jiahoong112
Staff
Article Id 346321
Description

This article describes the steps to ensure that the captive portal is properly triggered on Apple devices (such as iPhone or iPad) when a captive portal is configured on an SSID.

Scope
FortiGate.
Solution

Note: Similar configurations apply for wireless clients connecting to a third-party Access Point on the local network or to a FortiAP SSID in bridge mode, although in these cases the captive portal is configured on the FortiOS interface or VLAN rather than the SSID.

 

Pre-requisites: 

A captive portal is already configured on the FortiAuthenticator or another external resource.
For an example using FortiAuthenticator, see Technical Tip: How to configure FortiGate Captive Portal via FortiAuthenticator.

 

In this example, the captive portal for the SSID 'Captive-Apple' is hosted on FortiAuthenticator at 'https://test.fortiauthenticator.net/portal/'.

 

If the captive portal is not triggered specifically for Apple devices, verify the following configurations:

 
DHCP Server Configuration:
Ensure that the SSID interface DHCP server is configured to use the DNS server option 'Same as Interface IP' so that the FortiGate acts as the DNS server.

If an external DNS server is used for the SSID instead, refer to the firewall policy under 'DNS method 2' below. Note that this DNS server must resolve the captive portal FQDN (test.fortiauthenticator.net) to the external captive portal's IP address.

[Screenshot: DHCP-DNS.png]

DNS method 1: FortiGate as DNS Server

Make sure the DNS server is enabled on the SSID interface, and the DNS database includes an entry for the captive portal FQDN.

 

[Screenshot: DNS-SERVER.png]

[Screenshot: DNS-entry.png]

 

This ensures that SSID clients can properly resolve the captive portal FQDN 'test.fortiauthenticator.net'.

DNS method 2: External DNS Server
If the SSID DHCP configuration assigns a DNS server other than the FortiGate, a firewall policy with 'set captive-portal-exempt enable' is required so that DNS queries are allowed before authentication. This DNS server must be able to resolve the captive portal FQDN to the correct IP address.
 

config firewall policy
    edit <index>
        set name "Allow-DNS"
        set srcintf "Captive-Apple"
        set dstintf "internal"
        set action accept
        set srcaddr "all"
        set dstaddr "Internal-DNS"
        set schedule "always"
        set service "DNS"
        set logtraffic disable
        set captive-portal-exempt enable
    next
end


External Authentication Portal:
Confirm that the SSID's authentication portal is configured as the 'External' type with the correct address: in this case, 'https://test.fortiauthenticator.net/portal/'.

 

[Screenshot: SSID-Portal.png]

 

Firewall Policy to allow SSID clients to reach the external captive portal:

Ensure the policy includes 'set captive-portal-exempt enable', otherwise unauthenticated clients cannot reach the portal itself.

 

config firewall policy
    edit <index>
        set name "FAC-Captive-Exempt"
        set srcintf "Captive-Apple"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "test.fortiauthenticator.net"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set port-preserve disable
        set captive-portal-exempt enable
    next
end


Firewall Policy to allow Internet access after Authentication:
 

config firewall policy
    edit <index>
        set name "Captive-policy"
        set srcintf "Captive-Apple"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

 

Apple Captive Portal Detection:
Apple devices attempt to reach captive.apple.com to determine whether they have internet access.
If the device successfully reaches this domain, it assumes it is already online and will not trigger the captive portal. Therefore, it is necessary to make sure that an Apple device cannot reach captive.apple.com until it has authenticated.
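Added example (not from this article or from Fortinet): a small Python check to run from a client on the SSID before authenticating. It reports whether the portal FQDN resolves as expected and what an Apple device would conclude from its captive.apple.com probe. The probe URL and the exact 'Success' body Apple expects are assumptions based on Apple's captive-network behaviour; the portal IP is a constructed placeholder.

```python
import socket
import urllib.error
import urllib.request

# Assumed Apple probe: the device fetches this URL and expects exactly this
# body. Any other body, or a redirect, makes iOS/macOS show the portal sheet.
PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
APPLE_SUCCESS_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"


def classify_probe(status, body):
    """What an Apple client concludes from a probe response:
    'online'  -> genuine Success page reached, portal will NOT be triggered
    'captive' -> redirect or other content, portal WILL be triggered"""
    if status == 200 and body.strip() == APPLE_SUCCESS_BODY:
        return "online"
    return "captive"


def check_portal_dns(fqdn, expected_ip, resolve=socket.gethostbyname):
    """True if the resolver this client uses maps the portal FQDN to the
    expected address. `resolve` is injectable so it can be tested offline."""
    try:
        return resolve(fqdn) == expected_ip
    except OSError:  # NXDOMAIN or no DNS server reachable
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None stops urllib from following 3xx; the redirect then
    # surfaces as HTTPError, which is exactly what we want to inspect.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_live(url=PROBE_URL, timeout=5):
    """Run the Apple probe from this host (run it from a client on the SSID)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, err.read().decode(errors="replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"  # no DNS answer or TCP blocked: portal not triggered either


if __name__ == "__main__":
    PORTAL_IP = "192.0.2.10"  # constructed placeholder; use the real portal address
    print("portal DNS ok:", check_portal_dns("test.fortiauthenticator.net", PORTAL_IP))
    print("Apple probe result:", probe_live())
```

A result of 'online' before authentication means the probe was not intercepted and the device will never show the portal; 'captive' is the expected result.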


Endpoint Requirements:

On iPad or iPhone:
Verify the following settings under Wi-Fi > (SSID Name):

  • Configure DNS: Automatic.
  • Configure Proxy: Off.

These settings ensure that the device sends its DNS queries to the DHCP-assigned server and does not bypass the captive portal redirection through a proxy.

 

On macOS:
Navigate to System Settings -> Wi-Fi -> Wi-Fi Details and verify the following:

  • DNS: No manual DNS server configured.
  • Proxies: All proxy settings are disabled.

 

After verifying the above configuration and settings, an Apple device should trigger the captive portal once it tries to connect to the SSID.

 

To troubleshoot:
Run a packet capture on the FortiGate to check whether the client is able to reach the external authentication portal.

 

diagnose sniffer packet any 'host <client IP> and host <Authentication-portal IP>' 4 0 l

 

If the user is repeatedly sent back to the captive portal after a successful authentication, the cause may be a source MAC address mismatch in the authentication session. If so, disable auth-src-mac.

 

config user setting
    set auth-src-mac disable
end