FortiGate
pjang
Staff & Editor
Article Id 422963
Description

 

This article describes how to configure a basic NAC policy setup on the FortiGate and managed FortiSwitch that allows users to authenticate to a captive portal and be assigned to a corresponding VLAN.

 

Scope

 

FortiGate, FortiSwitch, NAC Policy.

 

Solution

 

In this configuration, clients connected to the FortiSwitch are initially placed into an onboarding VLAN and will receive an IP address via DHCP. From there, the captive portal can be triggered on the client device, prompting the user to authenticate to the FortiGate. Based on the user group that is matched, the client's FortiSwitch port will be 'bounced' and the device is reassigned to the VLAN associated with that user group.

 

Configuration:

This article assumes that the User Groups to which users will authenticate have already been configured on the FortiGate. For guidance on creating users and groups on the FortiGate, refer to the following documentation in the FortiGate Admin Guide: User definition, groups, and settings.

 

  1. Navigate to Network -> Interfaces, then select Create new to configure a new VLAN interface as the onboarding VLAN. Ensure that the following settings are configured on the interface:
    • IP/Netmask.
    • Enable DHCP Server functionality.
    • Enable Security mode and set to Captive Portal. Set User access to Restricted to Groups, then specify the list of User groups that may authenticate to the captive portal.
      • Users will be moved to an appropriate VLAN based on the matched user group.
      • The Restricted to Groups option ensures that a username/password prompt is present, otherwise only a captive portal disclaimer will be presented to users.
    • Alternatively, the _onboarding.fortilink (onboarding) VLAN 4089 is pre-configured on FortiGates with FortiLink interfaces and may be used as the onboarding VLAN instead.

 

Onboarding VLAN - IP_Netmask.png

 

Onboarding VLAN - DHCP Server.png

 

Onboarding VLAN - Captive Portal.png

 

  2. Next, navigate to Policy & Objects -> Firewall Policy and add a new policy to specifically allow DNS traffic for clients in the onboarding VLAN. It is recommended to also enable Exempt from captive portal for this policy, though depending on the FortiOS version this is not strictly necessary (see also: Technical Tip: DNS traffic is allowed through captive portal without authentication).
    • Devices on the onboarding VLAN must be able to reach DNS so that web requests can be made (which in turn trigger the captive portal redirection).
    • Ensure that the Firewall Policy is adjusted so that users can reach the DNS server received from DHCP. The example policy below uses 'any' as the Outgoing Interface for ease of demonstration, but this should be limited to the specific LAN or WAN interfaces required to reach the configured DNS server.

 

Firewall Policy - Allow DNS.png

 

CLI Equivalent:

config firewall policy
    edit 13
        set name 'NAC_Onboard_Allow_DNS'
        set srcintf 'VLAN800'
        set dstintf 'any'
        set action accept
        set srcaddr 'all'
        set dstaddr 'all'
        set schedule 'always'
        set service 'DNS'
        set logtraffic all
        set nat enable
    next
end

 

  3. Navigate to WiFi & Switch Controller -> NAC Policies and modify the initial onboarding rule under the FortiSwitch Onboarding VLAN and VLAN Segmentation banner. Set NAC VLAN segmentation to Disabled, then set the Onboarding VLAN to the onboarding VLAN that was created earlier in this article.
    • NAC LAN segments are a more complex configuration that notably allows administrators to avoid having to change the end user's IP address during the VLAN reassignment process. This article focuses on the simpler NAC use case where the client's connected switch port is bounced as part of the VLAN change, but for more information on LAN segments, refer to the following documents:

 

Onboarding NAC Policy.png

 

Onboarding NAC Policy Overview.png

 

  4. Back on WiFi & Switch Controller -> NAC Policies, select the Create New button to create a new NAC policy with the following settings:
    • Set the Category to User and specify an appropriate User group.
    • Enable the Assign VLAN option and specify the VLAN that these users should be assigned to after authentication.
    • Enable the Bounce port option. This will disable/re-enable the user's connected FortiSwitch port to force a fresh DHCP address request from the new VLAN.
    • In this example, separate rules have been created for LAN users vs. Contractor users, assigning each to separate VLANs.

 

Example User NAC Policy.png

 

Example User NAC Policy Overview.png

 

  5. Finally, navigate to WiFi & Switch Controller -> FortiSwitch Ports and select the Ports tab. Enable NAC mode on each desired switch port by right-clicking and selecting Set Mode -> NAC. Notably, the Native VLAN for that switch port will change to the onboarding VLAN and the Allowed VLANs will change to the FortiLink's existing quarantine VLAN.
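As an added CLI equivalent for steps 1, 3, 4 and 5 (not part of the original article, which only provides the CLI for the DNS policy), the configuration below builds the onboarding VLAN with DHCP and captive portal, points the FortiLink NAC settings at it, creates one VLAN-assignment NAC policy with port bounce, and puts a switch port into NAC mode. Assumed values: VLAN800 as the onboarding VLAN using 10.255.100.0/24 (the range named in the verification section), VLAN810 as the destination VLAN, user group LAN_Users, FortiLink interface 'fortilink', and a placeholder switch serial. The switch-controller fortilink-settings / nac-ports syntax is the FortiOS 7.x form written from memory (FortiOS 6.4 uses switch-controller nac-settings instead), so confirm the exact keywords against the CLI Reference for the installed version before applying.

```fortios
# Step 1: onboarding VLAN on the FortiLink trunk, with DHCP and a group-restricted captive portal.
# Names, addresses and groups are assumed values, not taken from the article.
config system interface
    edit "VLAN800"
        set vdom "root"
        set ip 10.255.100.1 255.255.255.0
        set allowaccess ping
        set security-mode captive-portal
        set security-groups "LAN_Users"
        set interface "fortilink"
        set vlanid 800
    next
end
config system dhcp server
    edit 0
        set interface "VLAN800"
        set default-gateway 10.255.100.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.255.100.10
                set end-ip 10.255.100.250
            next
        end
    next
end

# Step 3: onboarding VLAN for NAC ports, LAN segmentation disabled (7.x syntax, assumed).
config switch-controller fortilink-settings
    edit "fortilink"
        set fortilink "fortilink"
        config nac-ports
            set onboarding-vlan "VLAN800"
            set lan-segment disabled
        end
    next
end

# Step 4: MAC policy holds the target VLAN and the port bounce; the NAC policy ties the user group to it.
config switch-controller mac-policy
    edit "NAC_LAN_Users"
        set fortilink "fortilink"
        set vlan "VLAN810"
        set bounce-port-link enable
    next
end
config user nac-policy
    edit "NAC_LAN_Users"
        set category user
        set user-group "LAN_Users"
        set switch-fortilink "fortilink"
        set switch-mac-policy "NAC_LAN_Users"
    next
end

# Step 5: put a switch port into NAC mode. Replace the serial with the managed switch's own.
config switch-controller managed-switch
    edit "SWITCH_SERIAL_PLACEHOLDER"
        config ports
            edit "port5"
                set access-mode nac
            next
        end
    next
end

# Verification from the FortiGate CLI: the authenticated user session and the lease handed out
# on the new VLAN after the bounce.
diagnose firewall auth list
execute dhcp lease-list
```

Repeat the mac-policy / nac-policy pair per user group (for example a second pair for Contractors mapped to their own VLAN) to reproduce the separate LAN and Contractor rules the article builds in the GUI. The DNS firewall policy shown earlier in the article is still required alongside this configuration.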

 

FortiSwitch Ports.png

 

Verification:

At this point, a client device can be connected to a FortiSwitch port with NAC mode enabled to test the NAC functionality. The following is the expected sequence of events:

  1. The client will receive a DHCP lease from the onboarding VLAN (in this example, that would be in the 10.255.100.x range).
  2. Most client operating systems will automatically attempt to detect captive portals by making a web connection to a well-known URL. This requires resolving the destination via DNS first, then making an outbound HTTP connection (see the following for a list of current captive portal URLs based on operating system: Wikipedia - Captive Portal Detection). Alternatively, users may manually navigate to any web destination in their browser to trigger the captive portal.
  3. The FortiGate will intercept the user's web connection and redirect the device to the captive portal URL. For more information on the FortiGate captive portal URL/port (including customising its behaviour), refer to the following documents:

Technical Tip: Change the captive portal port

Technical Tip: Using secure authentication (HTTPS) on a FortiGate and redirecting the authentication...

Technical Tip: FortiGate configured with multiple captive portals and as a DNS server

 

Captive Portal Prompt.png

 

  4. Once the captive portal page is displayed, users can authenticate using username and password. After authentication succeeds, the user's connected FortiSwitch port will be bounced as the VLAN is changed. This forces the client device to request a new DHCP lease, this time from the newly-assigned VLAN.
  5. The client device is assigned to the new VLAN and will have a corresponding IP address for that VLAN. A user entry should also be visible on the FortiGate under WiFi & Switch Controller -> NAC Policies -> View Matched Devices (in the top-right corner). This can also be found under the Matched Devices dashboard widget, in the Assets & Identities default dashboard.

 

Related document:

FortiSwitch network access control
