| Description |
This article describes how to resolve an issue with FortiGate Wi-Fi guest access when FortiAuthenticator is used as the external captive portal. The end user sees the following message in the browser and is asked to authenticate over and over again. This is triggered by the captive portal detection built into the browser and operating system. The portal page is also marked 'Not Secure', even though it is loaded over HTTPS:
|
| Solution |
The root cause is that the end users' devices do not trust the server certificate presented by the FortiAuthenticator. If the devices are domain-managed, push the CA certificate that issued the FortiAuthenticator server certificate to them via GPO; contact the internal CA team to arrange this. If the devices are not managed (guest users outside the domain, or unmanaged BYOD devices), an internal/private root CA certificate cannot be pushed to them.
In that case the certificate used for the FortiAuthenticator portal must be issued by a publicly trusted CA, so that no certificate error is displayed and the user experience is seamless:
Make sure the FortiAuthenticator has a hostname (FQDN) configured under System -> Dashboard -> Status -> Device FQDN, for example fac.bogusinc.xyz, and that guest clients can resolve that name to the portal's IP address.
If necessary, the FortiGate can be configured as the DNS server on the guest interface.
-
Source a certificate from a public CA and make sure the Subject Alternative Name (SAN) extension contains the FQDN. Modern browsers ignore the Common Name and show an error if the SAN is missing.
A wildcard certificate for the parent domain is also acceptable.
-
Import the certificate (together with its private key, unless the CSR was generated on the FortiAuthenticator) on the FortiAuthenticator (Cert Management -> Local Service -> Import).
-
Import the root CA and any intermediate CA on the FortiAuthenticator (Cert Management -> Cert Authorities -> Import). These are provided by the CA. If they are missing, open the certificate, go to the Certification Path tab and expand it to see the root CA and intermediate CA that are needed to complete the chain.
-
Switch the FortiAuthenticator web server to the new certificate (System -> Administration -> System Access -> HTTPS Certificate) and select its issuer (the CA certificate that was just uploaded), so that the full chain is presented to clients.
-
Make sure that redirecting the HTTP challenge to a secure channel (HTTPS) is enabled on the FortiGate (User & Authentication -> Authentication Settings -> Certificate). If the address shown in the browser's address bar is the FortiGate's own address (the default gateway of the Wi-Fi interface) instead of the FortiAuthenticator FQDN, this option is disabled. It must be enabled for this setup:
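As an added example that is not part of this article: the POSIX shell script below performs, offline, the checks that the certificate steps above imply. It builds a throwaway test CA and three leaf certificates (constructed test data only; the real portal certificate must come from a public CA) and then verifies that a certificate covers the portal FQDN through its SAN, by exact match or a one-label wildcard, and chains to the given CA bundle. The FQDN fac.bogusinc.xyz is the article's own example name; the file names and the requirement for OpenSSL 1.1.1 or later are assumptions.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: offline check that a captive
# portal certificate carries the portal FQDN in its SAN and chains to a CA.
# Requires OpenSSL 1.1.1 or later (assumption). FQDN below is the article's
# example name; override it with FQDN=... in the environment.
set -u
FQDN="${FQDN:-fac.bogusinc.xyz}"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_leaf <basename> [<subjectAltName value, e.g. DNS:host>]
# Signs a leaf for $FQDN with the throwaway CA; no SAN if the value is empty.
issue_leaf() {
  base="$1"; san="${2:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -keyout "$WORK/$base.key" -out "$WORK/$base.csr" >/dev/null 2>&1
  if [ -n "$san" ]; then
    printf 'subjectAltName=%s\n' "$san" > "$WORK/$base.ext"
    set -- -extfile "$WORK/$base.ext"
  else
    set --
  fi
  openssl x509 -req -in "$WORK/$base.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 "$@" -out "$WORK/$base.pem" >/dev/null 2>&1
}

# Constructed test material only: a throwaway root CA and three leaf certs.
# In production the leaf comes from a public CA; this just exercises the check.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Bogus Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  issue_leaf good  "DNS:$FQDN"            # what a public CA would issue
  issue_leaf wild  "DNS:*.${FQDN#*.}"     # wildcard for the parent domain
  issue_leaf nosan ""                     # CN only: browsers reject this
}

# check_portal_cert <leaf.pem> <ca-bundle.pem> <fqdn>
# Returns 0 if <fqdn> is covered by the SAN (exact match or a one-label
# wildcard) and the leaf verifies against <ca-bundle.pem>; otherwise prints
# the reason and returns 1. The CN is deliberately ignored, as browsers do.
check_portal_cert() {
  leaf="$1"; bundle="$2"; name="$3"
  san="$(openssl x509 -in "$leaf" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ' || true)"
  if [ -z "$san" ]; then
    echo "$leaf: no subjectAltName extension (a CN alone is not enough)"
    return 1
  fi
  wild="*.${name#*.}"
  if ! printf '%s\n' "$san" | tr ',' '\n' | grep -qxF -e "DNS:$name" -e "DNS:$wild"; then
    echo "$leaf: SAN [$san] does not cover $name"
    return 1
  fi
  if ! openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then
    echo "$leaf: does not chain to a CA in $bundle"
    return 1
  fi
  return 0
}

make_fixtures
for f in good wild nosan; do
  if check_portal_cert "$WORK/$f.pem" "$WORK/ca.pem" "$FQDN"; then
    echo "$f.pem: OK for $FQDN"
  fi
done
```

Against the live portal, dump what the FortiAuthenticator actually serves with `openssl s_client -connect fac.bogusinc.xyz:443 -servername fac.bogusinc.xyz -showcerts </dev/null`: the first certificate printed is the leaf, and any following ones are the intermediates the server sends. Run check_portal_cert on that leaf against the public root bundle of the operating system; if the intermediates are missing from the output, the chain the FortiAuthenticator presents is incomplete and the CA import step above was not completed.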

Once all of the above steps have been completed, the user should be able to authenticate without any errors:

|