Administration Guide

Captive portal policies

There are two types of captive portal policies:

  • Allow captive portal access: Presents a captive portal login page when end-users' HTTP requests contain parameters or values that meet the pre-defined criteria.
  • Deny captive portal access: Blocks end-users from accessing a captive portal login page if their HTTP request contains parameters or values that meet the pre-defined criteria.
To configure an allow access captive portal policy:
  1. Go to Authentication > Portals > Policies, click Captive portals and Create New.
    The Captive Portal Policy Creation Wizard is launched.
  2. Enter the following information:
    Policy type: Specify the name and type of the portal policy.

    Name

    Enter a name for the policy.

    Description

    Optionally, enter a description of the policy.

    Type

    Select Allow captive portal access and choose a portal.

    Portal selection criteria: Specify the criteria that must be met before this captive portal is presented to an end user.

    Additional source criteria

    Redirects to this captive portal must contain parameters that meet all of the criteria included here. For example, a condition to restrict the portal to users from subnet 192.168.1.0/24 would be:

    • HTTP parameter = userip
    • Operator = [ip]in_range
    • Value = 192.168.1.0/24
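
The following is an added example, not FortiAuthenticator code, showing how a policy engine evaluates "Additional source criteria" rows of the form (HTTP parameter, operator, value) against the parameters carried in the NAS redirect, with all rows ANDed as the guide states. The [ip]in_range operator is the one shown above; the "equals" operator, the sample URL, the MAC values, and the first-match ordering between allow and deny policies are assumptions for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlparse

# Constructed sample redirect: the URL a FortiGate/FortiWiFi sends the client
# to, carrying userip and usermac (parameter names from the guide; the host
# and values are made up).
SAMPLE_REDIRECT = ("https://fac.example.test/portal/?userip=192.168.1.42"
                   "&usermac=aa:bb:cc:dd:ee:ff")

def match_criterion(params, http_parameter, operator, value):
    """Evaluate one 'Additional source criteria' row against the redirect parameters."""
    actual = params.get(http_parameter, [None])[0]
    if actual is None:
        return False                      # an absent parameter never matches
    if operator == "[ip]in_range":        # operator shown in the guide
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False                  # malformed address or range: treat as no match
    if operator == "equals":              # hypothetical operator, used here for MAC matching
        return actual.lower() == value.lower()
    raise ValueError(f"unsupported operator: {operator}")

def policy_matches(redirect_url, criteria):
    """All criteria rows must match (AND), as the guide describes."""
    params = parse_qs(urlparse(redirect_url).query)
    return all(match_criterion(params, *row) for row in criteria)

def select_policy(redirect_url, policies):
    """Return (policy type, policy name) of the first policy whose criteria match,
    or None when nothing matches. First-match ordering is an assumption of this
    example, not FortiAuthenticator's documented behaviour."""
    for name, policy_type, criteria in policies:
        if policy_matches(redirect_url, criteria):
            return policy_type, name
    return None

# Constructed policy set: a deny policy for one MAC address listed ahead of an
# allow policy for the 192.168.1.0/24 subnet from the guide's example.
POLICIES = [
    ("quarantine-deny", "deny", [("usermac", "equals", "AA:BB:CC:DD:EE:FF")]),
    ("lan-allow", "allow", [("userip", "[ip]in_range", "192.168.1.0/24")]),
]

if __name__ == "__main__":
    print(select_policy(SAMPLE_REDIRECT, POLICIES))
```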

    Access points

    Select the access points used to access the captive portal.

    RADIUS clients

    Select the RADIUS clients to associate with this portal policy.

    Authentication type: Specify the type of end-user authentication used by the portal.

    Authentication type

    Select either Password/OTP or MAC authentication.

    • Password/OTP Authentication: Selected by default, this option requires authentication with user account credentials (local or remote) or with social site credentials:
      • Local/remote user: Credentials are verified against one of the local or remote user accounts.
      • Social users: Authentication with social site credentials (OAUTH), phone number, or email. Successful authentication creates a social user account containing details about the third-party account.
    • MAC Authorization: The access point/NAS can attempt a MAC authentication bypass (MAB) prior to redirecting to the captive portal. If the MAB is successful, the access point/NAS provides network access without redirecting to the captive portal.
    Identity sources: Specify the identity sources against which to authenticate end users.

    Social Users

    Enable authorized redirects to social platforms and specify if phone or email verification is required.

    This setting is only available for Password/OTP Authentication when Social Users is enabled in Authentication type.

    Username format

    Select one of the following three username input formats:

    • username@realm
    • realm\username
    • realm/username

    This setting is only available for Password/OTP Authentication.

    Use default realm when user-provided realm is different from all configured realms

    When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.

    Realms

    Add realms to which the client will be associated.

    • Select a realm from the dropdown menu in the Realm column.
    • Select whether or not to allow local users to override remote users for the selected realm.
    • Select whether or not to use Windows AD domain authentication.
    • Edit the group filter as needed to filter users based on the groups they are in.
    • If necessary, add more realms to the list.
    • Select the realm that will be the default realm for this client.

    This setting is only available for Password/OTP Authentication.
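
An added example (not FortiAuthenticator code) of how a login string is split under each of the three username formats above, and how the "Use default realm when user-provided realm is different from all configured realms" setting and the "Reject usernames containing uppercase letters" option from the Advanced Options decide which realm authenticates the user. The realm names, the treatment of a login with no realm at all (falling back to the default realm), and applying the uppercase check to the username part only are assumptions.

```python
# Constructed configuration: realms configured on the appliance (names made up)
# and the realm marked as default for this policy.
CONFIGURED_REALMS = {"corp.example.test", "guests"}
DEFAULT_REALM = "corp.example.test"

def split_username(raw, username_format):
    """Split a login string by the selected username format.
    Returns (username, realm); realm is None when the user supplied none."""
    if username_format == "username@realm":
        user, sep, realm = raw.rpartition("@")      # split on the last '@'
        return (user, realm) if sep else (raw, None)
    if username_format == "realm\\username":
        realm, sep, user = raw.partition("\\")
        return (user, realm) if sep else (raw, None)
    if username_format == "realm/username":
        realm, sep, user = raw.partition("/")
        return (user, realm) if sep else (raw, None)
    raise ValueError(f"unknown username format: {username_format}")

def resolve_realm(raw, username_format, use_default_when_unknown, reject_uppercase=False):
    """Return (username, realm) to authenticate against, or None to reject."""
    user, realm = split_username(raw, username_format)
    if reject_uppercase and user != user.lower():
        return None                     # 'Reject usernames containing uppercase letters'
    if realm is None:
        return user, DEFAULT_REALM      # assumption: no realm given -> default realm
    if realm in CONFIGURED_REALMS:
        return user, realm
    if use_default_when_unknown:        # the 'Use default realm ...' toggle
        return user, DEFAULT_REALM
    return None                         # unknown realm and fallback disabled: reject

if __name__ == "__main__":
    print(resolve_realm("alice@nowhere", "username@realm", True))
```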

    Authentication factors: Specify which authentication factors to verify.

    Authentication type

    Select one of the following:

    • Mandatory two-factor authentication: Two-factor authentication is required for every user.
    • Verify all configured authentication factors: Two-factor authentication is required if it is enabled on the user's account; otherwise, one-factor authentication is allowed.
    • Password-only authentication: Authenticate users through password verification only. User accounts for which password authentication is disabled cannot be authenticated.
    • Token-only authentication: Authenticate users through token verification only. User accounts for which token authentication is disabled cannot be authenticated.

    This setting is only available for Password/OTP Authentication.

    User IP address parameter

    Select the user IP address parameter.

    Use userip for FortiGate/FortiWiFi.

    Adaptive Authentication

    Enable this option if you would like to have certain users bypass OTP validation, so long as they belong to a trusted subnet.

    Select All trusted subnets to add all the available trusted subnets.

    You can specify the trusted subnets by selecting Specify trusted subnets and clicking the pen icon. This opens a window where you can choose from a list of available trusted subnets.

    Adaptive Authentication is available only for the following authentication types:

    • Mandatory two-factor authentication

    • Verify all configured authentication factors

    MAC address parameter

    Select the MAC address parameter.

    Use usermac for FortiGate/FortiWiFi, station_mac for FortiWLC, or client_mac for Cisco WLC.

    Restrict access based on end-user MAC address

    Select the authorized MAC device groups.

    Authorized groups must first be created under Authentication > User Management > User Groups, where the Type is MAC.

    Advanced Options

    Allow FortiToken Mobile push notifications

    Toggle FTM push notifications on or off for RADIUS users. This setting is controlled only here, on a per-RADIUS-client basis, not for specific users.

    This setting is only available for Password/OTP Authentication.

    Application name for FTM push notification

    Enter the client application name. This field is displayed on the FortiToken app.

    When creating a new policy or upgrading to FortiAuthenticator 6.3, the policy name is the default client application name.

    Resolve user geolocation from their IP address

    Enable to resolve the user geolocation from their IP address (if possible).

    Reject usernames containing uppercase letters

    Enable this setting to reject usernames that contain uppercase letters.

    This setting is only available for Password/OTP Authentication.

    RADIUS response: Specify the content of the RADIUS authentication response based on the outcome of the authentication.
  3. Click Save and exit.
To configure a deny access captive portal policy:
  1. Go to Authentication > Portals > Policies, click Captive portals and Create New.
    The Captive Portal Policy Creation Wizard is launched.
  2. Enter the following information:
    Policy type: Specify the name and type of the portal policy.

    Name

    Enter a name for the policy.

    Description

    Optionally, enter a description of the policy.

    Type

    Select Deny captive portal access.

    Portal selection criteria: Specify the criteria that must be met for captive portal access to be denied to an end user.

    Additional source criteria

    Redirects to this captive portal must contain parameters that meet all of the criteria included here. For example, a condition to restrict the portal to users from subnet 192.168.1.0/24 would be:

    • HTTP parameter = userip
    • Operator = [ip]in_range
    • Value = 192.168.1.0/24

    Access points

    Select the portal access points.

    End-users must be redirected to the captive portal from one of these access points/NAS.

    Browser response

    The FortiAuthenticator presents an error message to end-users' browsers when captive portal access is denied.

    You can customize the browser response error message at Authentication > Self-service Portal > Replacement Message > System > 403 Forbidden.

  3. Click Save and exit.
