FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
kiri
Staff
Article Id 199160
Description

This article describes a problem seen when a FortiGate is configured for Wi-Fi guest access with FortiAuthenticator as the external captive portal: the end user sees the message below in the browser and is asked to authenticate over and over again.


Each click on 'Open Network Login Page' opens a new tab that asks for the same credentials again.


Also, the page is marked as 'Not Secure':

[Screenshot: browser address bar showing the portal page marked 'Not Secure']


Scope

FortiAuthenticator 6.X
Solution

Given that this setup is intended for guest users, the devices in use are not managed.

The private root CA cannot be pushed out to them, so a certificate issued by the private CA will not be trusted by the guest's browser.


Therefore, the certificate used for the FortiAuthenticator (FAC) portal must be issued by a publicly trusted CA, so that no certificate error is displayed and the user experience is seamless:

Make sure FortiAuthenticator has a hostname configured, and that the guest can resolve this hostname to the portal's IP address.

(e.g. fac.bogusinc.xyz -> System -> Dashboard -> Status -> Device FQDN).

If needed, the FortiGate can be configured as the DNS server on the guest interface.


1) Obtain a certificate from a public CA. Make sure the Subject Alternative Name (SAN) extension is present and contains the portal FQDN; some browsers will show errors if it is missing.

It can also be a wildcard certificate.


2) Import the certificate on the FortiAuthenticator (Cert Management -> Local Service -> Import).


3) Import the root CA and any intermediate CA certificates on the FortiAuthenticator (Cert Management -> Cert Authorities -> Import).

These are provided by the CA. If they are missing, open the certificate and check the Certification Path tab; expand it to see the root CA and intermediate CA(s) that are needed to complete the chain.


4) Switch the FortiAuthenticator web server to the new certificate (System -> Administration -> System Access -> HTTPS Certificate) and select its issuer (the root CA that was just uploaded).


5) Make sure HTTP redirect is enabled on the FortiGate (User&Auth -> Auth -> Certificate).

If an address like the one in the screenshot below (the default gateway of the Wi-Fi interface, i.e. the FortiGate) is shown in the browser's address bar instead of the FortiAuthenticator FQDN, then this option is disabled; it needs to be enabled for this setup:


[Screenshot: browser address bar showing the FortiGate gateway address instead of the FortiAuthenticator FQDN]
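The two certificate problems this article addresses (a missing SAN for the portal FQDN, and an incomplete CA chain) can be caught before the files from steps 1 and 3 are imported. The following checks are an added example, not part of this article or of any Fortinet tooling; they assume the openssl command-line tool, the leaf certificate and the root/intermediate bundle as PEM files, and use the article's example FQDN fac.bogusinc.xyz.

```shell
#!/bin/sh
# Added example (not from the article): pre-import checks for the
# FortiAuthenticator portal certificate. Assumes the openssl CLI (1.1.1+).

# Does the leaf certificate carry a SAN entry covering the portal FQDN?
# A wildcard for the parent domain (*.bogusinc.xyz) also counts, as the
# article allows wildcard certificates. Prints "ok" or "missing".
san_has_host() {
  cert="$1"; fqdn="$2"; parent="${fqdn#*.}"
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null || true)
  if printf '%s\n' "$sans" | grep -F -q "DNS:$fqdn"; then
    echo ok; return 0
  fi
  if printf '%s\n' "$sans" | grep -F -q "DNS:*.$parent"; then
    echo ok; return 0
  fi
  echo missing; return 1
}

# Does the CA bundle (root + intermediates, step 3) complete the chain for
# the leaf? Only the bundle is trusted here (-no-CAfile/-no-CApath), so a
# missing intermediate or root fails just as it does in a guest's browser.
chain_completes() {
  leaf="$1"; bundle="$2"
  openssl verify -no-CAfile -no-CApath -CAfile "$bundle" "$leaf" >/dev/null 2>&1
}

# Network check (needs the portal reachable): how many certificates does the
# FortiAuthenticator actually send? A browser needs the leaf plus every
# intermediate; a count of 1 means steps 3/4 are not complete.
served_chain_depth() {
  fqdn="$1"
  openssl s_client -connect "$fqdn:443" -servername "$fqdn" -showcerts \
    </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Usage (files from the public CA, FQDN from the article):
#   san_has_host portal.pem fac.bogusinc.xyz
#   chain_completes portal.pem ca-bundle.pem && echo "chain ok"
#   served_chain_depth fac.bogusinc.xyz
```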


Once all the above steps are completed, the user should be able to authenticate without any certificate errors:

[Screenshot: guest portal login page served over HTTPS without a certificate warning]
