FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jhussain_FTNT
Article Id 403197
Description This article describes how to configure MAC-based captive portal authentication with Cisco ISE on FortiGate. It provides a step-by-step guide to setting up external captive portal authentication with Cisco ISE and to troubleshooting common issues.
Scope FortiGate, Cisco ISE.
Solution

To configure captive portal authentication with Cisco ISE on FortiGate, follow these steps:

  1. Go to WiFi & Switch Controller -> SSIDs and Create New SSID.
  2. Set SSID to the desired SSID name and set Security to Open.
  3. Set External Web to the Cisco ISE portal URL and set Captive Portal to Enable.
  4. Set Portal Type to Auth-MAC and set RADIUS MAC Auth to Enable.
  5. Configure the RADIUS server settings and set RADIUS MAC Auth Server to the Cisco ISE server IP address.

config wireless-controller vap
    edit "GUEST-TEST"
        set ssid "GUEST-TEST"
        set security open
        set external-web "https://x.x.x.x:8443/portal/PortalSetup.action?portal=35c9a5e7-ef78-43df-b200-7903c7714b8b&action=cw..."
        set radius-mac-auth enable
        set radius-mac-auth-server "OPs-ISE-01"
        set radius-mac-auth-usergroups "ISE GROUP"
        set captive-portal enable
        set portal-type auth-mac
        set schedule "always"
    next
end

  6. Go to User & Authentication -> RADIUS Servers and edit the RADIUS configuration.
  7. Set Server to the Cisco ISE server IP address and set Secret to the shared secret key.

config user radius
    edit "OPs-ISE-01"
        set server "x.x.x.x"
        set secret "<shared-secret>"
        set acct-interim-interval 60
        set radius-coa enable
    next
end

  8. Configure a firewall user group with the RADIUS server as its member.

config user group
    edit "ISE GROUP"
        set member "OPs-ISE-01"
    next
end

  9. Configure firewall policies that allow traffic from the VAP to the Cisco ISE server and to the DNS server with captive-portal-exempt enabled, so that clients can reach the portal and resolve names before they have authenticated.

config firewall policy
    edit 0
        set name "Test-WIFI"
        set srcintf "GUEST-TEST"
        set dstintf "x3"
        set action accept
        set srcaddr "guest-test rang"
        set dstaddr "x.x.x.x"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set captive-portal-exempt enable
    next
    edit 0
        set name "Test-WiFI_DNS"
        set srcintf "GUEST-TEST"
        set dstintf "x3"
        set action accept
        set srcaddr "guest-test rang"
        set dstaddr all
        set schedule "always"
        set service "DNS"
        set logtraffic all
        set captive-portal-exempt enable
    next
end

  10. Configure the firewall policy that allows internet access for authenticated users, matched by user group.

config firewall policy
    edit 0
        set name "test guest"
        set srcintf "GUEST-TEST"
        set dstintf "x2"
        set action accept
        set srcaddr "guest-test rang"
        set dstaddr "all"
        set schedule "always"
        set service "Web Access"
        set nat enable
        set groups "Guest-group"
    next
end
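The objects created in the steps above have to reference each other correctly: the VAP names the RADIUS server and the user group, the group contains the server, and the policies for the VAP are split into captive-portal-exempt ones (reachable before login) and group-based ones (after login). A mismatch in any of these names only shows up later as a client stuck at the portal. The following Python script is an added example, not code from the article or from Fortinet: it parses FortiOS-style CLI blocks into a dictionary and checks those cross-references. The sample configuration inside it is constructed for the example; `ise.example.invalid`, `192.0.2.10`, the portal URL, the policy IDs and the shared secret are placeholders, and the function names `parse_fortios` and `check_mac_captive_portal` are the example's own.

```python
# Added example, not from the article: parse FortiOS CLI blocks and cross-check the
# objects a MAC-based captive portal with an external RADIUS server relies on.
import shlex
from collections import defaultdict

# Constructed sample modelled on the article's configuration: object names follow
# the article; addresses, the portal URL and the shared secret are placeholders.
SAMPLE_CONFIG = """\
config wireless-controller vap
    edit "GUEST-TEST"
        set external-web "https://ise.example.invalid:8443/portal/PortalSetup.action?portal=PLACEHOLDER"
        set radius-mac-auth enable
        set radius-mac-auth-server "OPs-ISE-01"
        set radius-mac-auth-usergroups "ISE GROUP"
        set captive-portal enable
        set portal-type auth-mac
    next
end
config user radius
    edit "OPs-ISE-01"
        set server "192.0.2.10"
        set secret "PLACEHOLDER-SHARED-SECRET"
    next
end
config user group
    edit "ISE GROUP"
        set member "OPs-ISE-01"
    next
end
config firewall policy
    edit 1
        set srcintf "GUEST-TEST"
        set service "DNS"
        set captive-portal-exempt enable
    next
    edit 2
        set srcintf "GUEST-TEST"
        set service "Web Access"
        set groups "ISE GROUP"
    next
end
"""

def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}}; sub-tables nested in an entry are skipped."""
    tables, table, entry, depth = defaultdict(dict), None, None, 0
    for raw in text.splitlines():
        tok = shlex.split(raw)          # honours the CLI's double-quoted names
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1
            table = " ".join(tok[1:]) if depth == 1 else table
        elif tok[0] == "end":
            depth -= 1
        elif depth != 1:
            continue                    # line belongs to a nested sub-table
        elif tok[0] == "edit":
            entry = tables[table].setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]     # every value is kept as a list of strings
        elif tok[0] == "next":
            entry = None
    return dict(tables)

def check_mac_captive_portal(cfg):
    """Return findings per captive-portal VAP; [] means all cross-references line up."""
    out, radius, groups = [], cfg.get("user radius", {}), cfg.get("user group", {})
    policies = list(cfg.get("firewall policy", {}).values())
    for name, vap in cfg.get("wireless-controller vap", {}).items():
        if vap.get("captive-portal") != ["enable"]:
            continue
        if not vap.get("external-web", [""])[0].startswith("https://"):
            out.append(f"{name}: external-web is not an https URL")
        if vap.get("portal-type") == ["auth-mac"] and vap.get("radius-mac-auth") != ["enable"]:
            out.append(f"{name}: portal-type auth-mac needs radius-mac-auth enable")
        srv = vap.get("radius-mac-auth-server", [""])[0]
        if srv not in radius:
            out.append(f"{name}: RADIUS server {srv!r} is not configured")
        elif not radius[srv].get("secret", [""])[0]:
            out.append(f"{srv}: RADIUS server has no shared secret")
        for g in vap.get("radius-mac-auth-usergroups", []):
            if g not in groups:
                out.append(f"{name}: user group {g!r} is not configured")
            elif not set(groups[g].get("member", [])) & set(radius):
                out.append(f"{g}: user group has no RADIUS server member")
        mine = [p for p in policies if name in p.get("srcintf", [])]
        exempt = [p for p in mine if p.get("captive-portal-exempt") == ["enable"]]
        if not any({"DNS", "ALL"} & set(p.get("service", [])) for p in exempt):
            out.append(f"{name}: no captive-portal-exempt policy allows DNS before login")
        authed = [p for p in mine if p.get("groups")]
        if not authed:
            out.append(f"{name}: no policy grants access by user group after login")
        for g in {g for p in authed for g in p["groups"]} - set(groups):
            out.append(f"{name}: policy references unknown user group {g!r}")
    return out

if __name__ == "__main__":
    print(check_mac_captive_portal(parse_fortios(SAMPLE_CONFIG)) or "no findings")
```

Run against the sample it reports no findings; renaming the group in the last policy, blanking the shared secret or removing the DNS service from the exempt policy each produces one finding naming the object at fault. The same parser can be pointed at a `show` export from a real unit, since it only relies on the `config`/`edit`/`set`/`next`/`end` structure.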

Cisco ISE:

Configuration images on the Cisco ISE side (five screenshots in the original article, not reproduced here).

Troubleshooting tips:

  • Check the Cisco ISE server logs for any authentication errors.
  • Verify that the RADIUS server settings are correct and that the shared secret key matches on both FortiGate and Cisco ISE.
  • Check the FortiGate event logs for any errors related to captive portal or RADIUS authentication.