LAN Captive portal — beginners Guide

InfoSec Write-ups – Medium–

LAN Captive portal — beginners Guide

Captive Portals are a common security procedure, used consistently on your wifi network for guests or even when outsource employees work within your internal LAN, connecting through ethernet wall sockets.

One way to do so is to enforce it by creating a VLAN ( virtual LAN ) on your subnet interface, apply a captive portal on that interface, and create an outsource employed group

In our current topology, We will not use LDAP For our outsource group ( although it better to do so and more reasonable, but let’s make things simpler ) we will use our local FortiGate firewall database

Our Topology

Quite a simple Topology, I am using cisco SMB switch for our Marketing LAN, and My FortiGate is connected to our ISP router

So let's Start

On your FortiGate admin page, choose network — -interfaces

The opened screen will list all Interfaces on your Fortigate firewall, we will choose to apply our captive portal to our Marketing LAN, but you can choose to do it, on any LAN you wish

Our Marketing LAN is Connected to Port 2 and the subnet is

Employees on that LAN are connected through the switch which is connected To the Fortigate Firewall, Currently with No VLAN”s

Let’s create the VLAN that will be used to connect our outsource employees to the network, so move to the create a new interface, on our network interface page, and choose an interface

The New Page that will be opened will allow you to create new interfaces ( Software switch, loopback, SSID…) we will focus on our VLAN Interface, which will allow us to create another broadcast domain running on our physical port 2

Let’s configure our new VLAN

Name: outsource

Alias: let’s give it the same number as our Vlan ID which will be 100

Type: we will choose Vlan out of all choices

Interface: here we choose the physical interface that will occupy our VLAN, in our case it is Marketing port 2

VLAN ID: that’s the 802.1q tagging of our VLAN as seen by the switch

Role: we will choose LAN, as it will be used as a local area network for our outsource employees

Now remember, our VLAN, is another Local area network of itself, so let’s assign a new IP address at the subnet, a DHCP service, so our employees will lease IP’s and administrative access using HTTPS and SSH

Let’s click OK for now, we will get back to our VLAN interface again.

On the interface page, you will see the + sign next to our marketing interface

Click on the + sign, and you will see our new outsource VLAN 100 at the

Now let’s create a group for our outsource employees, as said, we will not use LDAP or any other remote authentication servers, we will use our local firewall database

Move over to users and device — -user definition

Here you will create your outsource employees, lets create two employees

Click New

When LocalUser chose, click Next

Choose a user name and password, that will be used when your employees, will authenticate, through the captive portal

Click next, you will have the option to add an email and two-factor authentication using tokens, lets just add an email

Click submit on the next page, we will assign this employee to a dedicated group soon

Create as many users as you need, in the end, you will see, them on the user’s page

Now let’s assign the new Users to a dedicated group, this group will be used in our captive portal. click user groups — -create new

Name your group and click on the Members + sign, here you will add the new users that you created

Click OK, anew group was created

Now let’s get back to our interface page, choose the VLAN, We have created, and click Edit

Scroll down to the network part, where you will see the security button, enable it

Choose Authentication portal — -Local ( if you choose External, it will ask you to refer to an external server

User access — choose restricted to groups

Now let's choose our user group, click on the + sign next to user groups and choose the group, that you have just created

You can also exempt sources, that you do not want them to be directed to the captive portal page. you will need to create a firewall address object, as shown in a previous article I wrote

Press OK. that’s it, you have created your first captive portal

You will need to make sure, that your switch supports Vlan’s, and to assign the relevant VLAN100 on that switch also, besides that, you’re done, your FortiGate port2, has become a Trunk port, that can except native VLAN traffic, and your outsource VLAN 100 traffic

You can subscribe to my channel at or join my FortiGate courses at

LAN Captive portal — beginners Guide was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

View original article on InfoSec Write-ups – Medium

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s