Transparent Proxy Kerberos Auth with Captive Portal does not work!

Question

Hi all,I recently configured Transparent Proxy Kerberos Auth (FOS 5.6.4) according to the following link:http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-WAN-opt/web_proxy.htm?cshid=policy_protocol_newedit I also setup a test domain-controller (Win2016) and domain joined test client (win10).When try to access the internet from the test client I see in the browser the redirect to the FG captive portal, configured on port 10443. Unfortunetely the FG does not respond on this port.When running a diagonose debug flow I will get:id=20085 trace_id=190 func=init_ip_session_common line=5470 msg="allocate a new session-00081811" id=20085 trace_id=190 func=vf_ip_route_input_common line=2576 msg="find a route: flag=84000000 gw-192.168.2.1 via root" id=20085 trace_id=190 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"  Somehow the client request to the captive portal will be blocked by the FG local-in policy. When I check the local-in policy I see that TCP/10443 is allowed. What can I do to get more information about this issue on the FG? Kerberos Config: config authentication setting  set captive-portal "tproxy.thrillnet.local"  set captive-portal-port 10443 end config authentication rule  edit "kerberos-auth"  set srcaddr "h_192.168.2.101_winclient"  set ip-based disable  set active-auth-method "kerberos-schema"  set web-auth-cookie enable  next end config authentication scheme  edit "kerberos-schema"  set method negotiate  set negotiate-ntlm disable  next end  config user krb-keytab  edit "http_service"  set principal "HTTP/tproxy.thrillnet.local@THRILLNET.LOCAL"  set ldap-server "WINSRV"  set keytab "BQIAAABGAAIAD1RIUklMTE5FVC5MT0NBTAAESFRUUAAWdHByb3h5LnRocmlsbG5ldC5sb2NhbAAAAAEAAAAAAwABAAgCDqGhcMHLugAAAEYAAgAPVEhSSUxMTkVULkxPQ0FMAARIVFRQABZ0cHJveHkudGhyaWxsbmV0LmxvY2FsAAAAAQAAAAADAAMACAIOoaFwwcu6AAAATgACAA9USFJJTExORVQuTE9DQUwABEhUVFAAFnRwcm94eS50aHJpbGxuZXQubG9jYWwAAAABAAAAAAMAFwAQ0uxS/NKvngOcUQ7y9q572QAAAF4AAgAPVEhSSUxMTkVULkxPQ0FMAARIVFRQABZ0cHJveHkudGhyaWxsbmV0LmxvY2FsAAAAAQAAAAADABIAIHqd+oGNYNcxvx/+hzY3Hc8I/igYt2aNkwnTZgLA36cpAAAATgACAA9USFJJTExORVQuTE9DQUwABEhUVFAAFnRwcm94eS50aHJpbGxuZXQubG9jYWwAAAABAAAAAAMAEQAQtdjtljVfT1zgiYsh3YnxWg=="  next end config user ldap  edit "WINSRV"  set server "192.168.2.100"  set cnid "sAMAccountName"  set dn "cn=users,dc=thrillnet,dc=local"  set type regular  set username "cn=Administrator,cn=users,dc=thrillnet,dc=local"  set password ENC   next end Proxy-Config: onfig firewall proxy-policy  edit 1  set uuid aa1adc5e-5a0c-51e8-a320-8d50a120593b  set proxy transparent-web  set srcintf "ThrillNet"  set dstintf "wan1"  set srcaddr "h_192.168.2.101_winclient"  set dstaddr "all"  set service "webproxy"  set action accept  set schedule "always"  set groups "grp_webusers"  set transparent enable  set utm-status enable  set av-profile "my-av-scan"  set profile-protocol-options "tproxy"  set ssl-ssh-profile "certificate-inspection"  next end Firewall Policy:edit 13  set name "tproxy"  set uuid 581d3556-5a06-51e8-5a72-d99af9dab0ce  set srcintf "ThrillNet"  set dstintf "wan1"  set srcaddr "h_192.168.2.101_winclient"  set dstaddr "all"  set action accept  set schedule "always"  set service "HTTP" "HTTPS"  set utm-status enable  set av-profile "my-av-scan"  set profile-protocol-options "tproxy"  set ssl-ssh-profile "certificate-inspection"  set nat enable  next config firewall profile-protocol-options  edit "tproxy"  config http  set ports 80 8080  unset options  set http-policy enable  unset post-lang  end  Thanks a lot for any feedback.RegardsThrillseeker

Fishbone_FTNT · Answer

Hi Thrillseeker,there are 2 things worth to check:1/ you need to enable wad kerberos captive portal on interface, ie:config system interface    edit port2        set proxy-captive-portal enable    nextend2/ check if tcp/10443 doesn't somehow collide with sslvpn Regards, Fishbone)(

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded