Skip to main content
The_Nude_Deer
The_Nude_Deer
Explorer II
January 15, 2025
Question

Captive Portal FortiAuthenticator

  • January 15, 2025
  • 2 replies
  • 3818 views

As per - https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/578250/fortiauthenticator-as-a-wireless-guest-portal-for-fortigate

 

it says at the end "

Configuring firewall authentication portal settings on FortiGate

The following settings are required to avoid certificate and security errors on the client. After the user is authenticated using the external captive portal, the browser redirects briefly to the firewall authentication portal over HTTPS. The browser then redirects the user to the original URL or a specific URL.

The specific URL needs to be configured in the Redirect after Captive Portal option in Create New SSID dialog.

To configure firewall authentication portal address from the CLI:
  1. Enter the following commands to set to the firewall authentication portal address:

    config firewall auth-portal

    set portal-addr <addr> #portal-addr setting must be an FQDN that resolves to the interface IP address of the guest SSID. The client must be able to resolve this using the DNS server configured in the DHCP scope.

    end

"

 

This makes no sense?  surely I need a public signed cert for the FAC for a guest to trust the portal?

2 replies

adambomb1219
SuperUser
adambomb1219
SuperUser
January 15, 2025

This is an OLD cookbook at this point.  I would use a newer version.  

 

Why does this make no sense though?  You do need a public certificate for guest clients.  What exactly is your question?

    The_Nude_Deer
    The_Nude_DeerAuthor
    Explorer II
    January 15, 2025

    There is no other cookbooks or documentation that specified this, I just assumed it was some sort of tunnelled http header as the FAC is trusted, My question you have more or less answered, I am guessing I need to create a CSR on the FAC, then get it signed by a public CA then import onto the FAC yes and select it as the https cert.

     

    The article above, mentions setting a portal on the Fortigate, why would I do that when its the FAC that hosts the portal?

    adambomb1219
    SuperUser
    adambomb1219
    SuperUser
    January 16, 2025

    Because the webpage on FAC tells the client to post the credentials directly to the FGT.  They are not posted to the FAC.  I personally do not like the way FAC does this.  I much prefer the way Cisco ISE handles captive portals.  Aruba ClearPass also behaves the same way as FAC.

      ebilcari
      Staff
      ebilcari
      Staff
      January 15, 2025

      As also shown in the workflow of the portal, there are two web pages that are presented to the end host. The FGT portal page is not usually visible because the redirection happens fast but in case there is a certificate issue the browser will complain. The end host should be able to validate both domains used in FGT and FAC captive portal pages.

      portal-page.PNG

      Emirjon
        The_Nude_Deer
        The_Nude_DeerAuthor
        Explorer II
        January 15, 2025

        so that means buying 2 extra public signed certs ?

        adambomb1219
        SuperUser
        adambomb1219
        SuperUser
        January 16, 2025

        Yes.  Or a multi-SAN certificate.

          Terms & ConditionsAccessibility statement