Hello all,
I have a client where WIFI is prompting as though captive portal is enabled while set to WPA2-Personal.
We've updated both firewall and APs to the most recent version 7.2, to no avail.
Next attempts will be a downgrade to observe if the issue persists on 7.0.
I will be happy to add details or information as needed. Hoping someone can help.
**EDIT**
This issue started last Friday 11/4 (no changes or updates that we are aware of)
Current config:
```
config wireless-controller vap
    edit "guest-test"
        set ssid "testSSID"
        set passphrase ENC
        set intra-vap-privacy enable
        set schedule "always"
    next
end
```
There is a Security mode "WPA2 Personal with Captive Portal". You can check it under WiFi & Switch Controller > SSIDs > (select SSID), under WiFi Settings.
The users can join using the PSK and after that are presented with a disclaimer or a second layer of authentication.
You can [Edit in CLI] to verify if there is any wrong extra command that you can remove:
```
config wireless-controller vap
    edit "PSK-MAC"
        set ssid "PSK-MAC"
        set security wpa2-only-personal+captive-portal
        set passphrase ENC
        set portal-type disclaimer
        set schedule "always"
    next
```
```
set security wpa2-only-personal
unset portal-type
```
Thank you for your reply. The issue is that we do not want a captive portal and it is not set as such. I have added my config to the original post.
If you create a new SSID with similar configurations (PSK only) will it still present the captive portal to the users? If the new SSID works ok, you can try to delete this one and re-create the same SSID from scratch.
Thank you! The new SSID is working properly.
I'll add two additional cases that can result in captive portal being shown:
1. SSID is in bridge mode and the actual FortiGate interface that receives the traffic has a captive portal enabled.
2. The firewall policy processing the relevant traffic (e.g. SSID->internet) requires authentication (e.g. LDAP, RADIUS, local user; not FSSO/RSSO/WSSO).
Consider checking these as well.
Thank you for your reply - the SSID is in tunnel mode, I have added config and screenshot to original post.
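The per-SSID checks suggested in this thread can be run over an exported `config wireless-controller vap` block. The following is an added example, not code from any poster or from Fortinet. The sample config is constructed from the two snippets posted above, and it assumes bridge mode shows up as `set local-bridging enable`. The firewall-policy case is not covered.

```python
import re

# Constructed sample, modelled on the two configs posted in this thread.
SAMPLE = '''\
config wireless-controller vap
    edit "guest-test"
        set ssid "testSSID"
        set passphrase ENC
        set intra-vap-privacy enable
        set schedule "always"
    next
    edit "PSK-MAC"
        set ssid "PSK-MAC"
        set security wpa2-only-personal+captive-portal
        set passphrase ENC
        set portal-type disclaimer
        set schedule "always"
    next
end
'''

def parse_vaps(text):
    """Return {vap_name: {setting: value}} from a vap config block."""
    vaps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'edit\s+"?([^"]+)"?$', line):
            current = vaps.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r'set\s+(\S+)\s+(.*)$', line)):
            current[m.group(1)] = m.group(2).strip('"')
    return vaps

def portal_findings(vaps):
    """Flag the per-SSID settings this thread names as captive-portal causes."""
    findings = {}
    for name, cfg in vaps.items():
        notes = []
        if "captive-portal" in cfg.get("security", ""):
            notes.append("security mode includes captive-portal")
        if "portal-type" in cfg:
            notes.append("portal-type is set: " + cfg["portal-type"])
        if cfg.get("local-bridging") == "enable":  # assumed bridge-mode marker
            notes.append("bridge mode: check the receiving interface for a portal")
        if notes:
            findings[name] = notes
    return findings

if __name__ == "__main__":
    for name, notes in portal_findings(parse_vaps(SAMPLE)).items():
        print(name, "->", "; ".join(notes))
```

An SSID that produces no findings here but still shows a portal, like "guest-test" in the sample, points toward the interface or policy causes, or toward re-creating the SSID as was done in this thread.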