ac1
Explorer III
February 4, 2022
Solved

After authentication a fortigate page appears


Hello everyone,
When a guest user authenticates via the captive portal, a FortiGate page appears on the browser with the address ---> http://192.168.x.x:1000/fgtauth
By pressing the "Send anyway" button you can navigate correctly.

How is it possible to remove this page?

Browser: Chrome
Captive Portal: FortiAuthenticator v6.1.2, build0420 (GA)

Thanks
Andrea

4 replies

lmarinovic
Staff
February 7, 2022

Hello Andrea,

 

You can check this KB:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-secure-authentication-HTTPS-on-a-FortiGate/ta-p/192486

 

Look at the part after the 2nd point.

 

"Reminder: The HTTPS redirect function and port can be configured from the following CLI commands:

#config user setting
    set auth-secure-http enable  (default = disable)"
Try to configure secure https on FortiGate. If, on the other hand, you get a certificate warning, you can take a look at the next part about certificates and how the workstation needs to trust the website.

 

Best regards,

 

Lazar Marinovic

 

lmarinovic
Staff
February 7, 2022

Also, you can crosscheck Security Mode Settings and Authentication under interface settings. Did you put portal type to Authentication and External Authentication portal and then FAC address?

 

And also, did you do the "set captive-portal-exempt enable" on policy?

 

Take a look at this KB if you didn't:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-Captive-Portal-Exemption-on/ta-p/192275

 

Best regards,

 

Lazar Marinovic

ac1 (Author)
Explorer III
February 8, 2022

Hi Lazar,

this is my configuration:

config system interface
    edit "GUEST"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set alias "200"
        set security-mode captive-portal
        set security-external-web "https://guestportal.guest.com/portal/"
        set security-redirect-url "https://www.google.com/"
        set security-exempt-list "GUEST-exempt-list"
        set security-groups "RADIUS-Guest"
        set device-identification enable
        set snmp-index 48
        set interface "port6"
        set vlanid 200
    next
end

config firewall policy
    edit 400
        set name "Guest_to_FortiAuthenticator"
        set srcintf "GUEST"
        set dstintf "LAN-FortiAuthenticator"
        set srcaddr "LAN-GUEST"
        set dstaddr "SRV-FortiAuthenticator"
        set action accept
        set schedule "always"
        set service "HTTPS" "ALL_ICMP" "HTTP"
        set logtraffic all
        set captive-portal-exempt enable
    next
end

 

After the user has successfully authenticated to the captive portal of the FortiAuthenticator, a web page appears with the IP of the FortiGate (with the IP of the Guest):

error.png

 

Sorry for the bad resolution!

If the user clicks on "Send anyway" the google page appears and the navigation works.

 

Thanks

Andrea

ac1 (Author)
Explorer III
February 8, 2022

Hi Lazar,

this is my configuration:

 

config system interface
    edit "GUEST"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set alias "200"
        set security-mode captive-portal
        set security-external-web "https://guestportal.guest.com/portal/"
        set security-redirect-url "https://www.google.com/"
        set security-exempt-list "GUEST-exempt-list"
        set security-groups "RADIUS-Guest"
        set device-identification enable
        set snmp-index 48
        set interface "port6"
        set vlanid 200
    next
end

config firewall policy
    edit 400
        set name "Guest_to_FortiAuthenticator"
        set srcintf "GUEST"
        set dstintf "LAN-FortiAuthenticator"
        set srcaddr "LAN-GUEST"
        set dstaddr "SRV-FortiAuthenticator"
        set action accept
        set schedule "always"
        set service "HTTPS" "ALL_ICMP" "HTTP"
        set logtraffic all
        set captive-portal-exempt enable
    next
end

config user setting
    set auth-type http https
    set auth-cert "Fortinet_Factory"
    set auth-timeout 15
end

The user successfully authenticates to the captive portal on the FortiAuthenticator, but then this page appears:

error.png

 

Sorry for the bad resolution.

 

If the user clicks on "send anyway" the google page appears and the navigation works.

I want to remove this page because all the rest of the configuration works correctly.

 

Thanks

Andrea

ac1 (Author)
Explorer III
February 15, 2022

I configured the authentication settings on FortiGate:

config firewall auth-portal
    set portal-addr "firewall.mydomain.net"
end

config user setting
    set auth-type http https
    set auth-cert "wildcard_mydomain_net_2023"
    set auth-secure-http enable
    set auth-timeout 15
end

config system dns-database
    edit "mydomain.net"
        set domain "mydomain.net"
        set authoritative disable
        set forwarder "1.1.1.1"
        config dns-entry
            edit 1
                set hostname "guestportal"
                set ip x.x.x.x
            next
            edit 2
                set hostname "firewall"
                set ip x.x.x.x
            next
        end
    next
end

config system dns-server
    edit "GUEST"
    next
end

But now any user fails to authenticate on the portal....

I'm desperate...

The last chance is to update the FortiAuthenticator to version 6.4.1.

 

ac1

Debbie_FTNT
Staff & Editor
February 16, 2022

Hey ac1,

Did you set the portal-address in FortiGate recently?

FortiAuthenticator captive portal policies rely on IP or hostname of the FortiGate to match, and if you set a portal address on FortiGate, you have to create/edit an access point in the portal policy on FortiAuthenticator to contain that address, NOT the IP.

 

Check under https://<FortiAuthenticator>/debug - there should be 'RADIUS Authentication' in the drop-down menu. It will contain requests like 127.0.0.1->127.0.0.1, with NAC_Identifier FAC_GUEST; that's the captive portal authentication bit.

Check if there is an error like 'AP does not match policy x'.

ac1 (Author, Answer)
Explorer III
February 25, 2022

There were 3 different problems. I had to:

  • set the Authentication Settings with wildcard public certificate and redirects
  • create an A record on the DNS Server with the IP of the FortiGate guest interface
  • create on FortiAuthenticator an AP with the FQDN of the FortiGate, not the IP or others
  • correct the RADIUS authentication, removing the membership group from the FortiGate.

Now everything is working correctly.
guest user registration -> sending mail to the sponsor -> guest user authorization by the sponsor -> credentials arrive to the guest user -> guest user login -> navigation without error pages.

 

I have become an expert on this subject. If you need, write to me and I will be happy to help.
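
A lint for the FortiGate-side settings named in the accepted answer, as an added example that is not part of the thread or of Fortinet's tooling: it parses FortiOS CLI text and flags a plain-HTTP redirect, the factory auth certificate, and a portal address that is an IP or has no matching dns-entry. The names `parse_fortios` and `lint_portal` are hypothetical, the sample configs are constructed from the posts above, and the DNS check assumes the A record lives in the FortiGate's own dns-database as in the 15 February config.

```python
import ipaddress
import shlex

def parse_fortios(text):
    # FortiOS CLI text -> nested dicts: config/edit open a block, set stores a list.
    stack = [{}]
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
    return stack[0]

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint_portal(cfg):
    # Findings for the FortiGate-side redirect settings named in the thread.
    findings = []
    user = cfg.get("user setting", {})
    if user.get("auth-secure-http", ["disable"]) != ["enable"]:
        findings.append("auth-secure-http disabled: post-login redirect uses plain HTTP")
    if user.get("auth-cert", [""])[0] in ("", "Fortinet_Factory"):
        findings.append("auth-cert unset or factory certificate: guest browsers will not trust it")
    addr = cfg.get("firewall auth-portal", {}).get("portal-addr", [""])[0]
    names = {f"{e['hostname'][0]}.{z['domain'][0]}"
             for z in cfg.get("system dns-database", {}).values() if "domain" in z
             for e in z.get("dns-entry", {}).values() if "hostname" in e}
    if not addr or is_ip(addr):
        findings.append("portal-addr missing or an IP: redirect uses the interface address")
    elif addr not in names:
        findings.append(f"no dns-entry resolves portal-addr {addr}")
    return findings

# Constructed samples, abridged from the settings posted in the thread.
BEFORE = 'config user setting\nset auth-cert "Fortinet_Factory"\nend'
AFTER = ('config firewall auth-portal\nset portal-addr "firewall.mydomain.net"\nend\n'
         'config user setting\nset auth-cert "wildcard_mydomain_net_2023"\nset auth-secure-http enable\nend\n'
         'config system dns-database\nedit "mydomain.net"\nset domain "mydomain.net"\n'
         'config dns-entry\nedit 2\nset hostname "firewall"\nnext\nend\nnext\nend')
```

`lint_portal(parse_fortios(BEFORE))` returns three findings and the `AFTER` sample returns none; the FortiAuthenticator access point and RADIUS group changes from the answer are outside what this check can see.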