Set Up a Captive Portal

A captive portal intercepts a client's first HTTP request and redirects it to a login or agreement page. It is common for guest Wi-Fi (users must accept terms of use) and paid Wi-Fi (users must enter a voucher code).

Portal Options

  • FortiGate-Hosted — FortiGate serves the login page directly. Easiest.
  • External Portal — redirect to your own portal (e.g. WordPress, Mikrotik UserManager, ExpressFi). More control but requires external infrastructure.
  • Disclaimer Only — just a "click to accept" page; no actual login.

Before You Start

  • An SSID configured (see Create an SSID) with security mode = Captive Portal.
  • User group for guest accounts OR a static disclaimer-only flow.
  • For external portal: your portal's URL and any required keys.

Steps

Built-in FortiGate Captive Portal

  1. WiFi & Switch Controller → SSIDs → open your guest SSID.
  2. Security Mode = Captive Portal.
  3. Portal Type:
    • Authentication — username/password.
    • Disclaimer + Authentication — terms-of-use + login.
    • Disclaimer Only — just click-to-accept.
  4. User Groups — the groups whose users may log in.
  5. Authentication Portal = Local (FortiGate-hosted).
  6. Optional: Override Authentication Portal — pick a custom replacement message / theme.
  7. OK.

External Portal

  1. Security Mode = Captive Portal.
  2. Authentication Portal = External.
  3. Portal URL — your portal's URL (e.g. https://portal.example.com/login).
  4. FortiGate redirects unauthorized clients with parameters in the URL (MAC, IP, etc.).
  5. Your portal authenticates and redirects back to a "success" URL via the FortiGate's API.

This requires integration code on the portal side.

Custom replacement messages

To customize the FortiGate-hosted page (logo, colors, text):

  1. System → Replacement Messages.
  2. Find the Captive Portal section.
  3. Edit HTML/CSS of disclaimer.htm, login.htm, etc.

CLI Equivalent

config wireless-controller vap
edit "guest-wifi-ssid"
    set security captive-portal
    set selected-usergroups "Guest-Users"
    set portal-type auth
next
end

Verify

Connect a phone/laptop to the guest SSID. Open a browser → should redirect to portal. Authenticate → should pass through to internet.

Common Issues

  • No redirect / direct internet access. The firewall policy allows traffic without the portal. The policy must require authentication.
  • HTTPS sites don't redirect to portal. The captive portal can only intercept HTTP. Modern devices try HTTP first to detect captive portals (captive.apple.com, connectivitycheck.gstatic.com); FortiGate intercepts these requests and redirects them. If these probes fail, the portal does not appear.
  • External portal doesn't work. The callback URL is wrong, or HMAC validation is failing. Check the external portal's logs.
  • Browser keeps showing portal page. Cookie / session issue. Clear cookies, reconnect.
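
The Verify step and the first two issues above can be checked from an unauthenticated client on the guest SSID by sending the same plain-HTTP probes that devices use and classifying the replies. This is an added example, not FortiGate code. The probe paths are the standard Android and Apple ones, the function names are hypothetical, and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

# OS connectivity probes (plain HTTP) and the reply each expects on an open network.
# Hostnames are from the page; the paths are the standard Android/Apple probe paths.
PROBES = {
    "http://connectivitycheck.gstatic.com/generate_204": (204, ""),
    "http://captive.apple.com/hotspot-detect.html": (200, "Success"),
}

def classify(url, status, location="", body=""):
    """Return 'portal', 'open' or 'unknown' for one probe response."""
    want_status, want_body = PROBES[url]
    redirect_host = urlsplit(location).hostname
    if status in (301, 302, 303, 307, 308) and redirect_host:
        # A redirect to another host means the request was intercepted.
        if redirect_host != urlsplit(url).hostname:
            return "portal"
    if status == want_status and want_body in body:
        return "open"      # answered by the real server: no portal in the path
    if status == 200:
        return "portal"    # login page served in place of the expected reply
    return "unknown"

def probe(url, timeout=5):
    """Send one live probe without following redirects."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, 80, timeout=timeout)
    try:
        conn.request("GET", parts.path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", ""), resp.read(4096).decode("latin-1")
    finally:
        conn.close()

def verdict(states):
    """Summarise probe states for a client that has NOT authenticated yet."""
    if "open" in states:
        return "FAIL: unauthenticated client reached the internet"
    if states and all(s == "portal" for s in states):
        return "OK: portal enforced"
    return "INCONCLUSIVE: probes failed, so devices will not show the portal"

# Constructed sample responses (not captured from a real FortiGate).
ANDROID, APPLE = PROBES
SAMPLE_ENFORCED = [classify(ANDROID, 302, "https://portal.example.com/login"),
                   classify(APPLE, 200, "", "<html>Guest login</html>")]
SAMPLE_OPEN = [classify(ANDROID, 204), classify(APPLE, 200, "", "<HTML>Success</HTML>")]

if __name__ == "__main__":
    print(verdict(SAMPLE_ENFORCED))
    print(verdict(SAMPLE_OPEN))
    # Live check from a guest client: verdict([classify(u, *probe(u)) for u in PROBES])
```

A FAIL result before login corresponds to the "No redirect / direct internet access" issue; after a successful login the same probes should classify as open.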