marcello
Explorer
June 14, 2022
Solved

auth-portal from different interfaces


Hi,

I have configured the captive portal on two different wired interfaces and everything works fine.
INT1 - 192.168.1.1 - LAN 192.168.1.0/24
INT2 - 192.168.2.1 - LAN 192.168.2.0/24
To eliminate the invalid certificate warning on the login page I uploaded the certificate and specified the portal-addr FQDN, which resolves to the firewall IP on INT1.
auth.domain.local -> 192.168.1.1
Being able to specify only one portal-addr, how can I reach it from clients that were on the other network 192.168.2.0/24?
I tried to create a policy but I can't reach the local IP 192.168.1.1 from the 192.168.2.0/24 network.

Can you give me a suggestion or an alternative?

 

Thank you.

2 replies

GDiFi
Staff
Answer
June 14, 2022

When you say you created a policy are you talking about a firewall policy?  If so, you will probably need to edit INT2 interface and under the captive portal add 192.168.1.1 as an exempt destination so they will be allowed to access that IP prior to authenticating.

marcello
Author
Explorer
June 17, 2022

Thank you for the answer.

After adding the exemption all works fine.
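
A sketch of the exemption suggested in the answer above, written as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. It assumes the `config user security-exempt-list` object and the interface-level `security-exempt-list` setting; the object names `auth-portal-int1` and `portal-exempt` are hypothetical, and `INT2` and the addresses are the ones from the question.

```text
# Address object for the portal IP on INT1 (name is hypothetical)
config firewall address
    edit "auth-portal-int1"
        set subnet 192.168.1.1 255.255.255.255
    next
end

# Exempt list: destinations reachable before authentication.
# Keep it to the single portal host, not the whole 192.168.1.0/24.
config user security-exempt-list
    edit "portal-exempt"
        config rule
            edit 1
                set dstaddr "auth-portal-int1"
            next
        end
    next
end

# Attach the exempt list to the second captive-portal interface
config system interface
    edit "INT2"
        set security-mode captive-portal
        set security-exempt-list "portal-exempt"
    next
end
```

Everything in the exempt list is reachable by unauthenticated clients on 192.168.2.0/24, so the list should contain only the portal address, and `show system interface INT2` can be used to confirm what is attached.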

 

 

seshuganesh
Staff
June 15, 2022

Hi Team,

 

To eliminate the invalid certificate warning on the login page I uploaded the certificate and specified the portal-addr FQDN, which resolves to the firewall IP on INT1.
auth.domain.local -> 192.168.1.1

 

I believe you have configured this setting globally under "config firewall auth-portal".
Can you configure it per policy:

 config firewall policy
  edit <policyID>
   set auth-redirect-addr portal.example.org
  next
 end

 

Also, you need to use two different domains because the LAN IP for the two networks is different.

Please test it and give us an update.

marcello
Author
Explorer
June 17, 2022
Thanks for the reply.
I can't find the "auth-redirect-addr" option.
I have FortiOS 7. From the CLI reference guide it seems to exist, but when I try to set it I get a command fail error. Is it possible that I have to enable something first?