Skip to main content
nflnetwork29
nflnetwork29
Explorer III
April 23, 2025
Question

FortiNAC Captive Portal – HSTS/HTTPS Certificate Errors & CNA Not Triggering

  • April 23, 2025
  • 2 replies
  • 1289 views

We’re running FortiNAC 7.6.x (NAC-OS) with a trusted 3RD PARTY SSL certificate assigned to our captive portal. BYOD devices are redirected to the registration portal via VLAN isolation and FortiNAC policies.

However, we are encountering the following issues:

HSTS-enabled HTTPS sites (e.g., chatgpt.com, google.com) throw unskippable certificate errors (ERR_CERT_COMMON_NAME_INVALID) when intercepted before registration.

Windows 11 endpoints are not reliably triggering the Captive Network Assistant (CNA).

 

What we’ve confirmed:
A valid certificate is in place and bound to the portal (port2).

msftconnecttest.com is not in the Allowed Domains list.

DNS and HTTP access to FortiNAC from the Registration VLAN are working.

What we need:
Clear guidance or official best practices to ensure:

Windows CNA detection reliably triggers upon network join

HTTPS/HSTS certificate errors are avoided entirely

Any specific FortiNAC settings required to optimize detection behavior

Looking for any insight into possible misconfiguration, missing detection rules, or additional steps needed to make CNA-based onboarding seamless and secure.

2 replies

ebilcari
Staff
ebilcari
Staff
April 23, 2025

The choice to accept the redirection mostly resides on the host/browser behavior and any hardening technique that may have been applied in the host. Usually the browser should detect the presence of a captive portal and inform the user before proceeding with normal browsing. Default settings in FNAC Portal > Request Processing Rules should work with most of the end host types.

 

Firefox example in Win11:

 

firefox-portal.PNG

 

If the user types just the domain, the redirection should happen only using HTTP. If the link comes from a saved bookmark or browser history (https), the browser still should be able to detect that there is a portal and notify the user.

 

Chrome example in Win11:

new tab.PNG

 After pressing the 'Connect' button a new tab with FNAC portal is open.

Emirjon
    nflnetwork29
    nflnetwork29Author
    Explorer III
    April 23, 2025

    thanks for the reply - we do not see that behavior in Firefox or in chrome. Is there a specific Request Processing Rules in FNAC that can improve compatibility?

    ebilcari
    Staff
    ebilcari
    Staff
    April 24, 2025

    The default values should work well for most host types. If hardening techniques are applied on the end hosts, I don't believe changes on the FNAC side can improve the behavior. The common CNA changes are related to iPhone/iOS and some Android versions.

    Emirjon
    Terms & ConditionsAccessibility statement