FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hatibi
Staff
Article Id 273615
Description

This article describes the use of Anonymous Authentication in the FortiNAC captive portal and the debugging needed to troubleshoot registration failures.

Scope

FortiNAC.

Solution

The Anonymous Authentication feature can be enabled in the FortiNAC captive portal to register guests as devices without any user tracking.

A guest opens the portal, may be prompted simply to accept an Acceptable Use Policy, and is then immediately registered as a device with a Role that Network Access policies can use to grant limited access. No Guest templates are involved and the user is never prompted for credentials.

This is useful where there is no interest in Guest Management and no need to track logged-in users, and the goal is simply to give guests easy access to a specific VLAN.

 

Configuration.

Step 1. Enable Anonymous Authentication in the Login menu.

Go to Portal -> Portal Configuration -> Registration -> Login Menu and enable the 'Anonymous Authentication Enabled' service.

 

Anonymous_login_menu.png

 

Step 2. Define the Acceptable Use Policy settings.

Go to Portal -> Portal Configuration -> Registration -> Anonymous Authentication.

Under 'Acceptable Use Policy', select 'Show in Page' so that the end user is required to confirm and acknowledge the policy on the captive portal before continuing with the registration process.

 

Anonymous_Auth_Acceptable_use_policy.png

 

Step 3. Define the Role that will be assigned to devices registered through Anonymous Authentication.

Go to Portal -> Portal Configuration -> Registration -> Anonymous Authentication Form.

Anonymous_Auth_form.png

After making the change, select 'Apply' at the bottom of the Portal Content Editor.

 

Validation.

At this point, a guest user can test by connecting to the network. Initially, FortiNAC enforces state-based control by putting the host in isolation and marking it as a Rogue in the Hosts view. FortiNAC acts as the DHCP and DNS server for isolated hosts and answers each HTTP request from an isolated endpoint with the captive portal page.

 

The guest user will be presented with the following page:

Anonymous_prompt.png

Once the user selects Anonymous Authentication, it is necessary to select the 'Acceptable Use Policy' button and then submit.

 

In some cases the following errors might appear:

Reg_failed.png

To debug captive portal services, enable the following debugs in FortiNAC-F:

diagnose debug plugin enable CaptivePortal
diagnose tail -F output.nessus

 

     a. The error 'Registration Failed unsupported error' might appear when FortiNAC has not yet built a Host record in its database and the user submits the authentication form.

The following debugs show the failure reason:

 

yams INFO :: 2023-07-04 20:15:10:554 :: #94 :: CampusMECBean.authenticateSMA() -- Quick IP-->Mac lookup on ip:192.168.10.5 found DE:AD:BE:EF:CA:FE
yams INFO :: 2023-07-04 20:15:10:555 :: #94 :: CampusMECBean.authenticateSMA() -- HostRecord lookup found: null
yams INFO :: 2023-07-04 20:15:10:555 :: #94 :: CampusMECBean.authenticateSMA() -- Created dummy HostRecord
yams INFO :: 2023-07-04 20:15:10:566 :: #94 :: Policy Name = null
yams INFO :: 2023-07-04 20:15:10:566 :: #94 :: Encoded User Id from campusMECBean = 9EE5A6EH7CCAF6JH7CW5A5WM
yams INFO :: 2023-07-04 20:15:10:566 :: #94 :: CampusMECBean MAC_ADDRESS: DE:AD:BE:EF:CA:FE IP: 192.168.10.5
yams INFO :: 2023-07-04 20:15:10:566 :: #94 :: OS = Windows
yams INFO :: 2023-07-04 20:15:10:567 :: #94 :: agenTID = XXXXXXXXXXXXXXXXXXXXXXXXXXX
yams INFO :: 2023-07-04 20:15:10:733 :: #94 :: Starting Portal Application
yams INFO :: 2023-07-04 20:15:10:778 :: #94 :: SMARegistration.jsp -- PostKeys and/or PostVals is null.
yams INFO :: 2023-07-04 20:15:10:778 :: #94 :: IP = 192.168.10.5 checkForNAT = false
yams INFO :: 2023-07-04 20:15:10:779 :: #94 :: ajp-nio-127.0.0.1-8009-exec-2 BscBean.getMACforRemoteIP() Remote IP = 192.168.10.5
ProbeObject = null
yams INFO :: 2023-07-04 20:15:10:779 :: #94 :: ajp-nio-127.0.0.1-8009-exec-2 No RemoteAccess ProbeObject for for IP = 192.168.10.5
yams INFO :: 2023-09-11 20:15:10:816 :: #94 :: Registration failed: Registration Failed unsupported error

 

     b. In a working case, FortiNAC has already built the Host record and then performs the registration on the host:

 

yams INFO :: 2023-07-04 13:59:00:891 :: #95 :: Auth Filter proxy running
yams INFO :: 2023-07-04 13:59:00:904 :: #95 :: getOS() IP 192.168.20.2 OS = Windows
yams INFO :: 2023-07-04 13:59:00:904 :: #95 :: ajp-nio-127.0.0.1-8009-exec-3 BscBean.getMACforRemoteIP() Remote IP = 192.168.20.2
ProbeObject = null
yams INFO :: 2023-07-04 13:59:00:905 :: #95 :: ajp-nio-127.0.0.1-8009-exec-3 No RemoteAccess ProbeObject for for IP = 192.168.20.2
yams INFO :: 2023-07-04 13:59:00:905 :: #95 :: CampusMECBean.authenticateSMA() -- Quick IP-->Mac lookup on ip:192.168.20.2 found DE:AD:BE:EF:CA:FE
yams INFO :: 2023-07-04 13:59:00:906 :: #95 :: CampusMECBean.authenticateSMA() -- HostRecord lookup found:      Host Record:
         Landscape = 4954321234 00:09:0F:00:09:0F
          ID = 203
          hostName = DESKTOP-FORTI8
          owner = null
          policy = null
          os = Windows 10
...
yams INFO :: 2023-07-04 13:59:00:941 :: #95 :: Policy Name = null
yams INFO :: 2023-07-04 13:59:00:941 :: #95 :: Encoded User Id from campusMECBean = XXXXXXXXXXXXXXXXXXXXXXX
yams INFO :: 2023-07-04 13:59:00:941 :: #95 :: CampusMECBean MAC_ADDRESS: XX:XX:XX:XX:XX:XX IP: 192.168.20.2
yams INFO :: 2023-07-04 13:59:00:941 :: #95 :: OS = Windows
yams INFO :: 2023-07-04 13:59:00:945 :: #95 :: agenTID = YYYYYYYYYYYYYYYYYYYYYYYYY
yams INFO :: 2023-07-04 13:59:00:961 :: #95 :: SMARegistration.jsp -- PostKeys and/or PostVals is null.
yams INFO :: 2023-07-04 13:59:00:961 :: #95 :: IP = 192.168.20.2 checkForNAT = false
yams INFO :: 2023-07-04 13:59:00:962 :: #95 :: ajp-nio-127.0.0.1-8009-exec-3 BscBean.getMACforRemoteIP() Remote IP = 192.168.20.2
ProbeObject = null
yams INFO :: 2023-07-04 13:59:00:962 :: #95 :: ajp-nio-127.0.0.1-8009-exec-3 No RemoteAccess ProbeObject for IP = 192.168.20.2
yams INFO :: 2023-07-04 13:59:01:048 :: #95 :: Registration complete
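The two debug traces above (failing case a. and working case b.) differ in one line: whether 'HostRecord lookup found:' returns null. As an added example, not part of the article or of FortiNAC itself, the following Python script applies exactly that check to CaptivePortal debug output, grouping lines by portal thread (#NN) and reporting the outcome per attempt. The sample lines are trimmed copies of the output shown above; the diagnosis wording is the script's own.

```python
import re
# Constructed sample: lines trimmed from the CaptivePortal debug output quoted above
# (thread #94 is the failing case, thread #95 the working one).
SAMPLE_LOG = """\
yams INFO :: 2023-07-04 20:15:10:554 :: #94 :: CampusMECBean.authenticateSMA() -- Quick IP-->Mac lookup on ip:192.168.10.5 found DE:AD:BE:EF:CA:FE
yams INFO :: 2023-07-04 20:15:10:555 :: #94 :: CampusMECBean.authenticateSMA() -- HostRecord lookup found: null
yams INFO :: 2023-07-04 20:15:10:555 :: #94 :: CampusMECBean.authenticateSMA() -- Created dummy HostRecord
yams INFO :: 2023-07-04 20:15:10:816 :: #94 :: Registration failed: Registration Failed unsupported error
yams INFO :: 2023-07-04 13:59:00:905 :: #95 :: CampusMECBean.authenticateSMA() -- Quick IP-->Mac lookup on ip:192.168.20.2 found DE:AD:BE:EF:CA:FE
yams INFO :: 2023-07-04 13:59:00:906 :: #95 :: CampusMECBean.authenticateSMA() -- HostRecord lookup found:      Host Record:
yams INFO :: 2023-07-04 13:59:01:048 :: #95 :: Registration complete
"""

# Line shape: "yams <LEVEL> :: <date> <time> :: #<thread> :: <message>"
LINE_RE = re.compile(r"^yams \w+ :: \S+ \S+ :: #(?P<thread>\d+) :: (?P<msg>.*)$")
LOOKUP_RE = re.compile(r"lookup on ip:(?P<ip>[\d.]+) found (?P<mac>[0-9A-Fa-f:]{17})")

def diagnose(s):
    """Turn the facts collected for one portal thread into an operator hint."""
    if s["outcome"] == "failed" and s["host_record"] is False:
        return (f"No Host record for {s['mac']} when the form was submitted; "
                f"check with 'DumpHostRecords -mac {s['mac']}' and retry once the host is learned")
    if s["outcome"] == "failed":
        return "Registration failed although a Host record exists; review the full debug output"
    if s["outcome"] == "complete":
        return "Registration completed"
    return "No registration outcome logged for this thread"

def triage(log_text):
    """Group debug lines by portal thread (#NN) and diagnose each registration attempt."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. dumped Host Record fields or 'ProbeObject = null'
        s = sessions.setdefault(m["thread"], {"ip": None, "mac": None, "host_record": None, "outcome": None})
        msg = m["msg"]
        lk = LOOKUP_RE.search(msg)
        if lk:
            s["ip"], s["mac"] = lk["ip"], lk["mac"].upper()
        elif "HostRecord lookup found:" in msg:
            # 'null' means the endpoint has no Host record in the FortiNAC database yet
            s["host_record"] = not msg.rstrip().endswith("null")
        elif msg.startswith("Registration failed"):
            s["outcome"] = "failed"
        elif msg.startswith("Registration complete"):
            s["outcome"] = "complete"
    for s in sessions.values():
        s["diagnosis"] = diagnose(s)
    return sessions
```

Feed it the saved output of `diagnose tail -F output.nessus` to get one verdict per portal thread instead of reading the trace line by line.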

 

 

To verify whether FortiNAC-F already has a Host record for the endpoint in its database, use the following commands:

execute enter-shell
Client -mac <MAC>
DumpHostRecords -mac <MAC>

 

**Replace <MAC> with the affected host MAC address**.

 

     c. Currently, Anonymous Authentication is not supported on a portal that uses Host Inventory as the success page type.

This refers to the success page defined in Portal -> Portal Configuration -> Global -> Settings.

 

Success_page type.png

 

 

Related document:

Splash page