FortiGate
Koushik_IND_Banglore
Article Id 345917
Description This article describes a workaround for captive portal authentication when it is blocked on Chrome due to HSTS enforcement (updated versions of Chrome).
Scope FortiGate.
Solution

When using the Chrome browser, users do not receive the authentication page (this happens with recent, updated versions of Chrome). It occurs when browsing specific sites before authentication (for example google.com) in Chrome.

The reason is that recent versions of Google Chrome implement HSTS for a number of sites, including google.com, which prevents an intermediate redirection such as the one to a captive portal.


With many websites now enforcing HSTS, secure captive portals fail to load when the user tries to browse to an HSTS-enforced site such as Google or Facebook. The browser treats the redirect as a man-in-the-middle (MITM) attack and refuses to let the user through to the portal. At a high level, HSTS (HTTP Strict Transport Security) is a policy that, when enabled, forces a browser to use an HTTPS connection instead of HTTP and allows the SSL certificate for a site to be cached in the browser for a predetermined length of time.

Once HSTS is enabled, the site sends a TTL in its HTTPS response header, for example 'Strict-Transport-Security: max-age=31536000'. The certificate received from the site is honored until that timeout expires. Future attempts to access the site reference that certificate and, if the certificate does not match, the browser will not allow the connection to the site to be established.

 

When the FortiGate captive portal is in use and users first browse to e.g. google.com, the session is intercepted and redirected to the captive portal address. The redirected communication uses FortiGate's self-signed certificate or a user-imported CA certificate (third-party signed), and Chrome does not accept that certificate for HSTS-enabled sites such as google.com.

Users will see the following error:

(Screenshot: HSTS.png)


This is a browser-side feature/security policy recently implemented by Chrome for selected sites which prevents HTTP redirection to a captive portal.

The issue can be resolved by enabling secure authentication, as shown below:


MAIN_FW (setting) # show
config user setting
    set auth-cert "Fortinet_Factory"
    set auth-ca-cert "Fortinet_CA_SSL"
    set auth-secure-http enable
end

After the above changes, download the 'Fortinet_CA_SSL' certificate from the FortiGate firewall and install it on all end users' PCs.

As a workaround, use a non-HSTS site when authenticating for the first time (for example Fortinet.com), or use Edge or Firefox to initiate the authentication. After successful authentication, users can use Chrome for internet access.
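The HSTS behaviour described above (the max-age TTL carried in the Strict-Transport-Security header, and the resulting refusal of the HTTP-to-portal redirect) together with the non-HSTS-site workaround can be modelled in a few lines. The following Python is an added example written for this article; it is not Fortinet code and not Chrome's implementation. It parses the header as defined in RFC 6797, keeps a per-host policy cache (with a constructed "preloaded" set standing in for the list Chrome ships built in), and reports whether a user's first-visited URL would be redirected to the portal or blocked. All host names and timestamps used below are constructed sample values.

```python
"""Model of a browser HSTS policy cache (RFC 6797) and its effect on a
captive-portal redirect.  Added example for this KB article; not Fortinet
or Chrome code."""
import re
import time
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time; float('inf') for preloaded hosts
    include_subdomains: bool


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid (RFC 6797 requires a numeric max-age directive)."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Per-host HSTS policies as a browser would keep them."""

    def __init__(self, preloaded=()):
        # Preloaded hosts never expire and cover subdomains.  The set passed in
        # is constructed for this example, not Chrome's real preload list.
        self._policies = {h.lower(): HstsPolicy(float("inf"), True) for h in preloaded}

    def observe_response(self, host, header_value, now=None):
        """Record the policy from an HTTPS response; max-age=0 removes it."""
        now = time.time() if now is None else now
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self._policies.pop(host.lower(), None)
        else:
            self._policies[host.lower()] = HstsPolicy(now + max_age, include_subdomains)
        return True

    def must_use_https(self, host, now=None):
        """True if host (or a covering parent domain) has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue                      # no policy, or it has expired
            if i == 0 or policy.include_subdomains:
                return True
        return False


def portal_redirect_outcome(cache, first_url, now=None):
    """'redirected': the plain-HTTP request can be intercepted and sent to the
    captive portal.  'blocked': the browser upgrades to HTTPS and rejects the
    FortiGate certificate with no click-through, as the article describes."""
    host = first_url.split("://", 1)[-1].split("/", 1)[0]
    return "blocked" if cache.must_use_https(host, now) else "redirected"


if __name__ == "__main__":
    cache = HstsCache(preloaded=("google.com",))   # constructed preload set
    for url in ("http://www.google.com/", "http://www.fortinet.com/"):
        print(f"{url:28} -> {portal_redirect_outcome(cache, url)}")
```

Running it directly prints google.com as blocked and fortinet.com as redirected, which is exactly why the workaround of starting authentication from a non-HSTS site works. The cache also implements the two edge cases a browser applies: a policy whose max-age has elapsed no longer forces HTTPS, and a response carrying max-age=0 deletes the stored policy.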