Yes, don't get me wrong, the article is great for the flow, it tells me where its failing, but not what could be wrong or possible fixes. I have done multiple sniffer packets, it just shows syn packets going out on HTTPS to the FAC, when they try and go direct, the web traffic rule doesn't get hit at all, nor does the exempt rule (unless they try the FAC Portal FQDN directly)

Something isn't right on this. If the HTTP to outside would time out (and by this I understand steps 1+2), the HTTPS to FortiAuthenticator wouldn't be attempted (steps 8+9). Check again what exactly times out.

If the FortiAuthenticator web portal doesn't react, then the page shouldn't be loaded, as previously tested.

If the TCP handshake is failing and never arrives at FortiAuthenticator, check on FortiGate where the SYN is going in and out (the sniffer 4-6 would tell).
diag sniffer packet any 'host <fac-ip>' 4 0 a

If the SYN is arriving at FortiAuthenticator, but there is no response, do the same packet capture on FortiAuthenticator:

exec tcpdump -i any host <client-IP>
replace client IP if the FortiGate policy is doing NAT, then of course FortiAuthenticator won't see the client IP.

So for example

This message would mean my FortiAuthenticator isn't responding, which means I have to check how my client and the FortiAuthenticator are actually talking to each other. TCP handshake should be quite visible, but in that error case I'd assume that this isn't the case. That handshake somehow fails ("too long to respond"), because otherwise the error message will be different.

Ill run some more packet sniffers when the engineer is back there later, it is worth pointing out that the FAC has a business WIFI using EAP-TLS, and thats working fine, as does the SSL VPN on the same firewall, using LDAP on the FAC, so it is just the portal part that broken, ill see what dumps I can get.

SSLVPN is either using LDAP or more likely RADIUS, EAP is using RADIUS. Portal uses HTTPS and would only show that the network generally is fine from these FortiGates. However, as LDAP/RADIUS are FortiGate originating, this won't say anything about what the client can communicate or not with the FortiAuthenticator through the FortiGate, which requires itself an own fw policy.

Agreed, was just pointing out, I dont think the FAC is at fault, considering the other services are working on there, EAP-TLS for Business WIFI and the SSL VPN is using the LDAP connection. will get some sniffer traffic asap

Will have captures tomorrow, but from the logging on the Firewall, all previous attempts dont touch the web access rule, and the only hits on the portal exempt rule are when I asked them to try going direct to the FAC and getting the 403 error.

403 sounds alright in that test. Then lets see what the rest brings up. Important is to capture port 53 (DNS), 80 (captive portal detection pages, HTTP unencrypted or manually browsing it and triggering it), 443 (towards FAC) and port 1000 or port 1003 (both to FortiGate, 1003 if "auth-secure" in config user setting is enabled). Theoretically a packet capture on the FortiGate will have all of it with when using the client IP as a filter. It may be good to have at the same time in parallel a packet capture with those ports on the client itself. Use the Wireshark filter if needed: port53 or port 80 or port 443 or port 1000 or port 1003. Double-check to run Wireshark on the correct interface as admin (since we don't trust any end user ;) ).

https://jasys.co.uk/uploads/LOGS.txt 

I have uploaded the logs to my personal website here:  

I dont think there is much to decipher, have a scroll through, the traffic towards 10.31.1.212 is when he tried the portal URL direct