Technical Tip: How to troubleshoot HSTS captive portal error in Google Chrome

HTTP strict transport security (HSTS) is a web security standard that forces browsers to connect to websites using HTTPS instead of HTTP. 

This HSTS helps to prevent man-in-the-middle attacks and other types of insecure access to websites. 

When a domain is enabled for HSTS, the browser will automatically redirect any HTTP request to HTTPS. 

How is this HSTS causing issues with the FortiGate Captive portal: 

• This HSTS error was caused to users who configured captive portal settings with HTTP.
• When the user opens Chrome, by default a connectivity test will be performed in the back end to google.com which is the HSTS site.
• It was noticed recently after the Google Chrome upgrade. 
  
  

The issue can be resolved by enabling secure authentication, as shown below:

MAIN_FW (setting) # show
config user setting
    set auth-cert "Fortinet_Factory"
    set auth-ca-cert "Fortinet_CA_SSL"
    set auth-secure-http enable
end

After the above changes, download the 'Fortinet_CA_SSL' certificate from the FortiGate firewall and install it on all end-users PC.

Workaround:

1. Access any HTTP sites, like example.com, to get the captive portal trigger.
2. Use a non-HSTS site while trying to authenticate for the first time (for example support.fortinet.com). Use Firefox for initial auth. After successful authentication users can use Chrome for internet access.
3. Downgrade the Chrome version to Chrome 126.

Note:

HSTS was implemented on Chrome's recent upgraded version and this is not a FortiGate issue.