FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 192673

Description

 
This article describes how to troubleshoot the Captive Network Assistant (CNA) and Captive Portal Detection features when the Captive Portal does not appear automatically when Android/Apple devices get isolated.


Scope

 

FortiNAC, FortiNAC-F.

Solution

 

When a computer connects to the network, it sends requests to certain sites (which sites depends on the operating system). If the response is anything other than what is expected, the operating system assumes there is no internet connection. The captive portal then launches automatically and the user is notified that they are in a Captive Network. Once the captive portal launches, the user enters information to register.

  1. Refer to the Enable Captive Network Assistant reference manual in the Fortinet Document Library for a list of domains each operating system uses.
  2. Navigate to System -> Settings -> Control -> Allowed Domains and verify that these domains are not present in the list.  
  3. If any of these domains are found, delete them, then save the settings.
  4. Reboot the phone to flush the DNS cache and reconnect.

If problems persist, refer to the applicable section below.


iOS and macOS:
Verify the isolated host is sending requests to hotspot-detect.html or library/test/success.html. 

 

In the FortiNAC CLI, type:

 

execute enter-shell  (required only in FortiNAC-F NACOS)

logs
grep <isolation IP address of host> /bsc/logs/apache/access_log | egrep -i "hotspot-detect.html|library/test/success.html"


Confirm that a 302 is sent in response. The test device should receive an automatic pop-up of the CNA.

Windows:

Verify the isolated host is sending requests to ncsi.txt. 

 

In the FortiNAC CLI, type:

 

execute enter-shell  (required only in FortiNAC-F NACOS)

logs

grep <isolation IP address of host> /bsc/logs/apache/access_log | grep -i "ncsi.txt"

Confirm that a 302 is sent in response.  The test device should receive an automatic pop-up of the CNA.


Android:

Verify the isolated host is sending HTTP requests to either generate_204 or gen_204.

  

In the FortiNAC CLI, type:

 

execute enter-shell  (required only in FortiNAC-F NACOS)

logs

grep <isolation IP address of host> /bsc/logs/apache/access_log | egrep -i "generate_204|gen_204"

Confirm that a 302 is sent in response to one of the requests. The test device should receive an automatic pop-up of the CNA.


Test that the device receives a notification about isolation from the system, and not from an app like Facebook Messenger, as some apps implement their own check.
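The three access_log checks above can be run in one pass. The following is an added example, not Fortinet's own tooling: it assumes the access_log uses the Apache common/combined format, and the function name cna_probe_summary and the sample log lines are constructed for illustration. Unlike a plain grep on the IP, it matches the client address field exactly, so 10.10.20.5 does not also match 10.10.20.50.

```shell
#!/bin/sh
# Added example: summarise captive-portal probe requests for one isolated host.
# Assumption: Apache common/combined log format, i.e. client IP is field 1,
# the request line is the first quoted string, and the status code follows it.

# cna_probe_summary <isolation-ip> <access_log>
# Prints one line per probe request: "<os> <path> <status> <OK|CHECK>".
# Returns 0 if at least one probe was answered with a 302, 1 otherwise.
cna_probe_summary() {
    awk -v ip="$1" '
        $1 != ip { next }                  # exact match on the client field
        {
            # Split on double quotes: q[2] is the request line,
            # q[3] begins with the status code.
            if (split($0, q, "\"") < 3) next
            split(q[2], req, " ")          # METHOD, URI, PROTOCOL
            split(q[3], rest, " ")         # STATUS, BYTES
            uri = tolower(req[2]); sub(/\?.*/, "", uri)
            os = ""
            if (uri ~ /hotspot-detect\.html$/ || uri ~ /library\/test\/success\.html$/) os = "apple"
            else if (uri ~ /ncsi\.txt$/) os = "windows"
            else if (uri ~ /\/(generate_204|gen_204)$/) os = "android"
            if (os == "") next             # not a captive-portal probe
            verdict = (rest[1] == "302") ? "OK" : "CHECK"
            if (verdict == "OK") redirected = 1
            print os, uri, rest[1], verdict
        }
        END { exit(redirected ? 0 : 1) }
    ' "$2"
}

# Constructed sample log lines (not taken from a real appliance).
sample_log() {
    cat <<'EOF'
10.10.20.5 - - [01/Jan/2024:10:00:01 +0000] "GET /hotspot-detect.html HTTP/1.1" 302 215
10.10.20.5 - - [01/Jan/2024:10:00:02 +0000] "GET /generate_204 HTTP/1.1" 200 0
10.10.20.50 - - [01/Jan/2024:10:00:03 +0000] "GET /ncsi.txt HTTP/1.1" 302 215
10.10.20.5 - - [01/Jan/2024:10:00:04 +0000] "GET /registration/index.html HTTP/1.1" 200 4096
EOF
}
```

On the appliance, call it as cna_probe_summary <isolation IP address of host> /bsc/logs/apache/access_log; any line marked CHECK is a probe that was not answered with a 302.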

Other Issues:

Captive Portal appears automatically but a blank white screen is displayed. This can occur when the server to which the phone was redirected is considered unreachable.

Solution:

Update the target to reflect the Portal FQDN defined under Portal -> Portal SSL.

 

Further Troubleshooting:

 

If behavior persists, take a packet capture from FortiNAC (viewable via Wireshark).

 

Start packet capture on eth1/port2.  

  • FortiNAC (CentOS)

 

logs

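tcpdump -i port2 port 53 or port 443 or port 80 and host x.x.x.x -w CaptureCNA.pcap

The ports are listed first because tcpdump evaluates "and" and "or" left to right with equal precedence; written this way, the host restriction applies to all three ports.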

 

The file CaptureCNA.pcap will be located in /bsc/logs. A WinSCP client can be used to collect the file.

 

  • FortiNAC-F (NACOS)


execute tcpdump -i port2 port 53 or port 443 or port 80 and host x.x.x.x -w CaptureCNA.pcap

 

When finished, stop the capture. The file will be located in the /home/admin directory. Use a TFTP/FTP/SCP server to collect the file.

  • Reboot the phone to ensure DNS is flushed.
  • Reconnect the phone.
  • Once the phone is connected and no pop-up occurs, press Ctrl-C to stop the capture.
  • Attach the capture to the support ticket and provide the test phone's IP address.

 

Related documents:

Technical Tip: Troubleshooting domain resolution in the isolation network

Installing SSL Certificates

Troubleshooting Tip: iPhones not redirected to captive portal