FortiGate
kaman
Staff
Article Id 369533
Description

This article explains why users are not being redirected to the Firewall Authentication Portal Page after connecting to the captive portal.

Scope

FortiOS.

Solution

Topology:
User PC --- (port2) FortiGate (port1) --- Internet


Create a local user. In this example, user group information is fetched from the FortiAuthenticator.

radius-user.png

The same can be achieved from the CLI:

diagnose test authserver radius <radius server_name> <authentication scheme> <username> <password>


Create a new firewall policy from port2 to port1 and include the radius-group information in the Source field.

policy-image.png


Edit the interface configuration where the user will connect by navigating to Network -> Interface, selecting the desired interface (e.g., port2), enabling Security Mode, and specifying the user groups that need to be authenticated.

Note:

The captive portal option cannot be enabled if the interface role is set to WAN or DMZ. Change the interface role to LAN or Undefined to configure the captive portal.

Verification:
Access any website (e.g., www.google.com) from the client system.

The web-based captive portal authentication page will be displayed.

captive-page.png

Once the user is authenticated successfully, the user is not redirected to the Firewall Authentication Portal Page.

no-auth.png

Solution:

Under the port2 interface settings, choose Specific URL for Redirect after Captive Portal and specify the URL: http://10.75.13.229:1000/portal?

specific-url.png

Note:

The default auth-http-port is set to 1000 and can be found under the config system global settings.

The group information can be provided from the interface level as well as from the Firewall policy level.

In the above image, if 'user access' is configured as 'Allow all', the group information has to be fetched from the Firewall policy level.

The above changes will result in a redirect to the Firewall Authentication Portal Page.

captive-portal-auth.png
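
The GUI steps above expressed as FortiOS CLI, as an added example that is not part of the original article. The interface names and redirect URL are the ones used in the article; the group name "radius-group", policy ID 10, the "all" address objects, the ALL service, the "always" schedule and NAT are assumptions made for illustration.

```fortios
# Added example, not from the original article.
# Assumed values: group "radius-group", policy ID 10, srcaddr/dstaddr "all",
# service "ALL", schedule "always", NAT enabled.

# User-facing interface: enable the captive portal and set the post-login redirect.
# Omit "security-groups" when user access is "Allow all"; the group is then
# taken from the firewall policy.
# When typing the URL interactively, press Ctrl+V before the trailing "?",
# otherwise the CLI treats "?" as a help request.
config system interface
    edit "port2"
        set security-mode captive-portal
        set security-groups "radius-group"
        set security-redirect-url "http://10.75.13.229:1000/portal?"
    next
end

# Policy from the user side (port2) to the Internet (port1) for the same group.
config firewall policy
    edit 10
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "radius-group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Confirm the port used in the redirect URL (default 1000).
get system global | grep auth-http-port
```

If auth-http-port has been changed from the default, the port in the redirect URL has to match the value returned by the last command.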