Describes how to configure your Fortinet FortiGate to activate the Cloudi-Fi splash page feature
Learn how to launch the Cloudi-Fi captive portal natively from FortiGate:
This article describes FortiGate captive portal configuration. Cloudi-Fi can launch the captive portal natively from the FortiGate, avoiding any local setup in any WiFi infrastructure. The only requirement is that the guest traffic is routed to the FortiGate as described in the diagram and workflow below:
FortiGate integration with Cloudi-Fi captive portal diagram:

Cloudi-Fi captive portal SSID and Radius configuration diagram:

Note that, as an alternative, you can configure Cloudi-Fi with IPsec/GRE tunnels as described in the WAN deployment KB.
Cloudi-Fi cloud captive portal deployment configuration steps:
1) Get Cloudi-Fi required URL and RADIUS secret
2) Create Cloudi-Fi Radius Server
3) Configure Captive Portals Settings
   3a. WiFi Deployment
   3b. Interface Deployment
4) Enable HTTP auth-type
5) Configure Security Policy
Validated with FortiOS 6.2.5 build 1142
1) Get Cloudi-Fi required URL and RADIUS secret
Go to your Cloudi-Fi administration interface and get the URL for external authentication.
- Go to the Locations menu
- Click on the menu button of the location and select "Copy Splash page URI"
- Copy the URI
- Transform the URI as shown in the following screenshot

Go to the chat interface and ask for your Radius secret
- Copy the secret as well
2) Create the Cloudi-Fi Radius server
Go to your FortiGate administration interface:
Go to User & Device > RADIUS Servers > Create New:
- Name: Cloudi-Fi_Radius_Srv
- Authentication Method: Default
- IP/Name: radius.cloudi-fi.net
- Secret: Provided by the Cloudi-Fi Support team
- Save

Go to User & Device > User Groups > Create New:
- Name: Cloudi-Fi_Radius_group
- Type: Firewall
- Remote Groups: Add Cloudi-Fi_Radius_Srv
- Save
3) FortiGate Captive Portal configuration settings
Note: The Captive Portal feature can be enabled in two different ways with FortiGate, depending on your infrastructure:
- In the FortiGate WiFi controller, if you have FortiAP (FortiGate WiFi Access Points)
- In a FortiGate interface (physical or VLAN interface), if you have other WiFi vendors or want to enable a captive portal for wired users.
3a) Enable the Captive portal in FortiGate WiFi controller
If you have FortiAP and want to enable Cloudi-Fi in the Fortinet WiFi controller:
Go to WiFi & Switch Controller > SSID > Create New:
- Provide a name and the mode (tunnel or bridge) and fill in the network information
- WiFi settings:
  - Security mode: Captive Portal
  - Portal type: External Authentication
  - URL: https://login.cloudi-fi.net/start/CompanyKey/Location-ID?spentityid=spforti.com
  - User Groups: Cloudi-Fi_Radius_group
  - Redirect after Captive Portal: Specific URL: https://login.cloudi-fi.net/success.php
- Save
3b) Enable Captive Portal in FortiGate interface
Use this option if you want to enable the captive portal for your wireless and/or wired users and don't have FortiAP.
Note: Because the captive portal feature is enabled for all the traffic of a specific interface, we recommend using a dedicated interface (physical or VLAN) for the Guest network.
Go to Network > Interfaces and edit the Guest interface:
Then go to the Network section of the interface and enable Security Mode:
- Security Mode: Captive Portal
- Authentication Portal: External
- URL: https://login.cloudi-fi.net/start/CompanyKey/Location-ID?spentityid=spforti.com
- User Access: Restricted to Groups: Cloudi-Fi_Radius_group
- Exempt destinations: Create an FQDN Object for:
  - login.cloudi-fi.net
  - login-cn.cloudi-fi.net
  - guest-api-v1.cloudi-fi.net
  - cdn.cloudi-fi.net
- Redirect after captive portal: https://login.cloudi-fi.net/success.php
- Save
4) Enable HTTP auth-type
When user authentication is enforced within a security policy, as it is with a captive portal, users must first connect with a supported protocol to be redirected to the portal. As captive portal detection is based on HTTP, you must enable both the HTTP and HTTPS auth-types. Otherwise, the captive portal is not automatically displayed.
Go to User & Device > Authentication Settings:
- Supported protocols: Check HTTP and HTTPS
- Save

To configure in CLI:

    config user setting
        set auth-timeout 5
        set auth-type http https
    end

5) Configure the Security Policy
To finalize the configuration, you must create security rules to allow an unauthenticated user to access the captive portal.
Go to Policy & Objects > IPv4 Policy and create the rules below in the same order:
- Rules for unauthenticated users:

| Name | Source | Destination | Service | NAT | Action |
|---|---|---|---|---|---|
| DNS | Guest interface | DNS Servers | DNS | TBD | Accept |
| Walled Garden | Guest interface | FQDN_CloudiFi | HTTPS | Yes | Accept |

Cloudi-Fi's FQDN:
- login.cloudi-fi.net
- guest-api-v1.cloudi-fi.net
- cdn.cloudi-fi.net
Once these rules are created, right-click on each, select "Edit in CLI" and copy/paste this command to bypass the captive portal authentication for the above rules.

    set captive-portal-exempt enable
    end

- The rule for authenticated users:

| Name | Source | Destination | Service | NAT | Action |
|---|---|---|---|---|---|
| Allow-Guest | Guest interface | Outside interface | ALL | Yes | Accept |
| Guest-Deny-All (Optional*) | Guest interface | RFC1918: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 | ALL | No | Deny |

*The explicit deny rule is optional if your FortiGate Implicit Rule is already configured to Deny all the traffic.
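
The `captive-portal-exempt` rules above bypass portal authentication, so they should stay limited to DNS and the walled garden. The following added example (not part of the Cloudi-Fi article or of Fortinet tooling) parses a `config firewall policy` section taken from a configuration backup and flags any exempt policy outside that allow-list; the sample configuration and the object names `DNS_Servers` and `FQDN_CloudiFi` are constructed assumptions.

```python
import shlex

# Constructed sample of a "config firewall policy" section (not from a real device).
# Object names DNS_Servers and FQDN_CloudiFi are assumed names for the page's objects.
SAMPLE = '''
config firewall policy
    edit 1
        set name "DNS"
        set dstaddr "DNS_Servers"
        set service "DNS"
        set captive-portal-exempt enable
    next
    edit 2
        set name "Walled Garden"
        set dstaddr "FQDN_CloudiFi"
        set service "HTTPS"
        set captive-portal-exempt enable
    next
    edit 3
        set name "Allow-Guest"
        set dstaddr "all"
        set service "ALL"
        set captive-portal-exempt enable
    next
end
'''

# (dstaddr, service) pairs that may bypass the portal: DNS and the walled garden only.
ALLOWED = {(("DNS_Servers",), ("DNS",)), (("FQDN_CloudiFi",), ("HTTPS",))}

def parse_policies(text):
    """Return one dict per 'edit N ... next' entry; values are token lists."""
    policies, current = [], None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "edit":
            current = {"id": tok[1]}
        elif tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]
        elif tok[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies

def over_exempt(policies, allowed=ALLOWED):
    """Names of exempt policies whose (dstaddr, service) is not in the allow-list."""
    return [p.get("name", [p["id"]])[0] for p in policies
            if p.get("captive-portal-exempt") == ["enable"]
            and (tuple(p.get("dstaddr", [])), tuple(p.get("service", []))) not in allowed]
```

On the constructed sample, `over_exempt(parse_policies(SAMPLE))` reports `Allow-Guest`, the case where the exempt command was pasted into the rule meant for authenticated users.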
If you need more information about our solutions integrated with Fortinet SD-WAN, you can visit our partner page.