Article Id 296760

This article describes step-by-step instructions on how to implement a guest network solution based on FortiOS using a bridge mode SSID with HPE Aruba ClearPass version 6.11.6 as a captive portal.


FortiGate 7.0 and above.


Configuration on FortiGate:


  1. Follow steps 1 and 2 in Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external ...

  2. Create a VLAN41 interface on internal interface 3 (port3), or on any other internal interface intended for the bridge SSID:

    In the GUI:

    In the CLI:


config system interface
    edit "VLAN41"
        set vdom "root"
        set ip <ip-address> <netmask> <- Placeholder: the gateway address and mask of the guest VLAN (replace with the values for the guest subnet).
        set allowaccess ping radius-acct
        set security-mode captive-portal
        set security-mac-auth-bypass enable <- Allows MAC caching (MAC authentication bypass).
        set security-external-web "fqdn-to-clearpass-guest-portal/guest/pagename.php" <- The URL of the web server hosting the login page.
        set auth-cert "name-of-ssl-cert"
        set auth-portal-addr "fqdn-to-dns-name-of-fortigate-vlan-ip"
        set security-exempt-list "VLAN41-exempt-list" <- Must allow HTTP/HTTPS, DNS, etc. so that clients can resolve and reach the ClearPass server, plus any other destinations/services permitted before signing on to the guest network.
        set security-groups "Guest-Users"
        set device-identification enable
        set role lan
        set snmp-index 21
        set interface "port3"
        set vlanid 41
    next
end
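The exempt list referenced by 'set security-exempt-list' is not shown in this article; the following is an added example (not the article's own configuration) of how such a list can be built in the FortiOS CLI so that unauthenticated guests can only reach DNS and the ClearPass portal before they sign on. The address object name 'ClearPass-Server' and its IP address are assumptions; replace them with the real ClearPass address.

```fortios
# Address object for the ClearPass server (assumed name; 192.0.2.10 is a constructed example address).
config firewall address
    edit "ClearPass-Server"
        set subnet 192.0.2.10 255.255.255.255
    next
end

# Pre-authentication exemptions for the bridged guest SSID.
# Only DNS and HTTP/HTTPS to ClearPass are reachable before the captive-portal login;
# everything else stays blocked until the user is authenticated.
config user security-exempt-list
    edit "VLAN41-exempt-list"
        set description "Pre-auth exemptions for the guest SSID on VLAN41"
        config rule
            edit 1
                set srcaddr "all"
                set dstaddr "ClearPass-Server"
                set service "HTTP" "HTTPS"
            next
            edit 2
                set srcaddr "all"
                set dstaddr "all"
                set service "DNS"
            next
        end
    next
end
```

Keep the list as narrow as possible: every destination added here is reachable by any device on the guest VLAN without authentication.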




Login/splash page hosted on an external web server:

  • Use it to collect the usernames and passwords of guest users.
  • The page submits the user credentials directly to the FortiGate via an HTTP POST.
  • When the FortiGate receives the client credentials, it starts the authentication phase.
  • When the client is authorized, it is able to access the allowed network.


  3. Create the SSID in bridge mode as shown below:


In the GUI:

In the CLI:


config wireless-controller vap
    edit "Bridge_Guest"
        set ssid "FortiBridgeGuest"
        set security owe <- Or 'open' if clients that do not support OWE must be served (see the note below).
        set pmf enable
        set mbo enable
        set local-bridging enable
        set intra-vap-privacy enable
        set schedule "always"
        set vlanid 41
        set probe-resp-suppression enable
        set sticky-client-remove enable
    next
end




  • security: Security mode for the wireless interface (Open, or OWE - Opportunistic Wireless Encryption).
  • pmf: Protected Management Frames (PMF) support (default = disable).
  • mbo: Enable/disable Multiband Operation (default = disable).
  • intra-vap-privacy: Enable/disable blocking of communication between clients on the same SSID (intra-SSID privacy) (default = disable).
  • probe-resp-suppression: Enable/disable probe response suppression, which ignores probe requests from clients with weak signals (default = disable).
  • sticky-client-remove: Enable/disable removal of sticky clients, so that only clients with a good signal level remain on the SSID (default = disable).




It is recommended to use OWE (Opportunistic Wireless Encryption) on the SSID to enable strong encryption between the wireless client and the access point. However, because not all clients support it, it is also viable to use the Open (unencrypted) option under 'Security Mode Settings'.


  4. Follow steps 4 and 5 in Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external ...


Configuration on the ClearPass policy server:


Two services (MAC Caching and then Guest Registration) must be configured on the ClearPass Policy Server.


  1. Configure the MAC Caching service as shown below:

     Follow steps 2 and 3 under 'Configuration on the ClearPass policy server' in Technical Tip: How to configure FortiGate Guest Wi-Fi Network using HPE Aruba ClearPass as external ...



  2. Configure Guest Registration as shown here:




    Note that the NAS-IP-Address condition refers to the group in which the FortiGate is included.



  3. Create a Standard Guest Role Mapping Rule:



  4. Create the Standard guest enforcement, which sends the 'Guest-User' over to FortiGate and updates the account expiration time:




  5. Configure the following according to the requirements: for the guest portal settings, use a sponsor-based portal, SMS delivery, etc. as usual; for the NAS vendor settings, use the default Fortinet FortiGate:



    It is still possible to use the previously used 'Custom' settings, but then the details must be added under 'Extra Fields' like this:




    Note that the 'Submit URL:' field is the IP or FQDN of the FortiGate guest interface. It is highly recommended to use HTTPS on port 1003 for the captive portal. When using HTTP, ensure that the port number used is 1000.


    If a different port needs to be configured, change it using the following commands (see also the related article linked below):

    config system global
        set auth-http-port X <- Default is port 1000 for HTTP.
        set auth-https-port Y <- Default is port 1003 for HTTPS.
    end


    Technical Tip: Change the captive portal port


Troubleshooting commands (fnbamd is the FortiGate authentication daemon, so this debug shows the RADIUS exchange with ClearPass):

diagnose debug reset
diagnose debug disable
diagnose debug application fnbamd -1
diagnose debug enable