A Captive Portal is a convenient way to authenticate web users either on wired or WiFi networks using an HTML (web) form that requires a username and password (active authentication).
You must first create a user group and then add a user to the group. To create a new user, go to User & Authentication > Create New.
Notice there's a
guest user created by default.
Select Local User > Next.
Type Username: cp-user > type Password: fortinet > click Next.
Leave the Two-factor Authentication disabled > click Next.
Leave the User Account Status Enabled > leave the User Group disabled.
We can't create a new User Group from here since the cp-user hasn't been created and therefore not selectable yet.
To create a new User Group, go to User & Authentication > User Groups > Create new.
Notice there's Guest-group and SSO_Guest_Users created by default.
Type a Name: CP-GROUP-1 > select Type: Firewall > click add (+) in Members > select cp-user > click Close > OK.
To enable Captive Portal, go to Network > Interfaces > select port2 > click Edit (or just double-click). This would be the port for the incoming wired traffic.
Scroll down > enable Security Mode: Captive Portal > select Authentication portal: Local > select User access: Restricted to Groups > select User groups > CP-GROUP-1 > click Close > OK.
Enable the Captive Portal Disclaimer Message via CLI (for wired users).
FG-1 # config firewall policy
FG-1 (policy) # edit 1
FG-1 (1) # set disclaimer
enable Enable user authentication disclaimer.
disable Disable user authentication disclaimer.
FG-1 (1) # set disclaimer enable
FG-1 (1) # end
I tested the Captive Portal by accessing the website training.fortinet.com from 172.16.1.100 (Windows 7 VM).
You'll be redirected to FortiGate Authentication web page. Type the username: cp-user > type password: fortinet > click Continue.
Once login, a Firewall Disclaimer is presented. Click Yes, I agree to continue.
To view the Firewall User/Captive Portal logs, go to Log & Report > Events > User Events.
Notice the User Events for cp-user.
Select a specific log > click Details.
You can also view and Deauthenticate Firewall user under Dashboard > Users & Devices > click Firewall Users > Expand to full screen.
Select a specific User Name: cp-user > click Deauthenticate.
Click OK to continue.
Notice cp-user was cleared.
I refreshed the web browser in 172.16.1.100 (Windows 7 VM) but it required me to login again to the FortiGate Captive Portal.
