Description: This article describes how to troubleshoot a certificate warning that appears when a public CA-signed certificate is used for the captive portal.

Scope: FortiGate.

Solution:

In this scenario, the captive portal is configured for a WiFi SSID that uses SAML SSO authentication. Refer to this document for the configuration process: Technical Tip: Wireless Authentication using SAML credentials and as Azure IdP.

To configure a custom certificate for the captive portal page, go to User & Authentication -> Authentication Settings and choose the correct certificate from the drop-down list.

From the client side, verify that the captive portal page presents the correct certificate, signed by a trusted public CA. In this case the certificate is signed by GoDaddy, which the browser is expected to trust, yet the certificate warning is still observed.

A packet capture on the Wi-Fi client shows that it is trying to download the CA certificate from the Internet. This happens when the certificate chain cannot be completed: the client attempts to fetch the missing CA certificates. By default this traffic is denied, because it occurs before the user has authenticated.

To resolve the issue, create an address object for the FQDN and a firewall policy that allows this traffic and exempts it from the captive portal:

    config firewall address
        edit "certificates.godaddy.com"
            set type fqdn
            set fqdn "certificates.godaddy.com"
        next
    end

    config firewall policy
        edit 5
            set name "SAML-AZURE-Wireless-Captive-Portal"
            set srcintf "SAML-WiFi"     <- SSID interface
            set dstintf "wan1"          <- WAN interface
            set action accept
            set srcaddr "all"
            set dstaddr "certificates.godaddy.com"
            set schedule "always"
            set service "HTTPS" "HTTP"
            set logtraffic all
            set nat enable
            set captive-portal-exempt enable
        next
    end
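The following script is an added example, not part of the Fortinet article: run from a client, it checks whether the captive portal's HTTPS endpoint presents a complete chain and, if it does not, lists the CA Issuers host a client would try to fetch (the FQDN the exempt policy needs). The host and port are assumptions; the parsing functions read stdin so they can be exercised against captured `openssl` output without a network connection.

```shell
#!/bin/sh
# Added example (not from the Fortinet article). Requires openssl 1.1.1+ for `-ext`.

# Number of certificates in the "Certificate chain" section of
# `openssl s_client -showcerts` output. 1 means only the leaf was sent.
chain_cert_count() {
    sed -n '/^Certificate chain/,/^---$/p' |
        awk '/BEGIN CERTIFICATE/ { n++ } END { print n + 0 }'
}

# Numeric "Verify return code" from s_client output. 21 ("unable to verify
# the first certificate") is the usual symptom of a missing intermediate.
verify_return_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p'
}

# Hostnames from the CA Issuers URIs of an authorityInfoAccess extension, as
# printed by `openssl x509 -noout -ext authorityInfoAccess`.
ca_issuer_hosts() {
    sed -n 's#^ *CA Issuers - URI:[a-z]*://\([^/]*\).*#\1#p' | sort -u
}

# Live check (needs network): connect with SNI, report chain length and verify
# code, then list the AIA hosts of the leaf certificate. Returns 0 only when the
# chain verifies. Host and port are assumed arguments, e.g. the portal FQDN.
check_portal_chain() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -showcerts </dev/null 2>/dev/null)
    n=$(printf '%s\n' "$out" | chain_cert_count)
    rc=$(printf '%s\n' "$out" | verify_return_code)
    echo "certificates presented: $n, verify return code: ${rc:-?}"
    # First PEM block in the output is the server (leaf) certificate.
    leaf=$(printf '%s\n' "$out" | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' |
               sed '/END CERTIFICATE/q')
    printf '%s\n' "$leaf" | openssl x509 -noout -ext authorityInfoAccess 2>/dev/null |
        ca_issuer_hosts | sed 's/^/CA Issuers host (client fetches this if chain is incomplete): /'
    [ "${rc:-1}" -eq 0 ]
}
```

A count of 1 with return code 21 means the FortiGate is sending only the leaf certificate; the exempt policy above lets the client complete the chain itself, and importing the issuing CA certificate together with the server certificate on the FortiGate removes the need for that fetch.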
Copyright 2025 Fortinet, Inc. All Rights Reserved.