luccosen
New Member
June 5, 2025
Question

captive portal on fortigate to enable a policy from user logged on it...

  • 6 replies
  • 3693 views

Hello everyone,
I'm new to the forum and was wondering if it is possible to achieve what I asked in the subject.
To summarize...
The goal is to have a captive portal, on FortiGate, with local authentication, that allows me to capture the public source IP of the user, which will then be enabled in some ad-hoc policies.
The most likely use would be to access the firewall configuration interface, where the policy identifies a specific user who has just authenticated on the captive portal, coming from the Internet...
Another situation: the possibility of accessing other devices, such as video devices, with the same system...
Thanks.


Jean-Philippe_P
Staff & Editor
June 8, 2025

Hello luccosen, 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

Thanks, 

Jean-Philippe - Fortinet Community Team
luccosen (Author)
New Member
June 9, 2025

Just for information, this type of service works regularly on other brands, and I would have liked to leave this service to the customer....

thanks. 

Jean-Philippe_P
Staff & Editor
June 10, 2025

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
June 11, 2025

Hello luccosen!

I found this solution. Can you tell me if it helps, please?

To set up a captive portal on FortiGate with local authentication and use the public source IP of the user for policy enforcement, follow these steps:

  1. Configure Captive Portal:
    - Go to `Network > Interfaces`.
    - Edit the interface where users will connect (ensure the interface role is set to LAN or Undefined).
    - Enable `Security Mode` and configure the captive portal settings.
    - Specify the user group that needs to be authenticated.

  2. Create User Group:
    - Go to `User & Device > User Groups`.
    - Create a user group and add the users who will authenticate through the captive portal.

  3. Configure Firewall Policies:
    - Go to `Policy & Objects > Firewall Policy`.
    - Create a new policy to allow access to the FortiGate configuration interface or other devices.
    - Set the source interface to the one with the captive portal.
    - Set the source address to the public IP of the user (this can be dynamically updated based on the user's IP after authentication).
    - Set the destination to the FortiGate interface or the specific devices you want to allow access to.
    - Set the action to `accept` and configure any additional settings as needed.

  4. Enable Logging and Monitoring: Ensure logging is enabled for the firewall policy to monitor user access and troubleshoot if necessary.

  5. Test the Configuration: Authenticate through the captive portal and verify that the policies are applied correctly based on the user's public IP.

This setup allows you to control access based on user authentication and their public IP, enabling specific policies for accessing the FortiGate interface or other devices.

Jean-Philippe - Fortinet Community Team
luccosen (Author)
New Member
June 11, 2025

OK, but the customer has one WAN interface for the Internet connection... About your configuration: are you saying that I have to create a new interface for this service, with a new IP address? Or do I have to delete/modify the old WAN interface? Then, how can I assign the public IP of the user who is logged in? Do I have to put the user as the source?

Thanks.

Jean-Philippe_P
Staff & Editor
June 11, 2025

To implement a captive portal with local authentication on a FortiGate with a single WAN interface, follow these steps:

  1. Retain Existing WAN Interface: Do not delete or modify your existing WAN interface. You will use it for internet connectivity.

  2. Configure Captive Portal:
    - Go to `Network` -> `Interfaces`.
    - Select the interface where you want to enable the captive portal (typically a LAN interface).
    - Enable the captive portal and configure it to use local authentication.

  3. Create User Group:
    - Go to `User & Authentication` -> `User Groups`.
    - Create a user group for the users who will authenticate via the captive portal.

  4. Set Up Firewall Policies:
    - Go to `Policy & Objects` -> `IPv4 Policy`.
    - Create a policy to allow traffic from the LAN interface to the WAN interface.
    - In the policy, specify the source as the user group created earlier.
    - For the source address, you can use the public IP of the user if known, or configure the policy to allow traffic from authenticated users.

  5. Assign Public IP: If you need to assign a specific public IP to authenticated users, configure an IP pool and use it in the NAT settings of the firewall policy.

  6. Testing: Ensure that users can authenticate via the captive portal and that the correct policies are applied based on their authentication status.

This setup allows you to control access based on user authentication without needing to modify your existing WAN interface.

Does it answer your questions? :)

Jean-Philippe - Fortinet Community Team
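The two step lists above (captive portal, user group and policy, first for a dedicated interface and then for the single-WAN case) written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet. The interface names port2 and port3, the address 192.168.20.10, and the user, group and object names are hypothetical placeholders. Note how step 3/4 of the replies ("source address = the user's public IP") is expressed on a FortiGate: the policy names the authenticated *group* as its source, and the FortiGate itself keeps the binding between the logged-in user and the source IP it saw at login, so no fixed address object is needed.

```fortios
# Added example (not from the thread or from Fortinet): FortiOS CLI form of the
# GUI steps above. Interface, address, user and group names are hypothetical.

# 1. Local user and the group the captive portal authenticates against.
config user local
    edit "luciano"
        set type password
        set passwd "Use-a-long-random-passphrase"
    next
end
config user group
    edit "portal-users"
        set member "luciano"
    next
end

# 2. Captive portal on the interface the users arrive on. As in the replies this
#    is a LAN-side port; whether the same binding can be placed on the
#    WAN-facing interface is the question this thread leaves open.
config system interface
    edit "port2"
        set security-mode captive-portal
        set security-groups "portal-users"
    next
end

# Serve the portal over HTTPS only and expire idle sessions (minutes).
config user setting
    set auth-type https
    set auth-secure-http enable
    set auth-timeout 30
end

# 3. Address object for the device to be reached (a video recorder here).
config firewall address
    edit "nvr-1"
        set subnet 192.168.20.10 255.255.255.255
    next
end

# 4. Identity-based policy: the source is the authenticated group, not a fixed
#    IP. The FortiGate matches the session to the source IP recorded at login,
#    so srcaddr stays "all" and the group is what gates the traffic.
config firewall policy
    edit 10
        set name "portal-users-to-nvr"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "nvr-1"
        set groups "portal-users"
        set action accept
        set schedule "always"
        set service "HTTPS" "RTSP"
        set logtraffic all
    next
end

# 5. Verify after logging in through the portal: shows each authenticated user,
#    the group, and the source IP the session is bound to.
# diagnose firewall auth list
```

Two practitioner caveats that the replies do not mention. First, the binding is to an IP address: if several users sit behind one NAT public address, one login grants that whole address the policy's access until `auth-timeout` expires. Second, a firewall policy only governs traffic forwarded *through* the FortiGate; reaching the FortiGate's own management GUI is local-in traffic and is controlled by the interface's `allowaccess` settings and the administrator `trusthost` entries, so the "firewall configuration interface" use case is not solved by the policy alone.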
Jean-Philippe_P
Staff & Editor
June 11, 2025

Yes, it is possible to set up a user authentication portal via the existing WAN connection that captures the source IP and associates it with user policies. This can be achieved by configuring an external captive portal server using FortiAuthenticator, translating the portal URL to the FortiGate WAN IP, and setting up a Virtual IP (VIP) to map traffic to the internal IP of the captive portal server. This setup allows capturing the user's public address and associating it with user policies.

Note that these answers are from a GPT engine, sorry if it is not really accurate. If it is not, please open a TAC ticket with your configuration and they will be happy to assist you!

Jean-Philippe - Fortinet Community Team
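The VIP part of the reply above as FortiOS CLI, as an added example not taken from the thread or from Fortinet: it publishes an internal portal server on the WAN address, port 443 only, and permits nothing else inbound. The addresses 203.0.113.10 and 192.168.10.20, the interface names wan1 and internal, and the object names are hypothetical placeholders. Pointing the interface's captive portal at that server (the `security-external-web` interface setting, if the external-portal route is taken) and the return path by which FortiAuthenticator tells the FortiGate who logged in are not shown; the reply itself flags its answer as unverified and the thread ends without a confirmed configuration.

```fortios
# Added example (not from the thread or from Fortinet): publish an internal
# captive-portal server on the WAN address. All addresses and names are
# hypothetical placeholders.

# 1. Port-forwarding VIP: WAN address 203.0.113.10:443 -> portal server :443.
config firewall vip
    edit "portal-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.10.20"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# 2. Let unauthenticated Internet clients reach the portal and nothing else.
#    No group on this policy: it must be reachable before anyone has logged in.
config firewall policy
    edit 20
        set name "internet-to-portal"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "portal-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

If HTTPS administrative access is enabled on wan1, the admin GUI and this VIP would both be bound to the same address and port; move the admin port with `set admin-sport` under `config system global` or disable HTTPS in the interface's `allowaccess` before adding the VIP.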
luccosen (Author)
New Member
June 11, 2025

Thanks. I assume, then, that at the moment it is impossible to realize with only a firewall. I can try to open a TAC ticket.

Luciano.

Jean-Philippe_P
Staff & Editor
June 11, 2025

Sorry, we cannot figure it out here, Luciano. I hope it will be sorted out soon with the TAC team!

Have a good day :)

Jean-Philippe - Fortinet Community Team