Description
This article describes how to stop the captive portal from triggering in another browser tab and how to prevent the authentication page from being insecure.
Scope
FortiOS v7.0 and above.
Solution
Prerequisite:
If a public or external DNS server is used, DNS traffic should be exempted on the interface on which the captive portal is configured, and an IPv4 policy should be set up to allow this traffic (the policy can be enhanced with a DNS filter).
Topology:
PC -> [port2] FortiGate [port1] -> Internet.
In the lab setup used to test the process in this article, port2 (192.168.1.222) is enabled with security-mode set to captive-portal.
Note:
The FortiGate DNS server IP and user PC DNS server IP are expected to be the same to match the destination address to be exempted.
However, when the communication is encrypted over TLS, the certificate used is 'Fortinet_Factory', whose CN contains the serial number, so the browser shows a 'not secure' error. The FQDN defined in 'portal-addr' must resolve to the FortiGate interface IP and must be present in the certificate's Subject Alternative Name (SAN). Ideally, the FortiGate already has a publicly trusted certificate, as required for unmanaged guest users on this Wi-Fi. For the sake of testing, this article uses a self-signed certificate, which is only valid for managed guest devices that can trust its CA.
The article 'Technical Tip: How to generate a self-signed certificate from FortiGate' was followed to set up the CN/SAN name 'lab.fortigate.local'; this certificate was signed by the CA 'Fortinet_CA_SSL'. It is also viable to create a CSR and have it signed by a public certificate authority.
config firewall auth-portal
    set portal-addr "lab.fortigate.local"
end
config user setting
    set auth-cert "Captive-portal"
    set auth-ca-cert "Fortinet_CA_SSL"
    set auth-secure-http enable
end
Note:
Ensure the auth-portal redirection URL is being resolved to the IP assigned on the inbound interface. In this case, it is port2 (192.168.1.222).
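The two conditions above (the portal-addr FQDN is in the certificate SAN, and it resolves to the inbound interface IP) can be checked before rollout. The following is an added example, not Fortinet code: the function names are hypothetical, the certificate dictionaries follow the layout returned by Python's ssl getpeercert(), and the sample certificates and DNS table are constructed from the lab values in this article.

```python
import socket

def san_matches(host, cert):
    """True if host matches a DNS subjectAltName entry; the CN is not consulted."""
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        # A wildcard covers exactly one left-most label.
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def check_portal(portal_addr, interface_ip, cert, resolve=None):
    """Return a list of problems; an empty list means both checks pass."""
    resolve = resolve or (lambda name: socket.gethostbyname_ex(name)[2])
    problems = []
    if not san_matches(portal_addr, cert):
        problems.append("portal-addr is not in the certificate subjectAltName")
    try:
        addrs = resolve(portal_addr)
    except OSError:  # includes socket.gaierror for names that do not resolve
        addrs = []
    if interface_ip not in addrs:
        problems.append("portal-addr does not resolve to the captive portal interface IP")
    return problems

# Constructed sample data in getpeercert() layout (serial number is a placeholder).
FACTORY_CERT = {"subject": ((("commonName", "FGT-SERIAL-PLACEHOLDER"),),)}
PORTAL_CERT = {
    "subject": ((("commonName", "lab.fortigate.local"),),),
    "subjectAltName": (("DNS", "lab.fortigate.local"),),
}
LAB_DNS = {"lab.fortigate.local": ["192.168.1.222"]}  # constructed DNS table

def lab_resolve(name):
    """Offline stand-in for the DNS server the client PC uses."""
    if name not in LAB_DNS:
        raise OSError("name not found")
    return LAB_DNS[name]

if __name__ == "__main__":
    for label, cert in (("factory", FACTORY_CERT), ("portal", PORTAL_CERT)):
        print(label, check_portal("lab.fortigate.local", "192.168.1.222", cert, lab_resolve))
```

Omitting the resolve argument makes check_portal use the system resolver, which should be run from a client on the captive portal network so that it queries the same DNS server as the user PC.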
Warning:
Exempting the mentioned webpages may lead to certificate errors when the webpage loaded is negotiated using HTTPS.
Related articles:
Technical Tip: Captive Portal Authentication Network Interface.
Technical Tip: How to generate a self-signed certificate from FortiGate.
Copyright 2025 Fortinet, Inc. All Rights Reserved.