How to Set Up a Secure Guest WiFi Portal with FortiGate and FortiAP

Are you looking to provide safe and controlled internet access to visitors in your office, café, or other public space? In this guide, we walk you through creating a secure guest WiFi portal using FortiGate and FortiAP. From setting up VLANs and SSIDs to customizing a captive portal and configuring firewall policies, we cover every step to ensure your guest network is both user-friendly and secure. Learn how to manage bandwidth, restrict internal network access, and monitor guest activity with ease. Perfect for IT admins and business owners alike!

FORTINET

11/26/2024, 3 min read

Guest Portal Configuration Guide

Objective

Configure a guest Wi-Fi network (SSID "Guest") via a FortiAP connected to a FortiGate, with authentication through a Captive Portal in Disclaimer mode (acceptance of the terms of use).

Prerequisites

Before configuring the Guest Portal, ensure:

  • You have a functioning FortiGate firewall and at least one FortiAP

  • FortiAPs are properly connected to the FortiGate and managed via the Wireless Controller feature

  • The FortiGate is configured and licensed (UTP) to provide internet access

  • A dedicated VLAN or SSID for guest users is configured

  • The following features are enabled in System > Feature Visibility:

    • Advanced Wireless Features

    • Policy Disclaimer

    • Wireless Open Security

    • Replacement Message Groups

    • Multiple Interface Policies (for Policy-based configuration only)

Method 1: Interface-Based Captive Portal Configuration

Step 1: Create Guest User Group

GUI Navigation: User & Authentication > User Groups > Create New

- Name: Guest-autogenerated-group
- Type: Guest - Enable "Auto-generate User"
- Enable "Username Required"
- Set Company field as "Mandatory"
- Maximum Guest Accounts: 10

CLI commands:

config user group
    edit "Guest-autogenerated-group"
        set group-type guest
        set user-id auto-generate
        set user-name enable
        set company mandatory
        set max-accounts 10
    next
end

Step 2: Create Guest Administrator Account

GUI Navigation: System > Administrators > Create New

- Username: GuestCreation
- Comments: Account to create Guest User Access
- Administrator Profile: Custom - Enable "Guest Management"
- Guest Groups: Guest-autogenerated-group
- Password: Set secure password

CLI commands:

config system admin
    edit "GuestCreation"
        set comments "Account to create Guest User Access"
        set vdom "root"
        set guest-auth enable
        set guest-usergroups "Guest-autogenerated-group"
        set password F0rtinet!
    next
end

Step 3: Create Schedule (Optional)

GUI Navigation: Policy & Objects > Schedules > Create New

- Name: Lun-Sam-8_18
- Type: Recurring
- Days: Monday through Saturday
- Time: 08:00 - 18:00

CLI commands:

config firewall schedule recurring
    edit "Lun-Sam-8_18"
        set start 08:00
        set end 18:00
        set day monday tuesday wednesday thursday friday saturday
        set color 3
    next
end

Step 4: Configure Guest SSID

GUI Navigation: WiFi & Switch Controller > SSIDs > Create New

- Interface Name: GuestSSID
- Traffic Mode: Tunnel to Wireless Controller
- SSID: WiFi_Guest
- Security Mode: Open
- Enable Captive Portal
- Portal Type: Authentication + Disclaimer
- User Groups: Guest-autogenerated-group
- Portal Message Override Group: Guest_Portal
- Redirect URL after Disclaimer: https://thessog.com
- Enable "Block Intra-SSID Traffic"
- Schedule: always (or custom schedule)

CLI commands:

config wireless-controller vap
    edit "GuestSSID"
        set ssid "WiFi_Guest"
        set security open
        set captive-portal enable
        set portal-message-override-group "Guest_Portal"
        set portal-type auth+disclaimer
        set selected-usergroups "Guest-autogenerated-group"
        set security-redirect-url "https://thessog.com"
        set intra-vap-privacy enable
        set schedule "always"
    next
end

Step 5: Create Guest VLAN Interface

GUI Navigation: Network > Interfaces > Create New > Interface

- Interface Name: VLAN_GUEST
- Type: VLAN
- Interface: port4
- VLAN ID: 20
- Addressing Mode: Manual
- IP/Netmask: 192.168.20.1/255.255.255.0
- Administrative Access: PING, HTTPS
- Security Mode: Captive Portal
- Authentication Portal: Local
- User Groups: Guest-autogenerated-group
- Redirect after Captive Portal: https://thessog.com
- Role: LAN
- Enable Device Detection

CLI commands:

config system interface
    edit "VLAN_GUEST"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping https
        set security-mode captive-portal
        set replacemsg-override-group "Guest_Portal"
        set security-redirect-url "https://thessog.com"
        set security-groups "Guest-autogenerated-group"
        set device-identification enable
        set role lan
        set snmp-index 24
        set interface "port4"
        set vlanid 20
    next
end

Step 6: Configure DHCP Server

GUI Navigation: Network > Interfaces > Edit VLAN_GUEST > Enable DHCP Server

- Address Range: 192.168.20.10 - 192.168.20.250
- Netmask: 255.255.255.0
- Default Gateway: Same as Interface IP
- DNS Server: Specify - Primary: 8.8.8.8
- Secondary: 1.1.1.1
- Lease Time: 86400 seconds

CLI commands (the default gateway line matches the "Same as Interface IP" GUI setting above):

config system dhcp server
    edit 1
        set interface "VLAN_GUEST"
        set lease-time 86400
        set default-gateway 192.168.20.1
        set dns-service specify
        set dns-server1 8.8.8.8
        set dns-server2 1.1.1.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.20.10
                set end-ip 192.168.20.250
            next
        end
    next
end

Method 2: Policy-Based Captive Portal Configuration

Prerequisites (Additional)
  • Enable "Multiple Interface Policies" in System > Feature Visibility

  • Complete Steps 1-3 of the Interface-Based configuration

Step 1: Configure Guest SSID (modified from Method 1, Step 4)

GUI Navigation: WiFi & Switch Controller > SSIDs > Create New

- Interface Name: GuestSSID
- Traffic Mode: Tunnel to Wireless Controller
- SSID: WiFi_Guest
- Security Mode: Open
- Captive Portal: Disabled (will be handled by policy)
- Enable "Block Intra-SSID Traffic"
- Schedule: always

Step 2: Create Guest VLAN Interface (modified from Method 1, Step 5)

GUI Navigation: Network > Interfaces > Create New > Interface

- Interface Name: VLAN_GUEST
- Type: VLAN
- Interface: port4
- VLAN ID: 20
- Addressing Mode: Manual
- IP/Netmask: 192.168.20.1/255.255.255.0
- Administrative Access: PING, HTTPS
- Security Mode: None (captive portal handled by policy)
- Role: LAN
- Enable Device Detection

Step 3: Create Address Object

GUI Navigation: Policy & Objects > Addresses > Create New

- Name: net_VLAN_GUEST_address
- Type: Subnet
- Subnet/IP Range: 192.168.20.0/255.255.255.0
- Interface: VLAN_GUEST

CLI commands:

config firewall address
    edit "net_VLAN_GUEST_address"
        set type interface-subnet
        set color 18
        set subnet 192.168.20.0 255.255.255.0
        set interface "VLAN_GUEST"
    next
end

Step 4: Create Firewall Policy with Captive Portal

GUI Navigation: Policy & Objects > Firewall Policy > Create New

- Name: Guest-to-Internet
- Incoming Interface: VLAN_GUEST, GuestSSID
- Outgoing Interface: virtual-wan-link (or your WAN interface)
- Source: net_VLAN_GUEST_address
- Destination: all
- Schedule: always
- Service: ALL
- Action: ACCEPT
- NAT: Enable
- Security Profiles:
  - SSL/SSH Inspection: certificate-inspection
  - Web Filter: default
- Enable all Logging Options
- Enable Captive Portal
- Portal Type: Authentication + Disclaimer
- User Groups: Guest-autogenerated-group
- Redirect URL: https://thessog.com

CLI commands (the address object name matches the one created in Step 3; the last two lines enable the disclaimer and post-disclaimer redirect selected in the GUI):

config firewall policy
    edit 2
        set name "Guest-to-Internet"
        set srcintf "VLAN_GUEST" "GuestSSID"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "net_VLAN_GUEST_address"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
        set groups "Guest-autogenerated-group"
        set disclaimer enable
        set redirect-url "https://thessog.com"
    next
end

Step 5: Configure DHCP Server

Same as Step 6 of the Interface-Based configuration.

Key Differences

Interface-Based:
  • Captive portal is configured directly on the VLAN interface

  • Authentication occurs before any policy evaluation

  • Simpler configuration for basic guest access

Policy-Based:
  • Captive portal is configured in the firewall policy

  • More granular control over traffic flow

  • Better for complex environments with multiple policies

  • Requires "Multiple Interface Policies" feature
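As an added example (not part of the original guide), the Python audit below parses FortiOS-style CLI listings like the ones above and checks the two properties both methods depend on: every open SSID must be gated either by an SSID-level captive portal (Method 1) or by a firewall policy that requires a user group (Method 2), and client-to-client traffic on it must be blocked. The sample configuration is constructed and deliberately omits `intra-vap-privacy`; the parser handles only the config/edit/set/next/end grammar shown in this guide.

```python
import shlex

# Constructed sample (not from the page): the guide's GuestSSID with an SSID-level
# portal and the Guest-to-Internet policy, but without "set intra-vap-privacy enable".
SAMPLE = """\
config wireless-controller vap
    edit "GuestSSID"
        set security open
        set captive-portal enable
    next
end
config firewall policy
    edit 2
        set srcintf "VLAN_GUEST" "GuestSSID"
        set groups "Guest-autogenerated-group"
    next
end
"""

def parse_fortios(text):
    """Map 'config <table>' -> 'edit <entry>' -> {setting: [values]} (top level only)."""
    tables, depth, table, entry = {}, 0, None, None
    lines = (shlex.split(line) for line in text.splitlines())
    for tok in filter(None, lines):  # skip blank lines
        if tok[0] == "config":  # nested sub-tables (e.g. ip-range) fold into the parent entry
            if depth == 0:
                table = tables.setdefault(" ".join(tok[1:]), {})
            depth += 1
        elif tok[0] == "end":
            depth -= 1
        elif tok[0] == "edit" and depth == 1:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def audit_guest_config(text):
    """Findings for open SSIDs gated by neither an SSID portal nor a group-gated policy, or lacking isolation."""
    cfg = parse_fortios(text)
    gated = {i for p in cfg.get("firewall policy", {}).values()
             if p.get("groups") for i in p.get("srcintf", [])}
    findings = []
    for name, vap in cfg.get("wireless-controller vap", {}).items():
        if vap.get("security") != ["open"]:
            continue
        if vap.get("captive-portal") != ["enable"] and name not in gated:
            findings.append(f"{name}: open SSID with no captive portal on SSID or policy")
        if vap.get("intra-vap-privacy") != ["enable"]:
            findings.append(f"{name}: client-to-client traffic not blocked")
    return findings
```

Run it against `show wireless-controller vap` and `show firewall policy` output from a real unit: an empty list means the guest path is gated and isolated as the guide intends.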

Verification Steps

  1. Connect to the Guest SSID

  2. Verify redirection to captive portal

  3. Test guest account creation (if using guest management)

  4. Confirm internet access after authentication

  5. Check logs under Log & Report > Forward Traffic