Setting up a captive portal on Fortinet firewalls transforms your guest WiFi into a customer engagement and marketing platform. By integrating Spotipo with your Fortinet device, you can collect guest emails, offer social login options, enable paid WiFi access, and manage bandwidth—all while maintaining enterprise-grade security.
This guide walks you through configuring your Fortinet firewall to work with Spotipo's cloud authentication system using RADIUS. The setup involves configuring RADIUS servers, user groups, authentication settings, and firewall policies to create a seamless guest WiFi experience.
What you'll accomplish:
Configure RADIUS authentication and accounting servers
Set up user groups and captive portal settings
Create firewall policies for guest traffic and DNS access
Enable dynamic bandwidth shaping for authenticated users
What you'll need:
Fortinet firewall with admin access and CLI access
RADIUS server details from your Spotipo account
Active Spotipo account (start free trial)
Important: This configuration requires CLI access to properly set up RADIUS accounting and Change of Authorization (CoA) features that enable bandwidth control.
Create Fortinet Site in Spotipo
A Site represents each location. A site can have multiple routers (of the same type)
Go to Site Selector on the top right corner and use the Create A New location button. Select the device type as Fortinet.
Find Fortinet Settings in Spotipo
Once your site has been created, locate the Fortinet Config screen under settings. Here you will be presented with configuration details necessary to configure your Fortinet router with Spotipo.
Configure Fortinet Router
RADIUS Server Configuration
First step in configuring your router is to go into Users & Authentication -> RADIUS Servers . From here, click on Create new button. From there, enter the RADIUS Server's IP address and Secret generated on your Spotipo site's configuration page.
NOTE: Once you've entered data for your RADIUS server, a pop-up saying "Invalid Secret for the server" will appear. You can ignore that message
Once you've entered the configured the necessary details for the RADIUS server, open your CLI terminal, by clicking the Edit in CLI button.
In CLI, copy the following commands:
set acct-interim-interval 300
set radius-coa enable
config accounting-server
edit 1
set status enable
set server "<FROM SPOTIPO>"
set port 1813
set secret <your_secret>
next
end
NOTE: Make sure that "set server" and "set secret" lines match with your specific data generated in Spotipo
Without this step, you will experience issues in communicating with our RADIUS server.
User Group Configuration
Next up, we need to configure User groups. To do that, go to User & Authentication -> User Groups and once again, create a new User Group by clicking on the Create New button.
When creating a new user group, set type as Firewall. Under remote groups, Add a Radius server group that you've created in the last step.
Authentication Settings Configuration
Under User & Authentication -> Authentication Settings you need to set the Captive portal type to FQDN, and enable captive portal. Also set the address of captive portal to app.spotipo.com.
Also, set protocol support to both HTTP and HTTPS.
Configure Correct Interface
Next step is located under Network->Interfaces. This will enable the Captive portal on the desired interface.
Select the desired interface that you'd like to use (You can do this for both LAN or VLAN interfaces) and click the Edit button.
In the newly opened screen, navigate to Security mode, enable it and set it to Captive portal.
Under Authentication portal paste the URL generated by Spotipo. Use that same URL in the Redirect after Captive Portal field.
Make sure to set the User group to the one we've created for this setup as well.
Under Exempt destinations/services create a new list for Spotipo servers. In that list, set FQDN to app.spotipo.com . Make sure to use that list for exempt destinations.
Configure Firewall policies
Spotipo needs to create a few firewall policies to give guests the optimal experience without compromising safety. We need to give users access to services such as DNS, without users having to log in first, etc.
Navigate to Policy & Objects->Firewall Policy . From there, press Create New button.
Set the parameters as following:
Name: Guest DNS allow (you can change it)
Incoming interface: lan
Outgoing interface: wan
Source: lan
Destination: all (you can make this more strict if you want to use specific DNS servers)
Schredule: always
Service: DNS
Action:Accept
Also move to rule toward the top of your list, so it doesn't get blocked by accident.
Now we need to create antoher rule. This one is for allowing traffic from guest network.
Name: Spotipo guest traffic allow (you can change it)
Incoming interface: lan
Outgoing interface: wan
Source: lan
Destination: all (you can make this more strict if you have pre configured firewall rules)
Schredule: always
Service: all (You can make this more strict by allowing services only up to your preference)
Action:Accept
NAT: Enabled
Log Allowed Traffic: All sessions
Also move to rule toward the top of your list, so it doesn't get blocked by accident.
Save the rule first, then open it again, and use the Edit in CLI button
Next up, we need to open the CLI terminal for this specific firewall rule. To do so, while your rule editor is open, click the Edit in CLI button.
In the CLI terminal, use these commands:
set groups "Spotipo Guest Users"
set dynamic-shaping enable
set comments "RADIUS accounting and bandwidth shaping for authenticated users"
next
end
Your Fortinet Captive Portal Is Now Live
Once your configuration is complete and the portal appears when connecting to your configured interface, guests will authenticate seamlessly—and you can start capturing WiFi guest data, running marketing campaigns, or offering paid WiFi access through your Fortinet network.
What to do next:
Customize your splash page design in Spotipo dashboard to match your branding
Set up email marketing integrations to automatically sync guest contacts
Configure bandwidth tiers to offer premium WiFi access packages
Common Fortinet setup issues:
"Invalid Secret" error: This warning can be ignored when configuring the RADIUS server initially
Portal not appearing: Verify app.spotipo.com is in your exempt destinations list
Bandwidth shaping not working: Ensure dynamic-shaping is enabled in the guest traffic firewall rule via CLI
Authentication failures: Check that RADIUS secret and server IP match exactly with Spotipo settings
Still having issues with your Fortinet configuration? Contact support via chat or email us at [email protected], we'll help troubleshoot your specific Fortinet firewall setup.