Configure multiple captive portals on FortiGate devices using different interfaces or SSIDs.
Use case
In FortiOS versions before 7.0.6, the authentication portal address (auth-portal-addr) could only be configured globally:
config firewall auth-portal
set portal-addr "your_fqdn"
end
This creates challenges when several captive portals have to be served at once. For instance, you might want to deploy captive portals on both port1 and port2:
- IP address of port1 is 192.168.29.1
- IP address of port2 is 192.168.30.1
A client connected to port1 will hit the captive portal and be redirected to your_fqdn (e.g., guest.poc.cloudi-fi.net), which has to resolve to the IP address of port1 (e.g., 192.168.29.1).
A client connected to port2 will hit the captive portal and be redirected to the same your_fqdn (e.g., guest.poc.cloudi-fi.net), which this time has to resolve to the IP address of port2 (e.g., 192.168.30.1).
Therefore, a DNS solution is needed that resolves guest.poc.cloudi-fi.net to one interface IP address or the other (port1 or port2), depending on where the client is connected.
Starting with FortiOS 7.0.6, the authentication portal address can instead be configured per interface, directly on each interface set up as a captive portal.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Your Cloudi-Fi Guest SSID/Subnet should already be configured before applying the following procedure. If you haven't configured your Cloudi-Fi Guest SSID yet, please follow this article: How to set up Cloudi-Fi Captive Portal in FortiOS
- A dedicated SSL certificate has to be issued and installed (see steps 1, 2 and 3 in How to enable HTTPS Redirection to avoid web-browser warning (Fortigate))
- FortiOS 7.0.6 or later
1. Configure Interfaces on FortiGate
Go to Network > Interface, select your first interface, and open the CLI console.
Then run the following commands:
config system interface
edit "port1"
set auth-portal-addr "port1.your_fqdn"
end
For instance
config system interface
edit "TP LINK CM"
set auth-portal-addr "cm1.poc.cloudi-fi.net"
end
Replicate this step for your second interface, using the FQDN dedicated to that interface.
For instance
config system interface
edit "TP LINK CM_2"
set auth-portal-addr "cm2.poc.cloudi-fi.net"
end
2. Check results
Connect to the SSID routed to your 1st interface and run the following command:
nslookup port1.your_fqdn
For instance
nslookup cm1.poc.cloudi-fi.net
Results on the client PC connected to "TP-LINK CM":
Name: cm1.poc.cloudi-fi.net
Address: 192.168.29.1
Then connect to the SSID routed to your 2nd interface and run the same command with that interface's FQDN (e.g., nslookup cm2.poc.cloudi-fi.net).
Results on the client PC connected to "TP-LINK CM_2":
Name: cm2.poc.cloudi-fi.net
Address: 192.168.30.1
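As an added example (not part of this article and not Cloudi-Fi or FortiOS code), the following Python script automates the check above: it parses the per-interface auth-portal-addr settings from a FortiOS CLI fragment and verifies that each portal FQDN resolves to the IP address of its own interface, so a redirected client always lands on the gateway it can reach. The configuration fragment, the DNS answer table and the function names are constructed assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed FortiOS CLI fragment modelled on the article's two-interface setup (not from a real device).
FORTIOS_CONFIG = """
config system interface
    edit "port1"
        set ip 192.168.29.1 255.255.255.0
        set auth-portal-addr "cm1.poc.cloudi-fi.net"
    next
    edit "port2"
        set ip 192.168.30.1 255.255.255.0
        set auth-portal-addr "cm2.poc.cloudi-fi.net"
    next
end
"""

# Constructed DNS answers as a guest client would see them (what nslookup returns).
DNS_ANSWERS = {
    "cm1.poc.cloudi-fi.net": "192.168.29.1",
    "cm2.poc.cloudi-fi.net": "192.168.30.1",
}

def parse_interfaces(config):
    """Map interface name -> {"net": IPv4Interface, "portal": auth-portal-addr FQDN}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r'edit "([^"]+)"', line):
            current = interfaces.setdefault(m.group(1), {"net": None, "portal": None})
        elif m := re.match(r"set ip (\S+) (\S+)", line):
            current["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r'set auth-portal-addr "([^"]+)"', line):
            current["portal"] = m.group(1)
    return interfaces

def check_portals(interfaces, dns):
    """Each portal FQDN must resolve to the IP of its own interface, or the redirect is unreachable."""
    problems = []
    for name, iface in interfaces.items():
        got = dns.get(iface["portal"])
        if got != str(iface["net"].ip):
            problems.append(f"{name}: {iface['portal']} -> {got}, expected {iface['net'].ip}")
    return problems

def portal_for_client(client_ip, interfaces, dns):
    """Simulate the redirect: the interface the client sits behind decides which FQDN and IP it lands on."""
    for name, iface in interfaces.items():
        if ipaddress.ip_address(client_ip) in iface["net"].network:
            return name, iface["portal"], dns.get(iface["portal"])
```

Run check_portals against the answers your guest clients actually receive; any entry it returns points at an interface whose FQDN is resolved by the wrong DNS view.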
What's next?
Congratulations on enabling dual captive portal functionality on your FortiGate firewall! For additional details, visit: Fortinet Technical Tips.