Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
- Fortinet Community
- Knowledge Base
- FortiAP
- Troubleshooting Tip: Captive portal showing each t...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article describes troubleshooting steps for an issue that may occur when a client connecting in a particular SSID device receives a captive portal for authentication, causing the user to have to log in to the captive portal repeatedly.
Scope
FortiGate101E v7.0.11:0489, FortiAP-431F v7.0.7:0134.
Solution
All SSIDs are authenticated by Cisco ISE. The customer can login to access the Internet or network. If a user moves from one access point to another access point, the user will need to authenticate again.
Consider a case where WiFi users are using an SSID to authenticate against a Cisco ISE RADIUS Server. It all works correctly until the user roams from one AP to another or makes a change on the channel, following which the user will be de-authenticated and the authentication portal will be shown again. This means the customers need to sign in over and over again.
Diagram:
Cisco ISE --- FortiGate --- LAN --- FortiAP
FG101E v7.0.11:0489
FAP-431F v7.0.7:0134
To reproduce the scenario:
- Connect the user to the SSID.
- Enter credentials to log in.
- After logging in successfully, move to another area to perform roaming.
- The captive portal will be shown again.
- Re-enter credentials to log in.
To resolve the issue:
Configure the 'user setting' to set the auth-timeout to 480 minutes on FortiGate through the CLI:
config user setting
set auth-timeout 480
end
If issue persists, open a new ticket to the TAC team, making reference to this article. Attach the following information:
- Run the following debug commands in the FortiGate CLI:
diagnose debug reset
diagnose debug disable
diagnose debug console timestamp enable
diagnose debug app wpad 7
diagnose debug app fnbamd -1
diagnose debug duration 0
diagnose debug enable
Reproduce the issue.
- Capture the radius packets during the test.
- After a client connects and passes authentication, collect the following debug output:
diagnose firewall auth list
diagnose wireless-controller wlac -d sta online | grep <sta_mac>
- Change the channel of the AP. If the client is asked to open the portal again, leave the page and collect the following output:
diagnose firewall auth list
diagnose wireless-controller wlac -d sta online | grep <sta_mac>
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.