from User & Authentication > RADIUS Servers)

  4. Address objects resolve correctly (for FQDN objects, check Policy & Objects > Addresses)

10.2 End-to-End Test

  1. Connect a test device to the guest WiFi network

  2. Verify the device receives a DHCP address in the correct range

  3. Open a web browser and navigate to a plain http:// website. HTTPS sites cannot be redirected without a certificate error, so use an HTTP URL or rely on the device's own captive portal detection, which probes an HTTP URL automatically

  4. Confirm you are redirected to the captive portal login page

  5. Complete the authentication process

  6. Verify internet access is granted after authentication

  7. Check FortiView > Sources or Log & Report to confirm user sessions are being tracked

10.3 Common Test Points

Test                 Expected Result
DHCP Lease           IP in the range 172.16.1.2 - 172.16.7.254 (per your configuration)
Pre-auth DNS         Hostnames such as getonline.captivewifi.io resolve before authentication (nslookup from the test device succeeds)
Pre-auth isolation   Before authentication only the exempt destinations are reachable; an http:// site is redirected and other traffic times out
Portal Redirect      Automatic redirect to getonline.captivewifi.io
Post-auth Internet   Full internet access
Session Tracking     User appears in active sessions


11. Troubleshooting

Portal Page Not Loading

  • Verify exempt destinations are correctly configured on the VLAN interface

  • Check that FQDN address objects are resolving (may take a few minutes after creation)

  • Ensure DNS is working for pre-authenticated clients

  • Test connectivity to portal IPs: 138.68.152.191 and 5.101.109.44

Users Not Redirected to Portal

  • Confirm Security Mode is set to "Captive Portal" on the VLAN interface

  • Verify the external portal URL is correct and includes your Site ID

  • Check that the SSID is tagged with the correct VLAN ID

  • Ensure "Wireless Open Security" feature is enabled

Authentication Failing

  • Test RADIUS server connectivity from the FortiGate

  • Verify the RADIUS shared secret is correct

  • Check that the user group is properly linked to the RADIUS server

  • Review logs in Log & Report > Events for RADIUS errors

No Internet After Authentication

  • Verify firewall policies allow traffic from Guest_Wifi to WAN

  • Check that NAT is enabled on the outbound policy

  • Ensure no DENY policies are blocking the traffic

  • Verify the user is in the correct user group

Session Not Tracking

  • Confirm RADIUS Accounting is enabled on the VLAN interface

  • Verify the RADIUS server is receiving accounting packets

  • Check the RADIUS server logs for session start/stop events

RADIUS Connection Failing / Port 1812 Blocked

RADIUS requests (UDP 1812 for authentication, UDP 1813 for accounting) are sent by the FortiGate itself, so they are not subject to the firewall policies that govern guest traffic, but they can still be lost to an upstream firewall, a filtering ISP, a wrong source interface or a DNS failure. If the RADIUS connectivity test fails, work through the following checks, starting with the FortiGate's own logs and ending with the path to the Internet:

Step 1: Check FortiGate Local-In Logs

  1. Navigate to Log & Report > Local Traffic

  2. Filter for traffic on port 1812 or 1813

  3. Look for DENY entries related to RADIUS traffic

Alternatively, use the CLI to view denied local traffic (category 0 is the traffic log; local traffic is its "local" subtype):

execute log filter category 0
execute log filter field subtype local
execute log filter field action deny
execute log display

Step 2: Check Implicit Deny Logs

  1. Navigate to Log & Report > Forward Traffic

  2. Enable logging on the implicit deny policy if it is not already enabled. In the GUI, edit the Implicit Deny entry at the bottom of Policy & Objects > Firewall Policy and enable Log Violation Traffic; from the CLI:

config log setting
set fwpolicy-implicit-log enable
end

This shows guest traffic that matched no policy, which is useful for the pre-authentication checks in Section 10. RADIUS traffic the FortiGate sends itself never passes through forward policies, so it appears in the local traffic log from Step 1, not here.

Step 3: Create Local-In Policy for RADIUS (If Required)

Local-in policies filter traffic addressed to the FortiGate itself. They do not filter the RADIUS requests the FortiGate sends, and replies to those requests are matched to the existing session, so a local-in policy is rarely the cause of a failed connectivity test. One is only needed if the FortiGate must accept unsolicited RADIUS packets on an interface and you have restrictive local-in policies in place. If you do add one, limit the source to the Captive WiFi RADIUS servers rather than "all", so that the FortiGate's RADIUS ports are not reachable from the whole Internet:

config firewall local-in-policy
edit 0
set intf "wan1"
set srcaddr "CaptiveWifi_RADIUS_Servers"
set dstaddr "all"
set service "RADIUS"
set schedule "always"
set action accept
next
end

Note: Replace wan1 with your actual WAN interface name. CaptiveWifi_RADIUS_Servers is an address object or group you create for radius.captivewifi.io and radius2.captivewifi.io; the name is only an example.

Step 4: Verify RADIUS Service Object Exists

FortiOS ships with a predefined RADIUS service object (UDP 1812-1813) that the local-in policy above refers to. Ensure it is present and includes the correct ports:

  1. Navigate to Policy & Objects > Services

  2. Search for "RADIUS"

  3. Verify it includes:

    • UDP port 1812 (Authentication)

    • UDP port 1813 (Accounting)

If the object has been removed, recreate it:

config firewall service custom
edit "RADIUS"
set protocol UDP
set udp-portrange 1812-1813
next
end

Step 5: Test RADIUS Connectivity via CLI

Use the built-in diagnostic command to send a test authentication through the configured server. The scheme argument selects PAP, CHAP, MS-CHAP or MS-CHAPv2; use pap unless support tells you otherwise:

diagnose test authserver radius <server_name> <pap|chap|mschap|mschap2> <test_user> <test_password>

For example:

diagnose test authserver radius CaptiveWifi-Primary pap testuser testpass

The output shows whether a reply was received and the result. A timeout with no reply means the request is not reaching the server, the reply is not coming back, or the server discarded the request because the shared secret did not validate. An Access-Reject means the server answered but did not accept the credentials; a wrong secret can also produce this, because the server decrypts the password with its own secret.
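Section 5 and the test above both hinge on the shared secret. The following Python script is an added example, not Fortinet's or Captive WiFi's code, that reproduces the RFC 2865 PAP exchange a diagnose test authserver run performs: the client hides the password with MD5(secret + request authenticator), the server recovers it and answers with an Access-Accept or Access-Reject whose Response Authenticator is MD5 over the reply and the secret, and the client only trusts a reply whose authenticator it can recompute. The secret, test user and NAS IP are placeholders chosen for the example, and a real FortiGate request also carries attributes such as NAS-Identifier and Message-Authenticator that are omitted here.

```python
"""Added example: the RADIUS PAP exchange behind 'diagnose test authserver', in pure Python."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Encode one RFC 2865 attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password (what the server does)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident, user, password, secret, nas_ip, req_auth=None):
    """Client side: a fresh random Request Authenticator seeds the password hiding."""
    req_auth = req_auth or os.urandom(16)
    attrs = _attr(USER_NAME, user)
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    attrs += _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(request, secret, users):
    """Toy RADIUS server: check the PAP credentials and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], _parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"")
    ok = users.get(user) == reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(resp_code, ident, response_authenticator(resp_code, ident, req_auth, b"", secret), b"")


def verify_response(response, request, secret):
    """Client side: return the reply code only if its authenticator matches our secret, else None."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return code if response[4:20] == expected else None


if __name__ == "__main__":
    # Constructed values: the secret, user and NAS IP are placeholders, not Captive WiFi's.
    secret, users = b"example-shared-secret", {b"testuser": b"testpass"}
    req = build_access_request(7, b"testuser", b"testpass", secret, "203.0.113.10")
    print("right secret:", verify_response(server_handle(req, secret, users), req, secret))
    print("wrong secret on server:", verify_response(server_handle(req, b"wrong", users), req, secret))
```

With matching secrets the client sees code 2 (Access-Accept). When the two sides disagree on the secret the server decrypts garbage, answers Access-Reject, and the client cannot even validate that reply, which is why a secret mismatch shows up as a reject or a silent timeout rather than a clear error message.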

Step 6: Packet Capture for RADIUS Traffic

If issues persist, capture RADIUS traffic to identify where it's being blocked:

diagnose sniffer packet any "port 1812 or port 1813" 4 0 l

Verbose level 4 prints each packet's headers together with the interface it was seen on (use 6 to include the payload); a count of 0 captures until stopped and l stamps packets with local time. Look for:

  • Outgoing requests to radius.captivewifi.io

  • Whether responses are being received

  • Any connection timeouts

Press Ctrl+C to stop the capture.

Step 7: Check Upstream Firewall/ISP

If the FortiGate sits behind another firewall, or the ISP filters traffic:

  • Verify that UDP 1812 and 1813 are permitted outbound to radius.captivewifi.io and radius2.captivewifi.io, and that the replies are allowed back

  • Confirm the FortiGate can resolve both RADIUS hostnames (execute ping radius.captivewifi.io from the CLI shows the address it resolves to)

  • Some ISPs block these ports; contact your ISP if external blocking is suspected


12. Quick Reference

Key Configuration Summary

Component        Setting            Value
VLAN Interface   Name               Guest_Wifi
VLAN Interface   VLAN ID            172
VLAN Interface   Security Mode      Captive Portal
VLAN Interface   Auth Portal        External
SSID             Security Mode      Open
SSID             VLAN ID            172
SSID             Block Intra-SSID   Enabled
RADIUS           Primary            radius.captivewifi.io
RADIUS           Secondary          radius2.captivewifi.io
Portal URL       Format             https://getonline.captivewifi.io/guest/<SITE_ID>
Redirect URL     Post-auth          https://getonline.captivewifi.io/connect

Support Contacts

  • RADIUS Secret Requests: Live chat or support@captivewifi.io

  • Site ID Location: Captive WiFi Portal > WiFi Hardware section


Appendix A: CLI Commands Reference

For engineers who prefer CLI configuration, here are the key commands:

Create VLAN Interface

config system interface
edit "Guest_Wifi"
set vdom "root"
set ip 172.16.1.1 255.255.248.0
set allowaccess ping radius-acct
set role lan
set device-identification enable
set interface "fortilink"
set vlanid 172
next
end

Note: Replace "fortilink" with your parent interface. The SNMP index is assigned automatically and does not need to be set.

Configure DHCP Server

config system dhcp server
edit 1
set interface "Guest_Wifi"
set default-gateway 172.16.1.1
set netmask 255.255.248.0
set lease-time 3600
set dns-service specify
set dns-server1 1.1.1.3
set dns-server2 1.0.0.3
config ip-range
edit 1
set start-ip 172.16.1.2
set end-ip 172.16.7.254
next
end
next
end

Note: Use a DHCP server ID that is not already in use on your FortiGate (edit 0 picks the next free one).

Configure RADIUS Server

config user radius
edit "CaptiveWifi-Primary"
set server "radius.captivewifi.io"
set secret <YOUR_RADIUS_SECRET>
set secondary-server "radius2.captivewifi.io"
set secondary-secret <YOUR_RADIUS_SECRET>
next
end

Create User Group

config user group
edit "Captive_Guest_Wifi_UG"
set member "CaptiveWifi-Primary"
next
end

Configure Captive Portal on Interface

config system interface
edit "Guest_Wifi"
set security-mode captive-portal
set security-external-web "https://getonline.captivewifi.io/guest/<YOUR_SITE_ID>"
set security-groups "Captive_Guest_Wifi_UG"
set security-redirect-url "<YOUR_CONNECTED_PAGE_URL>"
next
end

Note: security-external-web is the portal URL; security-redirect-url is the post-authentication Connected Page link from Section 4.5, not the portal URL. Exempt destinations added in the GUI (Section 7.2) appear in the configuration as a security-exempt-list entry referenced from this interface; inspect it with show user security-exempt-list.

Document Version: 1.0
Last Updated: December 2024

