After a rough time with a TP-Link enterprise access point and controller, I decided to change all of the access points in my home to a Fortinet system. With a Fortinet system I am able to control the access points from the FortiGate firewall, and the hardware is much stronger for handling devices.
Set up a captive portal WiFi for FortiAP
A captive portal provides web-based authentication and automatically ends the session when the user stops using the network. Unlike WPA2 Personal or Enterprise, the password and account information used to log in to the WiFi are not stored in the client device's local storage.
Pictures and information from: http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/
The portal web page is a script that collects the user's logon information and sends it back to the FortiGate by posting the form data to
https://<FGT_IP>:1003/fgtauth
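As an added example (not code from the Fortinet cookbook or from this post), here is a minimal external portal page in Python that does the job described above. It assumes the parameter names of the FortiOS external captive portal flow as used in the cookbook's sample page: the FortiGate redirects the client to the portal with magic, post, usermac, apmac, apip, userip, ssid, apname, bssid and 4Tredir in the query string, and the page posts magic, username, password and 4Tredir back to fgtauth. FGT_IP, the listening port and the sample redirect URL are constructed for illustration. The check a practitioner should not skip is the one on the post parameter: the page must only ever send credentials to your own FortiGate over HTTPS, otherwise anyone who can lure a client to the page with a crafted link gets the credentials delivered to a server of their choosing.

```python
"""External captive portal login page for FortiGate/FortiAP (added example).

Assumed (from the Fortinet cookbook sample, verify against your FortiOS release):
the FortiGate redirects to this page with magic, post, usermac, apmac, apip,
userip, ssid, apname, bssid and 4Tredir, and expects a POST of magic, username,
password and 4Tredir to https://<FGT_IP>:1003/fgtauth.
"""
import re
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed values: the only FortiGate this page may send credentials to.
FGT_IP = "192.168.1.99"
FGTAUTH_URL = f"https://{FGT_IP}:1003/fgtauth"   # HTTPS on 1003 needs auth-secure-http enable

# Constructed sample of the redirect the FortiGate sends an unauthenticated client to.
SAMPLE_REDIRECT = (
    "/login?login=&post=https://192.168.1.99:1003/fgtauth&magic=000a038293d1f411"
    "&usermac=00:11:22:33:44:55&apmac=aa:bb:cc:dd:ee:ff&apip=10.10.80.5&userip=10.10.80.21"
    "&ssid=GuestPortal&apname=FAP221C&bssid=aa:bb:cc:dd:ee:f0&4Tredir=http://example.com/"
)

PASSTHROUGH = ("magic", "4Tredir")                      # fields copied into the form as hidden inputs
TOKEN_RE = re.compile(r"^[\x21-\x7e]{1,128}$")          # opaque token: printable ASCII, no whitespace


class PortalError(ValueError):
    """The request does not look like a genuine FortiGate redirect."""


def parse_redirect(url: str) -> dict:
    """Validate the FortiGate redirect and return the fields the login form needs.

    'post' names where the credentials go; it must match our FortiGate exactly
    (scheme, host, port, path), so a crafted link cannot divert them elsewhere.
    """
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    p = {k: v[0] for k, v in q.items()}

    want = urlsplit(FGTAUTH_URL)
    try:
        post = urlsplit(p.get("post", FGTAUTH_URL))
        same = (post.scheme, post.hostname, post.port, post.path) == (want.scheme, want.hostname, want.port, want.path)
    except ValueError:          # e.g. a non-numeric port
        same = False
    if not same:
        raise PortalError("refusing to post credentials to %r" % p.get("post"))

    magic = p.get("magic", "")
    if not TOKEN_RE.match(magic):
        raise PortalError("missing or malformed magic token")

    # Only hand back a web URL as the post-login redirect; drop javascript:, data:, etc.
    redir = p.get("4Tredir", "")
    if urlsplit(redir).scheme not in ("http", "https"):
        redir = ""

    return {"magic": magic, "4Tredir": redir, "ssid": p.get("ssid", ""), "post": FGTAUTH_URL}


def render_login_form(fields: dict) -> str:
    """Build the login page; every request-derived value is HTML-escaped."""
    hidden = "".join(
        '<input type="hidden" name="%s" value="%s">' % (escape(k, quote=True), escape(fields[k], quote=True))
        for k in PASSTHROUGH
    )
    page = (
        "<!doctype html><html><body>"
        "<h1>Wi-Fi login: {ssid}</h1>"
        '<form method="post" action="{post}">{hidden}'
        '<input name="username" autocomplete="off"> '
        '<input name="password" type="password" autocomplete="off"> '
        '<input type="submit" value="Login">'
        "</form></body></html>"
    )
    return page.format(ssid=escape(fields["ssid"]), post=escape(fields["post"], quote=True), hidden=hidden)


def handle(url: str) -> tuple:
    """Map a request URL to an (HTTP status, HTML body) pair."""
    try:
        return 200, render_login_form(parse_redirect(url))
    except PortalError as exc:
        return 400, "<!doctype html><p>Bad captive portal request: %s</p>" % escape(str(exc))


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = handle(self.path)
        data = body.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Local test server; in production put this behind TLS with a certificate the clients trust.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The browser submits the form straight to the FortiGate, so this page never sees the password itself; its responsibilities are to refuse to build a form that points anywhere but the FortiGate, and to escape everything it echoes (the SSID and 4Tredir are attacker-influenceable inputs on an open network). Note that unauthenticated clients can only reach this server at all because of the captive-portal-exempt policy configured further down.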
Add a local user and local group
User & Device > User Definition > Create New > Local User > Username/Password
User & Device > User Group > Create New > Firewall > Add the user as a member
Enforce HTTPS authentication.
Enable HTTPS for authentication so that user credentials are sent to the FortiGate encrypted. Without it the fgtauth post goes to port 1000 over plain HTTP, and the password crosses an open SSID in cleartext. (If you are not using an external portal you can skip this section.)
config user setting
    set auth-secure-http enable
end
Create the WiFi network
WiFi Controller > WiFi Network > SSID
When you use a captive portal, the SSID must use tunnel traffic mode.
Enable DHCP for clients.
Set the security mode to captive portal and configure the external portal URL.
Do not include "http://" or "https://" in the captive portal URL.
In the CLI, enable captive portal exemption on the policy that lets WiFi clients reach the external portal server, so that an unauthenticated user can make the initial contact with it. Scope that policy to the portal server's address only: a captive-portal-exempt policy with destination "all" bypasses authentication entirely.
config firewall policy
    edit <policy_id>
        set captive-portal-exempt enable
    next
end
<policy_id> is the value in the ID column of the policy list (Policy & Objects > Policy > IPv4).
Create the Internet access security policy
Go to Policy & Objects > Policy > IPv4.
Create a policy that allows incoming traffic from the WiFi SSID interface out to the Internet-facing interface, selecting the user group created earlier as the source user so that only authenticated users match it.
Connect and authorize the FortiAP
Read this article: http://blog.elogy.org/?p=1168&preview=true
(The external portal web server's certificate must be issued by a CA the clients trust, or their browsers will show warnings on the login page.)