FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
kiri (Staff)
Article Id 392870
Description

This article describes how to resolve the captive portal issues affecting FortiAuthenticator v6.6.3 GA.

Scope FortiAuthenticator v6.6.3 GA.
Solution

A captive portal setup that works on v6.6.2 GA and older can break after an upgrade to v6.6.3 GA.

The error shown to the end user is: 'Please enter correct credentials.'

The FortiAuthenticator admin will find the following corresponding errors in the logs and in the RADIUS debug output. Note that the NAS is identified by the FQDN fortigate.local rather than by its IP address, which is what the AP (access point) matching trips over.

 

Log example: 

 

Authentication failed, NAS is not allowed for authentication

 

RADIUS debug example:

 

(0) facauth: ERROR: Invalid client_address format: fortigate.local
(0) facauth: ERROR: The AP of portal policy 11 does not contain client fortigate.local
(0) facauth: Updated auth log 'fortinet' for attempt from fortigate.local: user authentication error: NAS not allowed for authentication

 

For the captive portal to keep working, upgrade to the special build or to at least v6.6.4 GA, and meet one of the following two requirements:

  1. Have the AP (access point) entry configured as a single IP/FQDN, not as a range, nor as a subnet.

 

(Screenshot: ap.png, AP configured as a single IP/FQDN)

 

Or:

 

  2. If the AP is configured as a range or subnet, the DNS server FortiAuthenticator is using must have an entry for fortigate.local, resolving to the IP address of the FortiGate interface/WiFi where the captive portal is enabled, so that the resolved address falls inside the configured range or subnet.

 

For example:

 

(Screenshot: range.png, AP configured as a range or subnet)

 

> exe nslookup fortigate.local
Server: 127.0.0.1
Address: 127.0.0.1:53

Name: fortigate.local
Address: 10.25.25.1
>

 

On its own, an upgrade to v6.6.4 GA or later does not fix this issue. One of the two requirements above must also be met.

 

Note:

If the portal still does not work after upgrading to v6.6.4, check the logs: the admin will find the message 'Error resolving FQDN: fortigate.local-Validation result: no match', and the RADIUS debug shows the matching lines below.

This error occurs when the FQDN cannot be resolved to an IP address. Because the resolution fails, FortiAuthenticator matches the literal string fortigate.local against the AP entry, and a range or subnet entry (even the catch-all 0.0.0.0~255.255.255.255) can never match a hostname. To avoid this error, the DNS configured on FortiAuthenticator must be able to resolve the FQDN to an IP address.

 

AZR-FAC-01 radiusd[11792]: (5327) facauth: WARNING: Failed to resolve FQDN: fortigate.local, do matching as it is.
AZR-FAC-01 radiusd[11792]: (5327) facauth: Processing AP All (0.0.0.0~255.255.255.255)
AZR-FAC-01 radiusd[11792]: (5327) facauth: Validation result: not matched

 

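The following is an added example that models the AP matching outcomes described in this article; it is not FortiAuthenticator code, and the matching rules (literal comparison for a single IP/FQDN entry, address comparison for a range or subnet entry, and "match as it is" when DNS resolution fails) are assumptions made for the illustration. A dictionary stands in for the DNS server FortiAuthenticator is configured with so the script runs offline; passing None makes it use the real resolver of the host it runs on, which is handy for checking, from a machine using the same DNS as FortiAuthenticator, whether fortigate.local resolves into the configured AP range or subnet.

```python
import ipaddress
import socket

# Constructed DNS tables standing in for the resolver configured on
# FortiAuthenticator. An empty table reproduces the "FQDN does not resolve" case.
DNS_OK = {"fortigate.local": "10.25.25.1"}
DNS_BROKEN = {}


def resolve_fqdn(name, dns_table=None):
    """Return the IPv4 address for `name`, or None if it cannot be resolved.

    dns_table: dict used as an offline stand-in for DNS; None means query the
    real resolver of this host (useful when it shares DNS with FortiAuthenticator).
    """
    if dns_table is None:
        try:
            return socket.gethostbyname(name)
        except socket.gaierror:
            return None
    return dns_table.get(name)


def parse_ap(spec):
    """Parse an AP entry in one of the forms used on the page:
    '10.25.25.1' or 'host.example' (single), '10.25.25.1~10.25.25.50' (range),
    '10.25.25.0/24' (subnet)."""
    if "~" in spec:
        lo, hi = spec.split("~", 1)
        return ("range", ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    if "/" in spec:
        return ("subnet", ipaddress.ip_network(spec, strict=False))
    return ("single", spec)


def ap_matches(ap_spec, client, dns_table=None, ap_name=None):
    """Decide whether the NAS identity `client` (an IP literal or an FQDN such as
    fortigate.local) matches the AP entry `ap_spec`. Returns (matched, log_lines),
    with log lines shaped after the facauth debug output quoted in the article."""
    log = []
    kind, *params = parse_ap(ap_spec)

    # The NAS may be identified by an IP literal or by an FQDN.
    try:
        client_ip = ipaddress.ip_address(client)
    except ValueError:
        client_ip = None

    if client_ip is None:
        resolved = resolve_fqdn(client, dns_table)
        if resolved is None:
            # Assumed behaviour: resolution failed, so the literal string is used.
            log.append(f"WARNING: Failed to resolve FQDN: {client}, do matching as it is.")
        else:
            client_ip = ipaddress.ip_address(resolved)

    label = f"{ap_name} ({ap_spec})" if ap_name else ap_spec
    log.append(f"Processing AP {label}")

    if kind == "single":
        target = params[0]
        # A single entry matches the identity string itself or its resolved address.
        matched = target == client or (client_ip is not None and target == str(client_ip))
    elif kind == "range":
        lo, hi = params
        # A range can only ever match an address, never an unresolved hostname.
        matched = client_ip is not None and lo <= client_ip <= hi
    else:
        matched = client_ip is not None and client_ip in params[0]

    log.append("Validation result: " + ("matched" if matched else "not matched"))
    return matched, log


if __name__ == "__main__":
    # Failure case from the article: catch-all range, FQDN not resolvable.
    for line in ap_matches("0.0.0.0~255.255.255.255", "fortigate.local",
                           DNS_BROKEN, ap_name="All")[1]:
        print(line)
    # Requirement 2: same range once DNS resolves fortigate.local.
    print(ap_matches("10.25.25.0/24", "fortigate.local", DNS_OK))
    # Requirement 1: AP stored as the FQDN itself matches without DNS.
    print(ap_matches("fortigate.local", "fortigate.local", DNS_BROKEN))
```

Run it against the DNS FortiAuthenticator actually uses by calling ap_matches("10.25.25.0/24", "fortigate.local", None) from a host on that DNS: a "Failed to resolve FQDN" line means the record from requirement 2 is missing, and "not matched" with a resolved address means the record points outside the configured range or subnet.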