rzanella
Explorer
November 5, 2024
Solved

Certificate error message when device is redirected to Captive portal


I managed to manually install on a PC to test the Persistent Agent. Now I can register the PC but I still have a problem: when I open the browser I get the message that I have to register. Before reaching the registration page I am informed that the connection is not secure. (NET::ERR_CERT_AUTHORITY_INVALID).

Once I accept the risk I can register. For authentication I use the domain user.
I also find log messages in the Persistent Agent logs:

2024-10-28 09:59:17 UTC :: peer CommonName = bradfordnetworks.com
2024-10-28 09:59:17 UTC :: Checking Peer name fortinac.mydomain.com against Common or Subject-alternative-name entry bradfordnetworks.com
2024-10-28 09:59:17 UTC :: Peer name "fortinac.mydomain.com" doesn't match "bradfordnetworks.com"
2024-10-28 09:59:17 UTC :: Refusing to connect to trust_DISTRUSTED fortinac.it-present.com|bradfordnetworks.com|09:6e:cf:15:bd:ea:b9:1e:26:21:75:d5:86:9a:8e:37:15:f5:d4:a9
2024-10-28 09:59:17 UTC :: Connection failed! 1


I installed the certificates as trusted.

I searched the documentation but was unable to resolve the issue.

 

Thanks in advance.

1 reply

scitlak
Staff
November 5, 2024

Hello,

 

You probably use the default TLS certificate for your Persistent Agent in FortiNAC.

 

According to logs, PA tries to establish an SSL/TLS handshake with your FortiNAC but it fails since the FQDN is not in the CN or SAN of your Certificate.

 

Your FortiNAC FQDN should be in the Certificate's SAN or CN (in your case, fortinac.mydomain.com).

 

You need to create a certificate for your FortiNAC persistent Agent with the appropriate CN or SAN.

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-How-to-generate-and-install-SSL-certificates/ta-p/191642

 

BRs
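
The name check that fails in the Persistent Agent log quoted above, as an added example that is not part of the original thread and is not FortiNAC code. The function names and the wildcard rules are assumptions of this sketch; the two hostnames come from the log, and the reissued certificate is constructed.

```python
# Added example (not FortiNAC code). Assumption: wildcard handling follows the
# usual left-most-label rule; the agent's real matching rules are not shown.

def _norm(name):
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()

def name_matches(peer, entry):
    """True if one CN/SAN entry covers the peer FQDN."""
    peer_labels = _norm(peer).split(".")
    entry_labels = _norm(entry).split(".")
    if len(peer_labels) != len(entry_labels) or "" in peer_labels + entry_labels:
        return False
    if entry_labels[0] == "*":
        # A wildcard covers exactly one label and never a bare TLD ("*.com").
        if len(entry_labels) < 3 or any("*" in l for l in entry_labels[1:]):
            return False
        return peer_labels[1:] == entry_labels[1:]
    if any("*" in l for l in entry_labels):
        return False  # partial ("f*.x.y") or inner ("a.*.y") wildcards
    return peer_labels == entry_labels

def matching_entry(peer, common_name, san_dns):
    """Return the first CN or SAN entry that covers `peer`, else None.

    The CN is checked along with the SANs, as the agent log line
    "against Common or Subject-alternative-name entry" describes.
    """
    for entry in [common_name] + list(san_dns):
        if name_matches(peer, entry):
            return entry
    return None

if __name__ == "__main__":
    peer = "fortinac.mydomain.com"  # FQDN the agent connects to (from the log)
    certs = {
        # CN from the log; the absence of SANs is an assumption.
        "default": ("bradfordnetworks.com", []),
        # Constructed: a reissued certificate carrying the FortiNAC FQDN.
        "reissued": ("fortinac.mydomain.com", ["fortinac.mydomain.com"]),
    }
    for label, (cn, sans) in certs.items():
        hit = matching_entry(peer, cn, sans)
        print(label, "->", f'matches "{hit}"' if hit else "name mismatch, connection refused")
```

The check never consults the trust store, so a certificate whose CN and SAN do not cover the FQDN still fails it after the issuing CA has been imported as trusted.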

 

 

 

rzanella (Author)
Explorer
November 5, 2024

Hello,

My IT colleagues provided me with certificates (file extension: p7b) which I successfully imported into Trusted Certificates.
I thought that was enough.

 

Do I therefore have to have 3 certificates generated? 1 for Persistent Agent, 1 for Admin UI and 1 for portal?

scitlak (Answer)
Staff
November 5, 2024

Hi,

 

You may use the same certificate for all of them or you may generate different certificates for each of them. 

Especially for the portal, if you would like to use guest registration, it would be better to have a publicly signed certificate. As I mentioned, you may use the same certificate for all of them.

 

BRs