FortiGate - Multiple Captive Portals - Auth-Portal Redirect
Hello,
I have come across an issue when using multiple captive portals on a FortiGate on separate interfaces (SSIDs). I have a GUEST portal and a BYOD portal, both using remote authentication.
The goal is to avoid certificate errors completely, so I have an FQDN that matches a wildcard certificate, and a local DNS record mapping each internal interface IP to its respective FQDN, with each interface configured in recursive mode (all of this works). The issue lies with the redirect once authenticated.
The only way I can get the redirect to work after successful authentication is to configure portal-addr under firewall auth-portal, pointing to a single FQDN:
config firewall auth-portal
    set portal-addr guest.fqdn.com
end
This is a global command and cannot be duplicated as far as I'm aware, so either GUEST or BYOD will work, not both at the same time.
I believe it is possible to configure the portal-addr on the interface where the captive portal is enabled; however, the redirect does not follow the configured portal-addr and instead uses the user/global one, if configured, or the IP address of the internal interface if the user/global portal-addr has been removed.
config wireless-controller vap
edit "GUEST"
set ssid "GUEST"
set security open
set external-web "https://fortiauthenticator.fqdn.com/portal/"
set captive-portal enable
set selected-usergroups "Guest"
set security-exempt-list "GUEST-exempt-list"
set auth-portal-addr "guest.fqdn.com"
set schedule "always"
next
edit "BYOD"
set ssid "BYOD"
set security open
set captive-portal enable
set selected-usergroups "SAML-GRP"
set security-exempt-list "BYOD-exempt-list"
set auth-portal-addr "byod.fqdn.com"
set schedule "always"
next
end
Has anyone experienced this issue before and is there a work around?
I have tested this on a 40F and a 60F, both running 7.4.7 (M).
Thanks
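Added example, not part of the post above and not Fortinet code: a small offline check for the behaviour described, namely whether the post-authentication redirect actually lands on the per-SSID FQDN, on the global portal-addr FQDN, or on the bare interface IP (which the wildcard certificate cannot cover). The HTTP responses below are constructed stand-ins for what a client would capture from the captive portal; the hostnames, the wildcard pattern and the redirect path are assumptions for illustration.

```python
"""Classify where a captive-portal redirect points (added example, not from the post).

Given a raw HTTP redirect as captured on a client after it authenticates,
extract the host from the Location header and compare it with the FQDN the
SSID was configured with (auth-portal-addr) and with the wildcard certificate
installed on the portal. This lets you see at a glance which of the three
outcomes described in the post you are hitting: the expected per-SSID FQDN,
another FQDN still covered by the certificate (the global portal-addr case),
or a bare IP address (certificate error).
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def location_host(raw_response: str) -> Optional[str]:
    """Return the hostname from the Location header of a 3xx response, or None."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0].split()
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return urlsplit(value.strip()).hostname
    return None


def matches_wildcard(host: str, pattern: str) -> bool:
    """True if host is covered by a certificate name such as '*.fqdn.com'.

    A leading wildcard matches exactly one DNS label (RFC 6125, section 6.4.3),
    so 'byod.fqdn.com' matches '*.fqdn.com' but 'a.b.fqdn.com' and 'fqdn.com' do not.
    """
    host = host.lower()
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".fqdn.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return label != "" and "." not in label
    return host == pattern


def classify_redirect(raw_response: str, expected_host: str, cert_pattern: str) -> str:
    """Map a captured redirect to one of four outcomes.

    'expected'               redirect goes to the SSID's own auth-portal-addr
    'other-fqdn-cert-ok'     another FQDN, but still covered by the wildcard cert
    'other-fqdn-cert-error'  an FQDN the cert does not cover
    'ip-address'             bare interface IP: the wildcard cert cannot cover it
    'no-redirect'            the response was not a 3xx with a Location header
    """
    host = location_host(raw_response)
    if host is None:
        return "no-redirect"
    try:
        ipaddress.ip_address(host)
        return "ip-address"
    except ValueError:
        pass
    if host.lower() == expected_host.lower():
        return "expected"
    if matches_wildcard(host, cert_pattern):
        return "other-fqdn-cert-ok"
    return "other-fqdn-cert-error"


# Constructed sample responses (assumed shapes, not real FortiGate captures).
REDIRECT_TO_GLOBAL = (
    "HTTP/1.1 303 See Other\r\n"
    "Location: https://guest.fqdn.com/portal?token=abc\r\n"
    "Content-Length: 0\r\n\r\n"
)
REDIRECT_TO_IP = (
    "HTTP/1.1 303 See Other\r\n"
    "Location: https://192.168.20.1/portal?token=abc\r\n"
    "Content-Length: 0\r\n\r\n"
)
REDIRECT_TO_BYOD = (
    "HTTP/1.1 303 See Other\r\n"
    "Location: https://byod.fqdn.com/portal?token=abc\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    # A BYOD client should land on byod.fqdn.com; see what each capture gives.
    for name, resp in [("global", REDIRECT_TO_GLOBAL), ("ip", REDIRECT_TO_IP), ("byod", REDIRECT_TO_BYOD)]:
        print(name, "->", classify_redirect(resp, "byod.fqdn.com", "*.fqdn.com"))
```

Run it against a redirect captured from the BYOD SSID: 'other-fqdn-cert-ok' is the symptom in the post with a global portal-addr set (no certificate error, but the wrong portal host), and 'ip-address' is the symptom after the global portal-addr is removed.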
