Welcome to Purple Support

Fortinet (FortiGate)

  • Updated

IMPORTANT: You need FortiOS v5.6 or above in order to proceed.


Please log in to your FortiGate web interface and click User & Device > RADIUS Servers on the left menu. Click Create New and configure with:

  • Name: guestradius
  • Primary Server: *insert radius_server here*
  • Primary Shared Secret: *insert radius_secret here*
  • Secondary Server: *insert radius_server2 here*
  • Secondary Shared Secret: *insert radius_secret here*
  • Authentication Method: Specify
  • Method: PAP

Click OK to Save. Next, click on User Groups and Create New. Configure with:

  • Name: guestgroup
  • Type: Firewall

Under Remote groups click Create New and under Remote Server choose guestradius. Click OK to Save.

Next, click Policy & Objects > IP. Click Create New > Address. Configure with:

  • Category: Address
  • Name: guestonline
  • Type: IP/Netmask
  • Subnet / IP Range:
  • Interface: any
  • Show in Address List: Enabled

Click OK to Save. Next, click Create New > Address again and configure with:

  • Category: Address
  • Name: *insert access_domain here*
  • Type: FQDN
  • FQDN: *insert access_domain here*

Click OK to Save

For each domain below you need to do as per above.

  • r1-portal.venuewifi.com
  • r2-portal.venuewifi.com
  • r3-portal.venuewifi.com
  • payment-r1.venuewifi.com
  • payment-r2.venuewifi.com
  • payment-r3.venuewifi.com
  • api.openweathermap.org
  • d1ldbb6wxu8wdm.cloudfront.net
  • api.stripe.com

Additionally. if you wish to support social network logins, you also need to add the domains below for each network you plan to support.

Facebook facebook.com
Twitter twitter.com
LinkedIn linkedin.com
Instagram instagram.com
Weibo weibo.com
VKontakte vk.me


Next, under Addresses click Create New > Address Group. Configure with:

  • Category: IPv4 Group
  • Group Name: guestwhitelist
  • Members: click the + button and select all the domains you added earlier.

Click OK to Save.

Next, click WiFi & Switch Controller > SSID on the left. Click Create New > SSID. Configure with:

  • Interface Name: guestwifi
  • Type: WiFi SSID
  • Traffic Mode: Tunnel to Wireless Controller
  • Address:
  • DHCP Server: Enabled
  • DNS Server: Specify:
  • SSID: Guest WiFi (or whatever you wish)
  • Security Mode: Captive Portal
  • Portal Type: Authentication
  • Authentication Portal: External: *insert access_url here*
  • User Groups: guestgroup
  • Broadcast SSID: Enabled
  • Block Intra-SSID Traffic: Enabled
  • Exempt Destinations/Services: guestwhitelist
  • Redirect after Captive Portal: Specific URL: *insert redirect_url here*

Click OK to Save. Next, under IPv4 Policy click Create New. Configure with:

  • Name: guestwifi
  • Incoming Interface: Guest WiFi (gestwifi)
  • Outgoing Interface: wan1 (your WAN connection)
  • Source: all
  • Destination Address: guestwhitelist
  • Schedule: always
  • Service: ALL
  • Action: ACCEPT
  • Enable this policy: Enabled

Click OK to Save. Click Create New again and configure with:

  • Name: guestwifionline
  • Incoming Interface: Guest WiFi (gestwifi)
  • Outgoing Interface: wan1 (your WAN connection)
  • Source: guestonline
  • Destination Address: all
  • Schedule: always
  • Service: ALL
  • Action: ACCEPT
  • Enable this policy: Enabled

Click OK to Save

Share online:
Was this article helpful?
0 out of 0 found this helpful