New Member

Solved

SSL Certificate Issue when using HTTPS redirect on Captive portal

Forum|Forum|11 years ago
October 1, 2014
7 replies
49058 views

Hi All, I have userbased identity policies using captive portals. I have port 3, port 4 and a VLAN using different portals. These all work fine until I switch it to HTTPS redirect in Authentication then the captive portal throws up a certificate warning. I have run; config vdom edit root config firewall policy edit 16 set auth-redirect-addr test.test.co.uk (not the real address) set auth cert mycert end There is a dns entry on the local DC to point test.test.co.uk to the interface of port 3 (example) Now.... when you turn on HTTPS redirect and try and login you get a warning and invalid cert because the FW goes to xxx.xxx.208.1:1003/FGTAUTH? (lot of numbers) Any ideas anyone.

Best answer by Brady_Owen

f the browser shows a hostname like Some.Authpage.com/FGTAUTH? then you match need to match the text.

Adrian, I have changed the captive portal address via CLI to use an address which matches the wildcard cert *.xxx Then on the local DNS put an entry in for this to point to the interface IP. This should then work. When you say what is the exact error, the error is a certificate error.

Jeff_FTNT

Staff

You may import " Fortinet_CA" CA certificate ( Locate at FGT GUI:System->Certificates->CA certificates) to your browser as trust CA certificate, it will not have warning .

Brady_OwenAuthor

New Member

This is a third party certificate, the Cert and Ca have been loaded already.

Brady_OwenAuthor

New Member

Being a godaddy cert and CA I wouldn' t need to import the CA

Adrian_Buckley_FTNT

Staff

What EXACTLY is the error? I' m guessing it' s saying the cert is not valid for the location your visiting. A cert is considered valid for a location by the browser for a location that i) matches the CA ii) matches an entry in the ' alternative name' Since your browser is going to a.b.c.d/FGTAUTH? then the CA needs to match that IP address, or that IP needs to be included in the alternative name. If the browser shows a hostname like Some.Authpage.com/FGTAUTH? then you match need to match the text. Certificates support wildcards so you could do *.authpage.com, or something like that. I' ve never seen wildcards used with IPs.

Brady_OwenAuthorAnswer

New Member

f the browser shows a hostname like Some.Authpage.com/FGTAUTH? then you match need to match the text.

Adrian, I have changed the captive portal address via CLI to use an address which matches the wildcard cert *.xxx Then on the local DNS put an entry in for this to point to the interface IP. This should then work. When you say what is the exact error, the error is a certificate error.

newNetwork

New Member

I am facing this issue, I have a COMODO CA public cert for authpage.mydomain.com and this dns points to Lan IP of fortigate. When i try to access https://google.com for the first time from an unauthenticated client, it redirects and throws a warning and i guess in google chrome it refuses to proceed.

One of the work around as i can understand is to use wildcard certificate for mydomain.com instead of authpage.mydomain.com. will this prevent the warning or it is not going to help?

any other workaround?

what if i want to force the user to a specific http site for the first time in the day , http sites go through the auth page without any warning. once the user is authenticated , he can go to any site.

NSGuru

New Member

Hi All,

I know this issue happened a while back. But I recently ran into the same thing and wanted to let you know how i resolved this.

1.You will first need to have a trusted SSL Certificate.

Gather this certificate and install it to the Fortigate.

System > Certificates > Upload Local and then CA Certificate.

2. added DNS entry to server that will point to the Fortigate and the SSL certificate install example disclaimer.mydomain.com

For a quick test to confirm the certificate is working properly you can change the admin-cert to the trusted cert you installed by going to. System > Administrators > Settings > Change Certificate to your specified Cert name.

Now on a pc local to the domain go to the dns entry you added. You should now be able to reach the firewall without getting an untrusted page.

The next steps you will be following are all inside the Fortigate.

3. Open up the CLI of the fortigate and run

config firewall policy

edit 9 (this number represents the policy ID you will be using to redirect users to a disclaimer for authentication)

set auth-redirect-addr disclaimer.mydomain.com

set auth-cert (your specified cert name)

end

**** If you have multiple policies setup for disclaimer I would recommend running those commands for each Policy ID****

4. Open up the GUI of the fortigate and browse to

User and Device > Authentication > Settings > Certificate (Your specified cert name)

You should now be complete. Test and you should see that your PC redirects to the address you had chosen and has the trusted certificate as well.

Hope this helps.

boneyard

Valued Contributor

@NSGuru thanks for the explanation.

if you say Test at the end. how do you test? if you test with for example https://www.google.com do you then get it to work without certificate warnings?

NSGuru

New Member

Total Posts : 1Scores: 0Reward points: 0Joined: 8/3/2016Status: offline[/ul]

Re: SSL Certificate Issue when using HTTPS redirect on Captive portal Thursday, August 04, 2016 5:14 AM (permalink) 0 Hi All, I know this issue happened a while back. But I recently ran into the same thing and wanted to let you know how i resolved this. 1.You will first need to have a trusted SSL Certificate. Gather this certificate and install it to the Fortigate. System > Certificates > Upload Local and then CA Certificate. 2. added DNS entry to server that will point to the Fortigate and the SSL certificate install example disclaimer.mydomain.com For a quick test to confirm the certificate is working properly you can change the admin-cert to the trusted cert you installed by going to. System > Administrators > Settings > Change Certificate to your specified Cert name. Now on a pc local to the domain go to the dns entry you added. You should now be able to reach the firewall without getting an untrusted page. The next steps you will be following are all inside the Fortigate. 3. Open up the CLI of the fortigate and run config firewall policy edit 9 (this number represents the policy ID you will be using to redirect users to a disclaimer for authentication) set auth-redirect-addr disclaimer.mydomain.com set auth-cert (your specified cert name) end **** If you have multiple policies setup for disclaimer I would recommend running those commands for each Policy ID**** 4. Open up the GUI of the fortigate and browse to User and Device > Authentication > Settings > Certificate (Your specified cert name) You should now be complete. Test and you should see that your PC redirects to the address you had chosen and has the trusted certificate as well. Hope this helps. Helpful Report Abuse Forward Quote #8 boneyard

Quick Reply: (Open Full Version) Paragraph Font Family Font Size

Path: p Preview

Submit Post Home » All Forums » [link=https://forum.fortinet.com/tt.aspx?forumid=119][Other FortiGate and FortiOS Topics][/link] » User and Authentication » SSL Certificate Issue when using HTTPS redirect on Captive portal

Jump to: Jump to - - - - - - - - - - [FortiGate / FortiOS UTM features] - - - - AntiVirus - - - - Application Control - - - - Data Leak Prevention (DLP) - - - - Email filtering (AntiSPAM) - - - - Former Content Management Forum - - - - Intrusion Detection & Prevention - - - - Web Filtering [Fortinet Beta Programs] - - - - Beta Message Board [Fortinet Services] - - - - FortiCloud IOC [Other FortiGate and FortiOS Topics] - - - - Firewall - - - - Log & Report - - - - Miscellaneous -- FortiOS and FortiGate - - - - New Features -- FortiOS - - - - Routing and Transparent Mode - - - - System settings - - - - User and Authentication - - - - VPN [Other Fortinet Products] - - - - AscenLink - - - - Coyote Point - - - - FortiADC - - - - FortiAnalyzer - - - - FortiAP - - - - FortiAuthenticator - - - - FortiBalancer - - - - FortiBridge - - - - FortiCache - - - - FortiCamera & FortiRecorder - - - - FortiCarrier - - - - FortiCASB - - - - FortiClient - - - - FortiCloud - - - - FortiConnect - - - - FortiController - - - - FortiConverter - - - - FortiCore - - - - FortiDB - - - - FortiDDOS - - - - FortiDirector - - - - FortiDNS - - - - FortiExplorer - - - - FortiExtender - - - - FortiFone - - - - FortiGuard - - - - FortiHypervisor - - - - FortiMail - - - - FortiManager - - - - FortiMonitor - - - - FortiNAC - - - - Fortinet Security Fabric - - - - FortiPlanner - - - - FortiPortal - - - - FortiPresence - - - - FortiProxy - - - - FortiRPS - - - - FortiSandbox - - - - FortiScan - - - - FortiSIEM - - - - FortiSwitch - - - - FortiTester - - - - FortiToken - - - - FortiTap - - - - FortiVoice - - - - FortiWAN - - - - FortiWeb - - - - FortiWiFi - - - - Wireless Infrastructure (FortiWLC, FortiWLM, Meru) [Forum Information & Miscellaneous Topics] - - - - Forum News - - - - Ideas for Forum Site - - - - Fortinet Cookbook - - - - Knowledge Base - - - - Technical -- non-FortiOS - - - - Miscellaneous -- non-technical © 2018 APG vNext Commercial Version 5.5 Latest Posts Re: 30E - Streaming by Bose SoundTouch stucks every 10-15 Minutes

Fortimanager API /sys/login/user

[link=https://forum.fortinet.com/FindPost/167880/]Re: Cannot sync VPN CA certificate from FMG to FGT [FIXED][/link]

30E - Streaming by Bose SoundTouch stucks every 10-15 Minutes

Re: Fortigate SSL VPN disconnects between 2-5 minutes suddenly

[link=https://forum.fortinet.com/FindPost/167877/]Re: Cannot sync VPN CA certificate from FMG to FGT [FIXED][/link]

IPsec VPN Connection Failure

Re: Only "Super_User" profile has access to reports?

[/ul] Active Posts [link=https://forum.fortinet.com/tm.aspx?m=143211]Cannot sync VPN CA certificate from FMG to FGT [FIXED][/link]

Fortigate SSL VPN disconnects between 2-5 minutes suddenly

Forticlient iPad - Browsing Files

Port Forwarding on secondary Firewall

30E site-to-site VPN - slow, randomly erratic bandwidth