Description
This article explains how to use Secure authentication page on FortiGate.
Scope
Solution
When enabling Authentication (and/or Disclaimer) on a Firewall Policy, the FortiGate offers the option to redirect an HTTP authentication page to a Secure Channel (HTTPS).
In this scenario, the authentication page is redirected to a new HTTPS port and to the ingress FortiGate IP address.
The process is as follow:
[ USER ] ---- network ----- port1 [ FortiGate ] -- Resources
1 --------> User traffic hits a Firewall Policy with authentication and HTTPS redirect.
2 <------- Redirect with HTTPS port and IP address of port1.
3 --------> Authentication.
4 --------> Access to initial page requested .
In some instances, the FortiGate could be behind another router using a VIP, hence not reachable directly, or the administrator could want an FQDN name to be sent in place of an IP address
The network could now be as follow:
[ USER DEVICE ] ---- Internet -----[ Router] ---- port1 [ FortiGate ] -- Resources
(private IP)
In this case, the solution is to change the redirection information.
1) By giving a DNS entry (that the FortiGate and the user's device must be able to resolve).
#config firewall policy
edit <my_policy_ID>
set auth-redirect-addr "my.fortigate.com"
next
end
In this first case, the URL that the user's browser will see is : https://my.fortigate.com:1003/
Note: URL, such as the example "my.fortigate.com", is not an external server, but points back to the FortiGate.
This should be configured in the DNS server, or locally.
2) By specifying an IP address directly.
#config firewall policy
edit <my_policy_ID>
set auth-redirect-addr "the_public_Virtual_IP"
next
end
Reminder: The HTTPS redirect function and port can be configured from the following CLI commands:
#config user setting
set auth-secure-http enable (default = disable)
end
config system global
set auth-https-port 1442 (default = 1003)
end
In the case it is required to configure a different presented certificate, the parameter is:
#config user setting
set auth-cert <auth-cert>
set auth-ca-cert <auth-ca-cert>
In this case, auth-cert must be signed by auth-ca-cert in order not to trigger the untrusted certificate error, and the auth-ca-cert must be added to the browser.
Also, the CA certificate used in the user setting should be the same used in the ssl-inspection profile.
In case it is required to use the Captive Portal for Guest Users with HTTPS, make sure that a certificate signed by a Public CA is used.
Also make sure that Captive Portal detection on Client works. Otherwise the authentication page will come with the auth-ca-cert (which will obviously not be trusted by the client because it’s the private CA).
Further details about Captive Portal detection can be found on this external page:
https://success.tanaza.com/s/article/How-Automatic-Detection-of-Captive-Portal-works
For further information about authentication, please consult the "User Authentication User Guide" and the "Fortinet CLI guide" which may be found at http://docs.fortinet.com.
