Solution
Instructions for setting up a form-based captive portal for proxy authentication can be read in the following document: Setting up a form-based authentication captive portal using SSL certificate.
The linked document covers CLI configuration only and omits the user and group configuration steps. To configure this via the GUI, follow these steps:
- Configuring the interface to be used for the portal:
Go to Network -> Interfaces -> [port to be used]:
Configure a valid IP address, then enable 'Explicit web proxy' and 'Proxy Captive Portal' under the miscellaneous options.
- Next, configure authentication settings for the portal under Policy & Objects -> Proxy Auth Setting:
Enable the 'Captive Portal' option, choose the preferred port, choose IP in 'Captive Portal Type' and type the IP address of the interface to be used in 'Captive Portal IP' (an FQDN can also be used here if preferred).
- Now configure an authentication scheme that uses the form method, and an authentication rule to enforce that scheme:
Go to Policy & Objects -> Authentication Rules -> Create New -> Authentication Scheme:

Choose 'Form-based' for the method and 'local-user-db' for the User database to be used.
For the authentication rule, go to Policy & Objects -> Authentication Rules -> Create New -> Authentication Rule:
Configure HTTP as the protocol, set the source and destination addresses/interfaces as required, enable the 'Authentication Scheme' option, then select the new authentication scheme.
- Create the local users and groups to be used for authentication. Go to User & Authentication -> User Definition -> Create New and create a new local user (create as many as required):
After that, go to User & Authentication -> User Groups -> Create New:
Create the group to be used for authentication, choose the type Firewall and logic type OR, then add the required local users as members.
- Next, create a firewall rule. Go to Policy & Objects -> Policy -> Create New:
Configure it as follows:
Type: Explicit (for explicit proxy).
Explicit web-proxy: Select the preferred explicit proxy profile, in this case the default web-proxy profile is used.
Outgoing interface: Add the relevant interfaces.
Source: Include here the related network/s and the new user-group.
Destination: Add the relevant destinations (usually all for this kind of setup).
Schedule: Always.
Service: Select the explicit proxy profile used above.
Action: Accept.
- Finally, configure the default server and CA certificates. Go to Proxy Settings -> Web Proxy Setting:
Choose the Default Server Certificate and Default CA Certificate; in this case Fortinet's default certificates are being used.
The FortiProxy will use the default server certificate (above) when redirecting users to the portal. During the first HTTPS login, the portal will use the CA certificate configured above. A certificate error prompt will appear if users do not have the relevant CA certificate installed on their devices.
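
Once the GUI steps are done, a configuration backup can be checked to confirm that the interface, portal address, scheme and rule fit together. The script below is an added example, not Fortinet's code and not part of the original article; the CLI section and key names in its constructed sample are assumed to correspond to the GUI labels above and should be confirmed against the CLI reference for the firmware in use.

```python
# Constructed sample backup; key names are assumptions mirroring the GUI labels.
SAMPLE = """
config system interface
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set explicit-web-proxy enable
        set proxy-captive-portal enable
    next
end
config authentication setting
    set captive-portal-ip 10.0.0.1
end
config authentication scheme
    edit "form-scheme"
        set method form
    next
end
config authentication rule
    edit "form-rule"
        set active-auth-method "other-scheme"
    next
end
"""
def parse(text):  # -> {section: {entry: {key: value}}}; nested config blocks are skipped
    cfg, section, entry, depth = {}, None, "", 0
    for parts in (l.split(None, 2) for l in text.splitlines() if l.strip()):
        verb = parts[0]
        depth += (verb == "config") - (verb == "end")  # track block nesting
        if verb == "config" and depth == 1:
            section, entry = " ".join(parts[1:]), ""
        elif depth == 1 and verb in ("edit", "next"):
            entry = parts[1].strip('"') if verb == "edit" else ""
        elif depth == 1 and verb == "set" and len(parts) == 3:
            cfg.setdefault(section, {}).setdefault(entry, {})[parts[1]] = parts[2].strip().strip('"')
    return cfg

def audit(cfg):  # -> list of findings; empty means every check passed
    ifaces, found = cfg.get("system interface", {}), []
    portal = [s for s in ifaces.values() if s.get("explicit-web-proxy") == "enable"
              and s.get("proxy-captive-portal") == "enable"]
    if not portal:
        found.append("no interface with explicit web proxy and proxy captive portal")
    ip = cfg.get("authentication setting", {}).get("", {}).get("captive-portal-ip")
    if ip and ip not in {s.get("ip", "").split(" ")[0] for s in portal}:
        found.append("captive portal IP is not the portal interface address")
    form = {n for n, s in cfg.get("authentication scheme", {}).items() if s.get("method") == "form"}
    if not any(r.get("active-auth-method") in form for r in cfg.get("authentication rule", {}).values()):
        found.append("no authentication rule enforces a form-based scheme")
    return found
```

On the constructed sample, `audit(parse(SAMPLE))` reports that the authentication rule points at a scheme that is not form-based, which is the mismatch that leaves the portal form unenforced.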