The following Address Objects have to be created first.

DNS Object:

Captive.apple.com FQDN object:

There are extra steps required for Captive Portal authentication to work on Apple devices. These configuration steps have to be carried out on the FortiGate:

1. Exempt captive.apple.com and DNS under 'Exempt Destinations' of the captive portal as such:

2. Create a firewall policy where the Destinations are only captive.apple.com and the DNS server, so that the Apple devices can resolve DNS and reach captive.apple.com before being able to hit the captive portal page.

config firewall policy

    edit 26

        set name "captive-portal-exempt"

        set srcintf "captiveportal"

        set dstintf "virtual-wan-link" "port4"

        set action accept

        set srcaddr "all"

        set dstaddr "google dns" "fac" "captive.apple.com"

        set schedule "always"

        set service "ALL"

        set logtraffic all

        set nat enable

    next

end

3. Configure DHCP Option 114 for the purpose of ensuring the redirection to the public URL is correct after the captive portal. This ensures that redirection to the webpage is successful after captive portal authentication. It also allows the network to advertise to the device that it is the captive portal rather than a traffic interceptor: https://developer.apple.com/news/?id=q78sq5rv.

4. Try disabling the certificate if the certificate error still shows up on Apple devices when trying to access the captive portal:

config user setting 

    unset auth-cert

end

5. If the Captive portal page browser goes into a loop after authentication, disable the command line below.

config user setting
    set auth-src-mac disable
end

By default, FortiGate also checks the client's MAC address when authenticating, and if the client is behind a router before reaching the firewall, the loopback behaviour. That setting above disables it.