Hassan97wsh
Staff
Article Id 408439
Description: This article describes how to configure an SSID on the FortiGate that is restricted to the FortiAuthenticator self-service portal. This article assumes that the self-service portal policy has already been set up on the FortiAuthenticator.
Scope: FortiGate, FortiAP, FortiAuthenticator.
Solution

To give users access to the FortiAuthenticator self-service portal, an open SSID can be configured on the FortiGate. Restrict this SSID so that clients can reach only the DNS service and, over HTTPS, the FortiAuthenticator. Upon connection, users are redirected to the portal URL. The portal URL is found on the FortiAuthenticator under Authentication -> Portals -> Policies.

 

Self-service SSID configuration:

 

config wireless-controller vap
    edit "Self-Service"
        set ssid "Self-Service"
        set security open
        set captive-portal enable
        set portal-type disclaimer
        set security-redirect-url "https://fac-01.fortilab.local/portal/selfservice/Self-Service/"
        set schedule "always"
    next
end

 

Firewall policies:

config firewall policy
    edit 1
        set name "Self-service_DNS"
        set srcintf "Self-Service"
        set dstintf "port1"
        set action accept
        set srcaddr "Self-Service_addresses"
        set dstaddr "DNS_10.0.0.1"
        set schedule "always"
        set service "DNS" "PING"
    next
    edit 2
        set name "Self-service_Portal"
        set srcintf "Self-Service"
        set dstintf "port2"
        set action accept
        set srcaddr "Self-Service_addresses"
        set dstaddr "FAC_10.0.1.1"
        set schedule "always"
        set service "PING" "HTTPS"
    next
end
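
Because the SSID is open, the restriction rests entirely on these two policies staying narrow. The Python sketch below is an added example, not part of the original article or any Fortinet tooling: it parses `show firewall policy` output and flags any accept policy sourced from the Self-Service interface that goes beyond the destinations and services shown above. The `ALLOWED` table, the function names and the sample text are assumptions made for illustration.

```python
import shlex

# Allowlist from the article's two policies: destination object -> permitted services.
ALLOWED = {"DNS_10.0.0.1": {"DNS", "PING"}, "FAC_10.0.1.1": {"PING", "HTTPS"}}

def parse_policies(text):
    """Parse 'config firewall policy' text into {policy_id: {option: [values]}}."""
    policies, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if tokens[:1] == ["edit"] and len(tokens) > 1:
            current = policies.setdefault(tokens[1], {})
        elif tokens[:1] == ["next"]:
            current = None
        elif tokens[:1] == ["set"] and current is not None and len(tokens) > 2:
            current[tokens[1]] = tokens[2:]
    return policies

def audit(text, ssid_intf="Self-Service"):
    """List (policy_id, problem) for accept policies from the SSID that exceed ALLOWED."""
    findings = []
    for pid, p in parse_policies(text).items():
        if ssid_intf not in p.get("srcintf", []) or p.get("action") != ["accept"]:
            continue
        for dst in p.get("dstaddr", []):
            extra = set(p.get("service", [])) - ALLOWED.get(dst, set())
            if dst not in ALLOWED:
                findings.append((pid, f"unexpected destination {dst}"))
            elif extra:
                findings.append((pid, f"extra services to {dst}: {sorted(extra)}"))
    return findings

# Constructed sample: policy 1 matches the article, policy 3 is deliberate drift.
SAMPLE = '''
config firewall policy
    edit 1
        set srcintf "Self-Service"
        set action accept
        set dstaddr "DNS_10.0.0.1"
        set service "DNS" "PING"
    next
    edit 3
        set srcintf "Self-Service"
        set action accept
        set dstaddr "all"
        set service "ALL"
    next
end
'''
```

Calling `audit(SAMPLE)` reports only policy 3; an empty list means every accept policy from the SSID stays within the allowlist.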

 

Disclaimer page configuration (Optional):

 

The default disclaimer page on the FortiGate displays a generic user agreement message but does not indicate where the user will be redirected after selecting 'Yes, I agree'. To customize this behavior, the HTML code of the disclaimer page can be modified under System -> Replacement Messages -> Extended View -> Disclaimer Page.

 

Related article:

Technical Tip: Dynamic VLAN assignment for SSID clients in bridge & tunnel mode using radius authent...