This the the topology.
The wireless client can connect to SSID and access the portal page, but after entering the user name and password and clicking login, an error appears on the portal page and authentication fails.
Use the wireshark capture packets on the public interface of AC. We can see the TCP retransmission Packts.
When the client login on the portal page, the client will send the http packets to AC to tell AC the username and password and other information. Before sending the http packets, it should do TCP three handshakes with AC. When sending the third time handshake packet, AC doesnot receive the packet. So there are tcp restransmission packets.
Through inspection, it is found that the gateway of the wireless client is the router from Fortinet. It didn't forward the third time handshake packet.
Change the gateway of wireless client to H3C AC. AC received the complete TCP packets. And user can login on the portal page.
Login before you can operate!login