Explorer

Solved

FortiAuthenticator Guest Captive Portal Cannot be reached from Client

Forum|Forum|10 months ago
July 9, 2025
9 replies
10235 views

Had this working briefly, but somehow , something has changed in the environment, I have followed:

https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/578250/fortiauthenticator-as-a-wireless-guest-portal-for-fortigate

A few tweaks here and there, but essentially, the Client connects to the OPEN ssid, the interface uses system DNS to look up the address of the external portal., then should be able to access the captive portal, this part is completely broken, no traffic arrives at the FAC, meaning the client just cant resolve the FQDN (it used too!) I checked the clients ipconfig, and it gets the right DHCP IP, gateway (Fortigate wifi interface) and correct DNS (it picks up public DNS, but there are DNS-DATABASE entries for the FAC)

there is an EXEMPT captive portal rule, from the GUEST source network, to the FAC on HTTPS, so that it can use the form to register, before browsing. there are no hits on this rule. I have tried everything now, I just dont know what is missing, I tried using interface DNS, system DNS on the WIFI interface, the SSID is correct , open with external captive portal.. the FAC is working as the other WIFI is working as well as SSL VPN users.. any suggestions would be great.

Best answer by Markus_M

I literally didn't see this in the first posts, but your auth-type is wrong for this use case.

I reproduced your problem in my lab with auth-type = https only. Default includes http and telnet+ftp. You may include http at least here, which leads to triggering the captive portal with HTTP plaintext.

config user setting

set auth-type http https
end
I can add http and my traffic gets redirected, I can remove http and my captive portal detection stops and times out on the detection page.

The setting itself means which protocols will be blocked and redirected by the FortiGate.

Good luck!

Best regards,

Markus

kolebmo1

New Member

I can answer the part about "SSL deep inspection using an already trusted CA certificate" and the answer no. To do SSL deep inspection you need the private key that a CA uses to prove it is not being impersonated and that being publicly available makes it no longer trustworthy.

JasysAuthor

Explorer

That has nothing to do with my question? Have you answered in the wrong post?

funkylicious

SuperUser

hi,

i would enable dns server listening on the ssid, where you have an entry for the captive portal hostname.

in the dhcp settings set to use the interface ip and then it should work.

make sure that you also have the fw rule from ssid intf to fac.

https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/960561/fortigate-dns-server

"jack of all trades, master of none"

JasysAuthor

Explorer

Hi There, Many thanks for replying, I have enabled DNS service on the SSID interface, this has an entry for the FAC, as its a public signed FQDN (there is an entry for 192.168.100.1 > https://myfac.mydomain.com) and that address is assigned as the captive portal. the guest joins the open network,. getting the correct DHCP address, and the correct interface gateway and the same DNS as the interface. but the portal is never triggered, you can browse to a website and it still isnt triggered, just says this page is insecure with no option to override.

I am at a loss as to what has broken!

funkylicious

SuperUser

hi,

can you please share the configuration of the ssid, fw rules for this ssid and auth portal settings ( show firewall auth-portal / show user setting ) on the FGT ?

i assume that you went through all the steps described in the article above for the other settings, especially the settings on FAC side.

"jack of all trades, master of none"

Markus_M

Staff & Editor

Hey,

I recommend going through this article. It is basically a step-by-step of what must happen for the captive portal to work fine.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-General-captive-portal-explanation-flow-and/ta-p/355925
If a step isn't happening, that tells you where to look.
In your case - a client must, regardless of captive portal, be able to access the FortiAuthenticator FQDN, without certificate warnings. That'd be in the article step 8.

The FortiGate must have an exemption for the client to reach the FortiAuthenticator IP. Exempt either with policy or with the SSID itself (it has the option for exempt destinations).

Do a packet capture towards the client IP or on the client and see what DNS and HTTP traffic does and follow the articles steps.

In very short:
There must be some DNS query for one of those captive portal detection pages, then tcp handshake, HTTP GET. FortiGate must block/answer it with its own URL resolving to its own interface. Cycle repeats but FortiGate answers with the FortiAuthenticator URL ... and cycle repeats (DNS for FAC FQDN, TCP handshake, HTTP(S)). If there is another portal behind FortiAuthenticator, i.e. social login or even SAML IdP - then add another of those cycles (DNS, TCP, HTTP).

In any case, the client must be able to reach ALL captive portal instances without the need to authenticate first to reach the instance to authenticate to! That'd be a catch 22, so the authentication targets must be exempted.

Best regards,

Markus

JasysAuthor

Explorer

Thankyou Markus., I just added some config above, there is absolutely an exempt policy to reach the FAC (DNS, HTTPS) the FQDN of the portal is added as a DNS Database entry, that the SSID interface has DNS Interface Service enabled.

Markus_M

Staff & Editor

You want to then check exactly what happens when a client wants to browse the FortiAuthenticator. Check against FQDN and IP, just in case. What is the browsers complaint about it?

I would also refrain from adding the group on both the interface and the policy. Go for the interface and remove the group from the policy. It can only match anyway if the interface allows the group after authentication.

JasysAuthor

Explorer

if they browse direct to the FortiAuthenticator , they get the Fortinet 403 Forbidden page, which is what I would expect. as the request needs to be intercepted by the gate. they get the correct DHCP, gateway and DNS of the interface, so all that is correct, if they browse to a page on the internet, they get "your connection is not private"

Markus_M

Staff & Editor

So the exempt policy works fine then.

Browsing an internet page will likely fail because captive portal is in place. From that article step 1 needs to happen which is plainly that the client must(!) try reaching some HTTP page unencrypted which will trigger the redirect to FortiGate. You can always test that with browsing one manually, packet capture and see how it behaves. http://detectportal.firefox.com is one of those pages. Browse it manually to start at step 1 and check whether the rest would work. If it does, you need to see why the client seems to not do this automatically, ending up asking the user to "you must login to use this network".

Have you also removed the group from the policy (this will cause issues)?

JasysAuthor

Explorer

if I remove the group, it will let people browse unauthenticated, or are you saying, its enough to have it in the SSID setting? Ill remove it and test then

Markus_M

Staff & Editor

Hey,

it is enough to keep the group on the SSID OR the policy. Both can trigger a captive portal on their own. Keeping however both may conflict with each other. Your config otherwise looks fine. There are common mistakes to have config firewall auth-portal contain the FortiAuthenticator FQDN, which however I don't read from your config bits, the rest seems also OK.

Best regards,

Markus

JasysAuthor

Explorer

Hi Markus,

config firewall auth-portal
set portal-addr "guest.auth.mypublicdomain.com"
end

this is the firewall FQDN, that resolves to the WIFI interface, so it is there, the External portal (FAC) has a DNS-Database also :)

ill get it tested again today, but I am not hopeful!

funkylicious

SuperUser

dumb question from my part, but have you enabled on FAC on the interface Captive Portals under Services for it ?

"jack of all trades, master of none"

Markus_M

Staff & Editor

config firewall auth-portal
set portal-addr "guest.auth.mypublicdomain.com"
end
is required to be the FortiGate, although not intuitive. It affects only redirect #1, that is the articles step 3). And yes, I place a lot of value on that article :)

When you test (and the group is removed from the policy), get a packet capture from the client that contains DNS AND port 443+1003.

diag sniffer packet any 'host <client IP>' 6 0 a

will usually do.

JasysAuthor

Explorer

Yes, thats on the Fortigate, always has been. Did some further testing , have removed the Group from the policy. client connects, gets an IP, and can ping the FQDN of the FAC, so this proves the interface DNS is working. Still no portal, installed Firefox when to the portal address http://detectportal.firefox.com and it times out. if the client browses to the portal address, they get the 403 Forbidden error. I am now completely confused as to what is wrong :( I did a diag sniffer packet,on the client address, it shows the ping to the FAC and the failed HTTPS to the portal address, nothing else

Markus_M

Staff & Editor

The problem will then be why the HTTP page times out. FortiGate has to block it and answer it. The rest should work. Why would your packet capture however not show http://detectportal ... that is port 80 and unless you filtered it out, should be visible, all the same.

The "timeout" message on browser means that the client tried reaching it but didn't receive a response from anywhere. If not in your capture, where does the client send its requests?

It would fit the logic if the client tries to reach the page via another interface. If it doesn't try to reach the page via FortiGate, FortiGate cannot redirect anything. In my beloved article, step2 would be going wrong. So check from the PCAP what the page detectportal.firefox.com resolves to, with the DNS response. From that client, ping that resolved address. Do you see the ping on the FortiGate?

Markus_M

Staff & Editor

The web filter will indeed only take place at a policy hit. You can take out all UTM, just in case.

Basically DNS should resolve some address that the client will try to reach via HTTP. That part seems to not even work, so FortiGate cannot redirect (traffic that it doesn't see). You want to test that ping as mentioned and routing table for oddities, like a default route that specifies only the internal network for example.

Likewise, another client is also worth testing. If traffic doesn't reach FortiGate for some odd reason, it is quite unlikely two clients would show the same behavior. If that were true though, you would like to check the DHCP settings on FortiGate as DHCP can push static routes (in "Additional DHCP Options").

JasysAuthor

Explorer

To recap, This behaviour is on all clients trying to connect, I rebooted the FAC over the weekend to see if something was hung or needed a kick, no joy.

In Summary, client connects, gets DHCP, gets interface DNS and is able to "ping" the FQDN of the FAC, so that tells me, DNS is fine.

Portal is not triggerred, if going to a http site, the browser just times out, with page cannot be reached, with a https site, it says "this connection is not private" which is expected,

if they browse to the portal FQDN they get the expected 403 Fortinet forbidden.

am really stumped and lost all hope!

Markus_M

Staff & Editor

Hey, don't lose hope, the community will help!

That beloved KB is important and defines basically what to look at.

If HTTP times out on the client, see what really times out.

The FortiAuthenticator reboot won't help if the client is timing out on the first steps. The KB article is totally linear and if one step fails, all the others after the failure won't take place and are not worth to look at.

Packet capture is the best, in doubt you can share it as well.

See what exactly times out as the browser bar will say. Expected destinations that CAN timeout would only be the HTTP captive portal detection pages, the FortiGate on port 1003 and the FortiAuthenticator and nothing else. The rest is irrelevant but only those three.

JasysAuthor

Explorer

Yes, don't get me wrong, the article is great for the flow, it tells me where its failing, but not what could be wrong or possible fixes. I have done multiple sniffer packets, it just shows syn packets going out on HTTPS to the FAC, when they try and go direct, the web traffic rule doesn't get hit at all, nor does the exempt rule (unless they try the FAC Portal FQDN directly)

Markus_M

Staff & Editor

Something isn't right on this. If the HTTP to outside would time out (and by this I understand steps 1+2), the HTTPS to FortiAuthenticator wouldn't be attempted (steps 8+9). Check again what exactly times out.

If the FortiAuthenticator web portal doesn't react, then the page shouldn't be loaded, as previously tested.

If the TCP handshake is failing and never arrives at FortiAuthenticator, check on FortiGate where the SYN is going in and out (the sniffer 4-6 would tell).
diag sniffer packet any 'host <fac-ip>' 4 0 a

If the SYN is arriving at FortiAuthenticator, but there is no response, do the same packet capture on FortiAuthenticator:

exec tcpdump -i any host <client-IP>
replace client IP if the FortiGate policy is doing NAT, then of course FortiAuthenticator won't see the client IP.

So for example

This message would mean my FortiAuthenticator isn't responding, which means I have to check how my client and the FortiAuthenticator are actually talking to each other. TCP handshake should be quite visible, but in that error case I'd assume that this isn't the case. That handshake somehow fails ("too long to respond"), because otherwise the error message will be different.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded