Use case
To configure multiple captive portals on FortiGate devices—each tied to a specific interface or SSID—you need to properly set the portal-addr parameter for each portal configuration.
The portal-addr must be a Fully Qualified Domain Name (FQDN) that resolves to the IP address of the interface associated with the corresponding SSID. It's essential that the client device can resolve this FQDN using the DNS server specified in the DHCP scope of that network. This ensures the captive portal page is reachable during the redirection process.
In FortiOS versions before 7.0.6, the authentication portal address (portal-addr) could only be configured globally:
config firewall auth-portal
set portal-addr "your_fqdn"
end
This creates challenges when you need to configure or broadcast multiple captive portals.
For instance, you might want to deploy captive portals on both port1 and port2:
- IP address of port1 is 192.168.29.1
- IP address of port2 is 192.168.30.1
A client connected to port1 hits the captive portal and is redirected to your_fqdn (e.g., guest.poc.cloudi-fi.net), which must resolve to the IP address of port1 (e.g., 192.168.29.1).
A client connected to port2 hits the captive portal and is redirected to the same your_fqdn (e.g., guest.poc.cloudi-fi.net), which must resolve to the IP address of port2 (e.g., 192.168.30.1).
Therefore, a DNS workaround is needed, because guest.poc.cloudi-fi.net can only resolve to one of the two interface IP addresses (either port1 or port2).
An improvement was introduced starting with FortiOS 7.0.6, allowing the authentication portal addresses to be configured under the specific interfaces set up as captive portals.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Your Cloudi-FI Guest SSID/Subnet should already be configured to apply the following procedure. If you haven’t configured your Cloudi-FI Guest SSID yet, please follow this article: How to set up Cloudi-Fi Captive Portal in FortiOS
- A dedicated SSL certificate has to be issued and installed (see steps 1, 2, 3 in How to enable HTTPS Redirection to avoid web-browser warning (Fortigate))
- Access to the DNS server specified in the DHCP scope of your Guest network
- FortiOS starting from 7.0.6
Enabling Multiple SSID Captive Portals in FortiGate WiFi Controller
1. Configure SSIDs on FortiGate
Go to WiFi & Switch Controller > SSIDs, select your first SSID, and open the CLI console.
Then run the following commands:
config system interface
edit "SSID_1"
set auth-portal-addr "port1.your_fqdn"
end
For instance
config system interface
edit "TP LINK CM"
set auth-portal-addr "guest.poc.cloudi-fi.net"
end
Repeat this step for your second SSID interface.
For instance
config system interface
edit "TP LINK CM_2"
set auth-portal-addr "fortifi.poc.cloudi-fi.net"
end
2. Update DNS Record
In the DNS server specified in the DHCP scope of your Guest network, update your existing DNS record(s):
With one Guest SSID using Cloudi-Fi captive portal authentication:
fqdn_1 <-> Interface IP of your WiFi SSID_1
With more than one Guest SSID using Cloudi-Fi captive portal authentication:
fqdn_1 <-> Interface IP of your WiFi SSID_1
fqdn_2 <-> Interface IP of your WiFi SSID_2
You can verify that the DNS records have been updated correctly as follows.
Connect to the SSID routed to your 1st interface and run the following command:
nslookup port1.your_fqdn
For instance
nslookup guest.poc.cloudi-fi.net
Results on a client PC connected to "TP LINK CM":
Name: guest.poc.cloudi-fi.net
Address: 192.168.169.1
Then connect to the SSID routed to your 2nd interface and run the same command for its FQDN.
Results on a client PC connected to "TP LINK CM_2":
Name: fortifi.poc.cloudi-fi.net
Address: 10.0.30.1
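As a consistency check for the rule in the use case above (each auth-portal-addr must resolve, on the DNS server from the guest DHCP scope, to the IP of its own interface) and for the nslookup verification in step 2, here is an added Python example that is not part of the original article or of FortiOS: it parses a constructed "config system interface" dump and constructed nslookup output and reports every portal FQDN that does not resolve to its interface address. The interface names, addresses and the deliberately stale second record are constructed for illustration.

```python
import re
# Constructed sample of a FortiOS 7.0.6+ "config system interface" dump; names and
# addresses follow the article's examples. "port3" has no portal and must be skipped.
SAMPLE_CONFIG = """
config system interface
    edit "TP LINK CM"
        set ip 192.168.29.1 255.255.255.0
        set auth-portal-addr "cm1.poc.cloudi-fi.net"
    next
    edit "TP LINK CM_2"
        set ip 192.168.30.1 255.255.255.0
        set auth-portal-addr "cm2.poc.cloudi-fi.net"
    next
    edit "port3"
        set ip 10.0.40.1 255.255.255.0
    next
end
"""

# Constructed nslookup output from a guest client (DNS server from the DHCP scope).
# The second record is deliberately stale: it still points at interface 1.
NSLOOKUP_OUTPUT = """
Name:    cm1.poc.cloudi-fi.net
Address: 192.168.29.1
Name:    cm2.poc.cloudi-fi.net
Address: 192.168.29.1
"""

def parse_portal_interfaces(config_text):
    """Return {interface: (ip, fqdn)} for every interface that sets auth-portal-addr."""
    result = {}
    for name, body in re.findall(r'edit "([^"]+)"(.*?)\bnext\b', config_text, re.S):
        ip = re.search(r"set ip (\S+) \S+", body)
        fqdn = re.search(r'set auth-portal-addr "([^"]+)"', body)
        if fqdn:  # interfaces without a portal address are not captive portals
            result[name] = (ip.group(1) if ip else None, fqdn.group(1))
    return result

def parse_nslookup(output):
    """Build {fqdn: ip} from nslookup answers like the article's (one address per name)."""
    return dict(re.findall(r"Name:\s+(\S+)\s+Address:\s+(\S+)", output))

def check_portal_dns(config_text, dns_answers):
    """Return problems; an empty list means each portal FQDN resolves to its own interface IP."""
    problems = []
    for name, (ip, fqdn) in parse_portal_interfaces(config_text).items():
        answer = dns_answers.get(fqdn)
        if answer != ip:
            problems.append(f"{name}: {fqdn} -> {answer or 'no record'}, expected {ip}")
    return problems
```

Paste the real output of "show system interface" and of nslookup from a guest client into the two constants to run the same check against your own deployment.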
3. Update your Firewall policy
Go to Policy & Objects > Firewall Policy and update your existing policies (configured in How to set up Cloudi-Fi Captive Portal in FortiOS / 6. Configure the security policy) to add all of your SSID interfaces (where the Cloudi-Fi captive portal is configured) as sources.
If you cannot add multiple sources, you have to go to System > Feature Visibility and enable "Multiple Interface Policies".
| ID | Name | Source | Destination | Service | NAT | Action | Exempt from the captive portal |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | DNS | SSID interface_1, SSID interface_2, ... | DNS Servers | DNS | Depends on your configuration | Accept | Yes |
| 2 | Allow-Guest | SSID interface_1, SSID interface_2, ... | Outside interface | HTTP, HTTPS | Depends on your configuration | Accept | No |
| 3 | Guest-Deny-All (Optional*) | SSID interface_1, SSID interface_2, ... | RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | ALL | Depends on your configuration | Deny | No |
Enabling Multiple Captive Portals on FortiGate Interfaces
1. Configure Interfaces on FortiGate
Go to Network > Interfaces, select your first interface, and open the CLI console.
Then run the following commands:
config system interface
edit "port1"
set auth-portal-addr "port1.your_fqdn"
end
For instance
config system interface
edit "TP LINK CM"
set auth-portal-addr "cm1.poc.cloudi-fi.net"
end
Repeat this step for your second interface.
For instance
config system interface
edit "TP LINK CM_2"
set auth-portal-addr "cm2.poc.cloudi-fi.net"
end
2. Update DNS Record
In the DNS server specified in the DHCP scope of your Guest network, update your existing DNS record(s):
With one Guest interface using Cloudi-Fi captive portal authentication:
fqdn_1 <-> IP of interface_1
With more than one Guest interface using Cloudi-Fi captive portal authentication:
fqdn_1 <-> IP of interface_1
fqdn_2 <-> IP of interface_2
You can verify that the DNS records have been updated correctly as follows.
Connect to the network routed to your 1st interface and run the following command:
nslookup port1.your_fqdn
For instance
nslookup cm1.poc.cloudi-fi.net
Results on a client PC connected to "TP LINK CM":
Name: cm1.poc.cloudi-fi.net
Address: 192.168.29.1
Then connect to the network routed to your 2nd interface and run the same command for its FQDN.
Results on a client PC connected to "TP LINK CM_2":
Name: cm2.poc.cloudi-fi.net
Address: 192.168.30.1
3. Update your Firewall policy
Go to Policy & Objects > Firewall Policy and update your existing policies (configured in How to set up Cloudi-Fi Captive Portal in FortiOS / 6. Configure the security policy) to add all of your firewall interfaces (where the Cloudi-Fi captive portal is configured) as sources.
If you cannot add multiple sources, you have to go to System > Feature Visibility and enable "Multiple Interface Policies".
| ID | Name | Source | Destination | Service | NAT | Action | Exempt from the captive portal |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | DNS | interface_1, interface_2, ... | DNS Servers | DNS | Depends on your configuration | Accept | Yes |
| 2 | Allow-Guest | interface_1, interface_2, ... | Outside interface | HTTP, HTTPS | Depends on your configuration | Accept | No |
| 3 | Guest-Deny-All (Optional*) | interface_1, interface_2, ... | RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | ALL | Depends on your configuration | Deny | No |
What's next?
Congratulations on enabling dual captive portal functionality with your FortiGate Firewall! For additional details, visit: Fortinet Technical tips.