The FortiGate can support Captive Portal authentication in a number of different areas, including wireless SSIDs (e.g., Wi-Fi networks) and wired physical networks. Additionally, captive portals can be configured individually on firewall policies.

When a user is connected to an SSID and accepts the disclaimer, the same disclaimer will appear again if a disclaimer captive portal is also configured on a firewall policy. The default disclaimer page is shown below:

Configuration:

config wireless-controller vap

    edit "fortinet"

        set passphrase ENC xyz

        set captive-portal enable

        set portal-type disclaimer

        set schedule "always"

    next

end

config firewall policy

    edit <index>

        set name "AP"

        set srcintf "fortinet"

        set dstintf "wan1"

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

        set logtraffic all

        set nat enable

        set disclaimer enable

    next

end

To fix this issue, the disclaimer needs to be disabled on the SSID or the firewall policy.

This behavior is also seen when the disclaimer captive-portal is enabled on both the network interface and a firewall policy.

Related article:

Technical Tip: Configuring a disclaimer page on a FortiGate SSID