Jasys
Explorer
September 26, 2025
Question

Apple Devices with Captive Portal

  • September 26, 2025
  • 3 replies
  • 7447 views

Having had quite a few issues, there is one annoying one remaining. I have a FortiGate running an SSID using the FAC as the portal for registration etc., which is working fine on Android, laptops etc., but any Apple device, when selecting the SSID, redirects to the "captive.apple.com" page on the phone and displays the message "Hotspot login, cannot open the page, the server cannot be found".


If the user browses to this captive address you do get the "success" message. I'm raising this here as there are a few articles that tell you to "exempt" captive.apple.com from the SSID on the FortiGate, which I have done. This article, Captive Portal on Apple devices - Fortinet Community, doesn't do anything. Is anyone able to offer some assistance? Is this because the iPhone has cellular data turned on, or a related setting?

Thanks

3 replies

Markus_M
Staff & Editor
September 26, 2025

Do you have a screenshot etc? The message "server cannot be found" sounds like a DNS error. What is the "captive address" that gives you the success page?

The cellular data CAN be a problem IF the device is able to contact the captive portal detection pages outside the FortiGate network through its "live" WAN connection.

You can simply run a sniffer on FortiGate towards the client IP and see if the IPs would match the captive portal detection page. This is a bit of a pain, but will give you the right answer for that question.
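The sniffer test above works from the FortiGate side; the same question can be asked from the client side. The script below is an added example (not Fortinet's or any poster's code): run from a device on the guest SSID, it resolves the Apple probe host with the resolver DHCP handed out, fetches the probe URL without following redirects, and classifies the answer the way the phone would. The "Success" page body is Apple's real response; the portal hostname in the test is a constructed placeholder.

```python
import socket
import urllib.error
import urllib.parse
import urllib.request

# The probe URL Apple devices fetch after joining a network (captive.apple.com is
# the host named in the thread). On the open internet Apple answers 200 with a
# tiny page whose title is "Success"; a captive portal answers with a redirect.
PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
SUCCESS_MARKER = "<TITLE>Success</TITLE>"


def classify_probe(status, location, body):
    """Map one HTTP answer (or its absence) to what the phone concludes.
    status is None when no response came back at all (DNS or TCP failure)."""
    if status is None:
        return "no_response"        # 'server cannot be found' in the thread: look at DNS first
    if status in (301, 302, 303, 307, 308) and location:
        return "portal_redirect"    # FortiGate intercepted the probe; the portal sheet opens
    if status == 200 and SUCCESS_MARKER in body:
        return "open_internet"      # probe reached Apple (e.g. leaked via cellular); no portal
    return "unexpected"             # anything else, e.g. an error page served instead of the probe


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers instead of following them, so the portal URL is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def run_probe(url=PROBE_URL, timeout=5):
    """Resolve the probe host, fetch it without following redirects, and return
    (classification, resolved_ip, redirect_target)."""
    host = urllib.parse.urlsplit(url).hostname
    try:
        ip = socket.gethostbyname(host)   # uses the resolver handed out by DHCP on the SSID
    except socket.gaierror:
        return classify_probe(None, None, ""), None, None
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, location, body = resp.getcode(), None, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:           # 3xx/4xx/5xx land here
        status, location = err.code, err.headers.get("Location")
        body = err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):        # refused, timed out, reset
        return classify_probe(None, None, ""), ip, None
    return classify_probe(status, location, body), ip, location


if __name__ == "__main__":
    print(run_probe())
```

Compare the resolved IP with the destinations seen in the FortiGate sniffer: "open_internet" from a phone with cellular enabled means the probe never went through the SSID at all.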

Jasys (Author)
Explorer
September 26, 2025

Yes, I think to start with it was DNS related. The DHCP of the WiFi interface was set to use "system DNS"; it should have been "interface DNS", as I have recursive DNS to look up the IP of the FAC etc., so the error message has now gone. What happens now is that a pop-up (looks like a web pop-up) appears VERY quickly, then closes without my being able to see what it was, and the phone goes back to the WiFi list. It does this on multiple phones.


So the original error seems to have been resolved, but now it's this. I just wish everything would work as it should :D

Markus_M
Staff & Editor
September 26, 2025

Packet capture will tell you most of what is going on. I'm sure you remember my rambling about a certain article with steps of what is supposed to happen and when. These steps all reflect in a packet capture and indicate where to search.

martijndhondt
Explorer
October 6, 2025

Did you use tunnel mode for the SSID? I had more success with tunnel mode.
Also, a policy from the guest range to the DNS server to allow resolving, and HTTPS to the FortiAuth.
I also used a wildcard cert on my FortiGate for authentication and set the following:

config firewall auth-portal
    set portal-addr "guestportal.xxxx.com"
end

config user setting
    set auth-type http https
    set auth-cert "star-xxxx-com"
    set auth-secure-http enable
end

I also exempted the destination of the firewall auth-portal (see above) and the DNS servers on my SSID, as well as the IP of the FortiAuth.

Jasys (Author)
Explorer
October 7, 2025

Hi, yes, all of this is correct; it all works. I tested it myself today: Android, Google phone, Windows laptop all trust and display the portal registration. This is only happening on Apple phones, and it's getting so annoying. I can't find anything on the Fortinet or Apple communities. Certs are valid and the trusted chain is installed. The FAC has a DNS entry on the gate which resolves correctly. It's only Apple devices that fail, so I kind of know the FAC and gate are set up correctly. Thank you for your comments though :)


Is your "set auth-ca-cert" set to anything? I wonder if that would help?

Markus_M
Staff & Editor
October 12, 2025

You must define where the error comes from.

- If the certificate error appears from the FortiAuthenticator, i.e. when the FortiAuthenticator is presenting the certificate, that is what must be looked at. Can the client device browse to the FortiAuthenticator directly (using the address that the FortiGate would otherwise instruct the client to use for the FortiAuthenticator)?

- If the error comes from the FortiAuthenticator, ANY setting on the FortiGate outside the redirect FQDN is irrelevant. The "auth-ca-cert" can be ignored (and every other setting as well). The captive portal works sequentially, so if there is an issue at the FortiAuthenticator with presenting its certificate, the previous steps will all have been correct.


Can you browse to the FortiAuthenticator from the client side? It mustn't give an untrusted certificate warning.

Do you have a screenshot of the warning?

martijndhondt
Explorer
October 8, 2025

We have nothing on that setting.