FortiGate
jiahoong112
Staff
Article Id 346321
Description

This article describes the additional configuration needed for the captive portal to work on Apple devices after the initial setup described in: FortiAuthenticator as a Wireless Guest Portal for FortiGate

Test the initial captive portal configuration on a Windows or Android device first. If it does not work there, the problem is in the base configuration rather than in the Apple-specific steps below.

Scope: FortiOS, all non-EOS versions, when captive portal authentication is used.
Solution

The following address objects have to be created first:

DNS object (the DNS server the guest clients use, referenced as "google dns" in the policy below):

[Screenshot: DNS server address object]

captive.apple.com FQDN object:

[Screenshot: captive.apple.com FQDN address object]

 

Extra steps are required for captive portal authentication to work on Apple devices, because the device probes captive.apple.com to decide whether it is behind a captive portal and needs to resolve and reach that host before it has authenticated. These configuration steps have to be carried out on the FortiGate:

  1. Exempt captive.apple.com and the DNS server object under 'Exempt Destinations' in the captive portal settings of the interface, so that the FortiGate does not redirect this traffic to the portal:

[Screenshot: Exempt Destinations containing captive.apple.com and the DNS object]

  2. Create a firewall policy whose destinations are only captive.apple.com, the DNS server and the FortiAuthenticator, so that Apple devices can resolve DNS and reach captive.apple.com before they are able to reach the captive portal page. The exemption only stops the redirect; this policy is still needed for the traffic to be forwarded. Note that the policy below uses service ALL: restricting it to DNS, HTTP and HTTPS is enough for the probe and the portal and limits what an unauthenticated client can reach.

[Screenshot: firewall policy with captive.apple.com, the DNS object and the FortiAuthenticator as destinations]

 

config firewall policy
    edit 26
        set name "captive-portal-exempt"
        set srcintf "captiveportal"
        set dstintf "virtual-wan-link" "port4"
        set action accept
        set srcaddr "all"
        set dstaddr "google dns" "fac" "captive.apple.com"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

 

  3. Configure DHCP option 114 (the Captive-Portal API URL option defined in RFC 8910) on the DHCP server that serves the guest clients. The option advertises the captive portal's API URL to the device, so an Apple device knows the network is a captive portal rather than something intercepting its traffic, and it makes the redirection to the originally requested public URL succeed after captive portal authentication. See Apple's note on modernizing captive networks: https://developer.apple.com/news/?id=q78sq5rv

[Screenshot: DHCP server advanced options with code 114 and the portal API URL]
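The CLI equivalent of the whole procedure, as an added example and not the article's own configuration. The interface name "captiveportal", the policy ID 26 and the "google dns", "fac" and "captive.apple.com" object names come from the policy above; the DHCP server ID 1, the exempt-list name "apple-cna-exempt", the DNS address 8.8.8.8 and the API URL https://fac.example.com/api/captive-portal are assumed values to be replaced with your own. Unlike the policy above, this version narrows the service to DNS, HTTP and HTTPS instead of ALL.

```fortios
# Address objects referenced by the exemption and the policy.
# 8.8.8.8 is an assumed DNS server address.
config firewall address
    edit "google dns"
        set subnet 8.8.8.8 255.255.255.255
    next
    edit "captive.apple.com"
        set type fqdn
        set fqdn "captive.apple.com"
    next
end

# Step 1: destinations the captive portal must not redirect
# (GUI: Exempt Destinations). The list name is assumed.
config user security-exempt-list
    edit "apple-cna-exempt"
        config rule
            edit 1
                set srcaddr "all"
                set dstaddr "google dns" "captive.apple.com"
                set service "DNS" "HTTP" "HTTPS"
            next
        end
    next
end

# Attach the exempt list to the guest interface; the captive portal
# settings already on the interface from the initial setup are kept.
config system interface
    edit "captiveportal"
        set security-exempt-list "apple-cna-exempt"
    next
end

# Step 2: policy that forwards the exempted traffic before authentication,
# limited to the services the probe and the portal actually need.
config firewall policy
    edit 26
        set name "captive-portal-exempt"
        set srcintf "captiveportal"
        set dstintf "virtual-wan-link" "port4"
        set action accept
        set srcaddr "all"
        set dstaddr "google dns" "fac" "captive.apple.com"
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set logtraffic all
        set nat enable
    next
end

# Step 3: DHCP option 114 (RFC 8910 Captive-Portal API URL) on the DHCP
# server of the guest interface. Server ID and URL are assumed.
config system dhcp server
    edit 1
        set interface "captiveportal"
        config options
            edit 1
                set code 114
                set type string
                set value "https://fac.example.com/api/captive-portal"
            next
        end
    next
end
```

The URL advertised in option 114 is what iOS and macOS query for the Captive Portal API (RFC 8908); it must answer with JSON and the Content-Type application/captive+json, so confirm what your FortiAuthenticator version serves at that path before advertising it. Apply the configuration, confirm the portal still works on a Windows or Android client, then check on an Apple device that the Captive Network Assistant opens and that the originally requested page loads after login.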