This article applies if you use any WiFi infrastructure connected at layer 2 to your Fortigate, without Fortinet Access Points. If you are routing your WiFi traffic, you should use our WAN deployment on the Fortigate instead.
Configuration steps:
1. Get Cloudi-Fi required URL and RADIUS secret
2. Create Cloudi-Fi Radius Server
3. Configure Captive Portal Settings
3a. WiFi Deployment
3b. Interface Deployment
4. Configure Security Policy
Validated with FortiOS 6.2.5 build 1142
1) Get Cloudi-Fi required URL and RADIUS secret
Go to your Cloudi-Fi administration interface and get the URL for external authentication
Go to Locations Menu
Click on the menu button of the location and select "Copy Splash page URI"
Copy the URI
Transform the URI as shown in the following screenshot

Go to the chat interface and ask for your Radius secret
Copy the secret as well
2) Create the Cloudi-Fi Radius server
Go to your Fortigate administration interface.
Go to User & Device > RADIUS Servers > Create New :
Name : Cloudi-Fi_Radius_Srv
Authentication Method : Default
IP/Name : radius.cloudi-fi.net
Secret : Provided by Cloudi-Fi Support team
Save
Go to User & Device > User Groups > Create New :
Name : Cloudi-Fi_Radius_group
Type : Firewall
Remote Groups : Add Cloudi-Fi_Radius_Srv
Save
3) Configure Captive Portal settings
Note: The Captive Portal feature can be enabled in two different ways with Fortigate, depending on your infrastructure:
In the Fortigate WiFi controller if you have FortiAP (Fortigate WiFi Access Points)
In a Fortigate interface (physical or VLAN interface) if you have another WiFi vendor or if you want to enable the captive portal for wired users.
3a) Enable Captive portal in Fortigate WiFi controller
If you have FortiAP and want to enable Cloudi-Fi in the Fortinet WiFi controller :
Go to WiFi & Switch Controller > SSID > Create New :
Provide a name, the mode (tunnel or bridge) and fill in the network information
WiFi settings :
Security mode : Captive Portal
Portal type : External Authentication
URL : https://login.cloudi-fi.net/start/CompanyKey/Location-ID?spentityid=spforti.com
User Groups : Cloudi-Fi_Radius_group
Redirect after Captive Portal : Specific URL : https://login.cloudi-fi.net/success.php
Save
3b) Enable Captive Portal in Fortigate interface
Use this option if you want to enable the captive portal for your wireless and/or wired users and you don't have FortiAP.
Note: Because the captive portal feature is enabled for all the traffic of a specific interface, we recommend using a dedicated interface (physical or VLAN) for the Guest network.
Go to Network > Interfaces > Edit the Guest interface
Then go to the Network Section of the interface and enable Security Mode :
Security Mode : Captive Portal
Authentication Portal : External
URL : https://login.cloudi-fi.net/start/CompanyKey/Location-ID?spentityid=spforti.com
User Access : Restricted to Groups : Cloudi-Fi_Radius_group
Exempt destinations : Create a FQDN Object for *.cloudi-fi.net
Redirect after captive portal : https://login.cloudi-fi.net/success.php
Save
4) Configure the Security Policy
To finalize the configuration, you have to create security rules that allow unauthenticated users to reach the captive portal.
Go to Policy & Objects > IPv4 Policy and create the rules below, in the same order:
Rules for unauthenticated users :
Name | Source | Destination | Service | NAT | Action |
DNS | Guest interface | DNS Servers | DNS | TBD | Accept |
Walled Garden | Guest interface | FQDN_CloudiFi | HTTPS | Yes | Accept |
Once these rules are created, right-click on each rule, select "Edit in CLI" and copy/paste the following commands to bypass the captive portal authentication for the above rules.
set captive-portal-exempt enable
end
Rule for authenticated user :
Name | Source | Destination | Service | NAT | Action |
Allow-Guest | Guest interface | Outside interface | ALL | Yes | Accept |
Guest-Deny-All (Optional*) | Guest interface | RFC1918: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 | ALL | No | Deny |
*The explicit deny rule is optional if your Fortigate Implicit Rule is already configured to deny all the traffic.
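The exemption in step 4 should only sit on the DNS and Walled Garden rules. If it is also pasted onto Allow-Guest, guests skip the portal entirely. The following added example (not part of the Cloudi-Fi or Fortinet documentation) scans an exported firewall policy block for that mistake. The sample configuration is constructed, and the interface name "guest" and the address object names are assumptions.

```python
import re
# Constructed sample (FortiOS "show" style); object names are assumptions.
SAMPLE_CONFIG = '''
config firewall policy
    edit 1
        set name "DNS"
        set srcintf "guest"
        set dstaddr "DNS_Servers"
        set service "DNS"
        set captive-portal-exempt enable
    next
    edit 2
        set name "Walled Garden"
        set srcintf "guest"
        set dstaddr "FQDN_CloudiFi"
        set service "HTTPS"
        set captive-portal-exempt enable
    next
    edit 3
        set name "Allow-Guest"
        set srcintf "guest"
        set dstaddr "all"
        set service "ALL"
        set captive-portal-exempt enable
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {option: [values]}} for each edit/next entry."""
    policies, current = {}, None
    for line in text.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if len(tokens) >= 2 and tokens[0] == "edit":
            current = policies.setdefault(tokens[1], {})
        elif len(tokens) >= 3 and tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[:1] == ["next"]:
            current = None
    return policies

def find_broad_exemptions(text, guest_intf="guest"):
    """Exempt guest policies whose service or destination is unrestricted."""
    findings = []
    for pid, opts in parse_policies(text).items():
        exempt = opts.get("captive-portal-exempt") == ["enable"]
        broad = "ALL" in opts.get("service", []) or "all" in opts.get("dstaddr", [])
        if exempt and broad and guest_intf in opts.get("srcintf", []):
            findings.append((pid, opts.get("name", [""])[0]))
    return findings
```

On the sample, `find_broad_exemptions(SAMPLE_CONFIG)` reports policy 3 (Allow-Guest) and leaves the DNS and Walled Garden rules alone.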