sjoshi
Staff
Article Id 358725
Description

 

This article explains the security alert 'The information you’re about to submit is not secure' that appears in the browser when using the captive portal.

 

Scope

 

FortiGate.

 

Solution

 

An external captive portal is configured using FortiAuthenticator as the authentication server, with the redirection URL set to https://www.google.com.

 

The captive portal config on FortiGate is as below:

 

ca.PNG

 

 

Users get the authentication page and, after entering their credentials, receive a 'FORM is not secure' warning with the URL 172.31.128.10:1000/fgtauth. The warning can be bypassed by selecting 'send anyway'.

 

Here the IP address 172.31.128.10 is the FortiGate LAN interface IP where the captive portal is set:

 

ch.PNG

 

The 'Form is Not Secure' alert appears consistently across all browsers.

 

The 'Form is Not Secure' warning is triggered because the FortiGate captive portal authentication page is served over HTTP instead of HTTPS. Modern browsers display this security alert to indicate that forms on HTTP pages are insecure, as data, including credentials, is transmitted in plain text.

 

Insecure HTTP Connection: The URL http://172.31.128.10:1000/fgtauth uses HTTP instead of HTTPS. Most browsers now display a 'Not secure' warning when users enter information on HTTP forms.

 

Observation shows that port 1000, the default HTTP authentication port, is being used. The setting below shows whether HTTP or HTTPS is configured for the captive portal.

 

config user setting
    set auth-secure-http disable
end 

 

To mitigate this issue, the following changes are required:

Enable Secure HTTP: Set auth-secure-http to enable to switch the captive portal to HTTPS.

 

Use this setting:


config user setting
    set auth-secure-http enable
end

 

The 'form is not secure' alert will no longer appear, and upon successful authentication, the page will redirect to the URL specified in the FortiGate captive portal settings.
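
The check below is an added example, not part of the original article or any Fortinet tooling: it reads a saved FortiGate configuration and reports, for each 'config user setting' block, whether the captive portal form is served over HTTP or HTTPS. The sample configuration is constructed, and treating a missing auth-secure-http line as disabled is an assumption (that 'show' output omits default values and that the default is disable).

```python
# Added example: audit a saved FortiGate config for the captive-portal HTTPS setting.
# SAMPLE_CONFIG is constructed for illustration, not taken from a real device.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-LAB"
end
config user setting
    set auth-timeout 10
    config auth-ports
        edit 1
            set type http
            set port 8080
        next
    end
    set auth-secure-http disable
end
"""


def user_setting_blocks(text):
    """Yield {key: value} for the 'set' lines directly inside each 'config user setting'."""
    stack, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):].strip())
            if stack[-1] == "user setting":
                current = {}
        elif line == "end" and stack:
            if stack.pop() == "user setting":
                yield current
                current = None
        elif line.startswith("set ") and stack and stack[-1] == "user setting":
            # Nested sub-tables (e.g. auth-ports) are skipped by the stack check above.
            _, key, *rest = line.split(None, 2)
            current[key] = rest[0].strip('"') if rest else ""


def audit(text):
    """Return 'https', 'http' or 'http (unset)' for each 'config user setting' block."""
    results = []
    for block in user_setting_blocks(text):
        value = block.get("auth-secure-http")
        if value == "enable":
            results.append("https")
        elif value == "disable":
            results.append("http")
        else:
            # Assumption: 'show' omits default values, and the default is disable.
            results.append("http (unset)")
    return results
```

An empty result means the file contains no 'config user setting' block at all, which should be reviewed by hand rather than read as a pass.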