FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mricardez, Staff
Article Id 205261
Description This article describes how to configure certificates on FortiGate to avoid certificate warnings when a captive portal is used in a firewall policy.
Scope FortiGate v6.0, v6.2 and earlier.
Solution

When LDAP authentication is enabled in a firewall policy, FortiGate triggers captive portal authentication to obtain the user's credentials and validate them against the LDAP server.

By default, FortiGate uses port 1000 to authenticate HTTP traffic and port 1003 to authenticate HTTPS traffic.

config system global
    set auth-http-port 1000
    set auth-https-port 1003
end

When FortiGate receives traffic from an unauthenticated user IP, it proxies the connection and sends an HTTP redirect to the user's browser so that it connects to FortiGate's internal IP on port 1000 (HTTP) or 1003 (HTTPS) to authenticate.

For example, the host debian-fortinet (192.168.81.101) does not belong to the AD domain, but with LDAP authentication the device will still authenticate against the LDAP server.

When the user on debian-fortinet browses to an HTTPS site (for example https://www.google.com), the browser shows the following error: FortiGate intercepts the connection and uses the Fortinet_CA_SSL certificate to sign a certificate for Google on the fly, and the browser reports it as invalid because the issuer is not a public CA.

FortiGate must intercept the HTTPS connection and impersonate the destination site because it needs to inject the HTTP redirect that sends the browser to https://fortigate_ip:1003 to authenticate the user.

To avoid a certificate warning in the browser during captive portal authentication, apply the following procedure:

  1. A DNS record pointing to fortigate_ip is needed, because a certificate valid for that name will be required. fortigate_ip is FortiGate's internal IP address, usually the default gateway of the LAN PCs.

>nslookup captiveportal.markoz.local
Server: UnKnown
Address: 192.168.80.1

Name: captiveportal.markoz.local
Address: 192.168.81.254

  2. A valid certificate with a SAN issued by a public CA. For lab purposes, a wildcard certificate (*.markoz.local) has been used.

  3. In the lab environment there is no access to a public CA to sign the certificate, so a private root CA has been created to sign the certificate from step 2.

  4. Import the wildcard certificate into FortiGate. Both the CRT and the private key have been imported because the CSR and CRT were created outside FortiGate. If the CSR is created in FortiGate through the GUI, only the CRT received from the public CA needs to be imported.

  5. Import the private root CA into FortiGate.

Note:

If the wildcard certificate was issued by a public CA, this step can be skipped. However, the issuer of that wildcard certificate (often an intermediate CA certificate) must be present in FortiGate as a 'Remote CA' if it is not already there.

To check for existing Root CA certificates, follow: Technical Tip: How to View the Default Trusted CA Certificates on FortiGate and to verify the certificate chain, follow: Technical Tip: How to avoid certificate error message by chaining Root CA and Intermediate CA certif...

  6. Configure FortiGate to use the following URL as the captive portal address:

config firewall auth-portal
    set portal-addr "captiveportal.markoz.local"
end

  7. Configure the certificates as follows. The wildcard certificate is used when the browser connects to captiveportal.markoz.local, and ca.crt.pem is the private CA certificate used to impersonate the first URL the browser attempted:

config user setting
    set auth-cert "wildcard.markoz.local.crt.pem"
    set auth-ca-cert "ca.crt.pem"
    set auth-secure-http enable
end

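As an added example (not the article's own commands, and nothing FortiGate runs itself), the following POSIX shell script builds the lab PKI that steps 2 and 3 describe with OpenSSL: a private root CA that signs a wildcard certificate carrying a SAN. It then performs the two checks a browser makes when FortiGate redirects it to https://captiveportal.markoz.local:1003, namely that the certificate chains to ca.crt.pem and that the hostname matches the SAN. The output file names follow the article (ca.crt.pem, wildcard.markoz.local.crt.pem); the CA name and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own commands: build the lab PKI from steps
# 2 and 3 (private root CA -> wildcard certificate with SAN) with OpenSSL and
# run the checks a browser performs when redirected to the captive portal:
# the chain validates against ca.crt.pem and the hostname matches the SAN.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"        # assumption: scratch directory
CA_NAME="Lab Private Root CA"             # assumption: private root CA name
WILDCARD_NAME="*.markoz.local"            # wildcard name from the article
PORTAL_HOST="captiveportal.markoz.local"  # portal-addr from the article
SERVER_CERT="$WORKDIR/wildcard.markoz.local.crt.pem"
CA_CERT="$WORKDIR/ca.crt.pem"

# Step 3: private root CA (key + self-signed certificate with CA:TRUE).
make_root_ca() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    'prompt = no' '[dn]' "CN = $CA_NAME" '[v3_ca]' \
    'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' > "$WORKDIR/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORKDIR/ca.cnf" -keyout "$WORKDIR/ca.key.pem" \
    -out "$CA_CERT" 2>/dev/null
}

# Step 2: CSR for the wildcard name carrying a SAN, signed by the root CA.
# Browsers match the hostname against the SAN, not the CN, so the SAN is what
# makes captiveportal.markoz.local valid. The extensions are passed again at
# signing time because 'x509 -req' does not copy them from the CSR by default.
make_wildcard_cert() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'req_extensions = v3_req' \
    'prompt = no' '[dn]' "CN = $WILDCARD_NAME" '[v3_req]' \
    "subjectAltName = DNS:$WILDCARD_NAME, DNS:markoz.local" \
    'extendedKeyUsage = serverAuth' 'basicConstraints = CA:FALSE' \
    > "$WORKDIR/server.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORKDIR/server.cnf" \
    -keyout "$WORKDIR/wildcard.markoz.local.key.pem" \
    -out "$WORKDIR/wildcard.markoz.local.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$WORKDIR/wildcard.markoz.local.csr" \
    -CA "$CA_CERT" -CAkey "$WORKDIR/ca.key.pem" -CAcreateserial \
    -extfile "$WORKDIR/server.cnf" -extensions v3_req \
    -out "$SERVER_CERT" 2>/dev/null
}

# Chain check from the article's note: the server certificate must validate
# against the CA the browser trusts (here ca.crt.pem). Exit 0 only on "OK".
verify_chain() {
  openssl verify -CAfile "$CA_CERT" "$SERVER_CERT" 2>&1 | grep -q ': OK$'
}

# Chain check plus hostname-against-SAN check, which is what the browser does
# when redirected to https://<host>:1003. Non-zero exit on any mismatch.
verify_portal_host() {
  openssl verify -CAfile "$CA_CERT" -verify_hostname "$1" "$SERVER_CERT" 2>&1 \
    | grep -q ': OK$'
}

# Issuer of a certificate: when the server certificate comes from a public CA,
# this is the (often intermediate) CA that must exist as a Remote CA on FortiGate.
issuer_of() {
  openssl x509 -noout -issuer -in "$1"
}

run_lab() {
  make_root_ca
  make_wildcard_cert
  echo "Certificates written to $WORKDIR"
  echo "Issuer of server certificate: $(issuer_of "$SERVER_CERT")"
  if verify_chain; then echo "chain: OK"; else echo "chain: FAILED"; fi
  # A wildcard covers exactly one label: www.markoz.local matches,
  # a.b.markoz.local does not.
  for host in "$PORTAL_HOST" "www.markoz.local" "a.b.markoz.local"; do
    if verify_portal_host "$host"; then
      echo "hostname $host: matches SAN"
    else
      echo "hostname $host: does NOT match SAN"
    fi
  done
}

run_lab
```

The files the script writes correspond to what steps 4 and 5 import: wildcard.markoz.local.crt.pem with its key as the server certificate (auth-cert) and ca.crt.pem as the private CA (auth-ca-cert, and the CA the LAN browsers must trust). The hostname check is the reason step 1 exists: the browser validates the name it was redirected to, so the DNS name, the portal-addr setting and the SAN must all agree.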
Optionally, the default private CA certificate Fortinet_CA_SSL can be used as auth-ca-cert instead.

Fortinet_CA_SSL is the certificate used by the deep-inspection profile in SSL/SSH Inspection; all browsers in the LAN must already have it installed to avoid certificate warnings during regular browsing when deep inspection is enabled on firewall policies.

The next time a user browses to an HTTPS site, FortiGate intercepts the connection and redirects it to https://captiveportal.markoz.local:1003 to authenticate the user, without a certificate warning.

Related articles:

Technical Tip: Using secure authentication (HTTPS) on a FortiGate and redirecting the authentication...

Technical Tip: How to change the Captive Portal certificate

Technical Tip: Change the captive portal port