ac1
Contributor

After authentication a fortigate page appears

Hello everyone,
When a guest user authenticates via the captive portal, a FortiGate page appears on the browser with the address ---> http://192.168.x.x:1000/fgtauth
By pressing the "Send anyway" button you can navigate correctly.

How is it possible to remove this page?

Browser: Chrome
Captive Portal: FortiAuthenticator v6.1.2, build0420 (GA)

Thanks
Andrea

11 REPLIES
lmarinovic
Staff

Hello Andrea,

 

You can check this KB:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-secure-authentication-HTTPS-on-a-For...

 

Look at the part after 2nd point.

 

"Reminder: The HTTPS redirect function and port can be configured from the following CLI commands:

#config user setting
    set auth-secure-http enable  (default = disable)"
Try to configure secure HTTPS on FortiGate. If on the other hand you get a certificate warning, you can take a look at the next part about certificates and how the workstation needs to trust the website.

 

Best regards,

 

Lazar Marinovic

 

lmarinovic
Staff

Also you can crosscheck Security Mode Settings and Authentication under interface settings. Did you put portal type to Authentication and External Authentication portal and then FAC address?

 

And also, did you do the "set captive-portal-exempt enable" on the policy?

 

Take a look at this KB if you didn't:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-Captive-Portal-Exemption-on/...

 

Best regards,

 

Lazar Marinovic

ac1

Hi Lazar,

this is my configuration:

config system interface
    edit "GUEST"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set alias "200"
        set security-mode captive-portal
        set security-external-web "https://guestportal.guest.com/portal/"
        set security-redirect-url "https://www.google.com/"
        set security-exempt-list "GUEST-exempt-list"
        set security-groups "RADIUS-Guest"
        set device-identification enable
        set snmp-index 48
        set interface "port6"
        set vlanid 200
    next
end

config firewall policy
    edit 400
        set name "Guest_to_FortiAuthenticator"
        set srcintf "GUEST"
        set dstintf "LAN-FortiAuthenticator"
        set srcaddr "LAN-GUEST"
        set dstaddr "SRV-FortiAuthenticator"
        set action accept
        set schedule "always"
        set service "HTTPS" "ALL_ICMP" "HTTP"
        set logtraffic all
        set captive-portal-exempt enable
    next
end

 

After the user has successfully authenticated to the captive portal of the FortiAuthenticator, a web page appears with the IP of the FortiGate (with the IP of the Guest):

error.png

 

Sorry for the bad resolution!

If the user clicks on "Send anyway" the google page appears and the navigation works.

 

Thanks

Andrea

ac1
Contributor

Hi Lazar,

this is my configuration:

 

config system interface
    edit "GUEST"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set alias "200"
        set security-mode captive-portal
        set security-external-web "https://guestportal.guest.com/portal/"
        set security-redirect-url "https://www.google.com/"
        set security-exempt-list "GUEST-exempt-list"
        set security-groups "RADIUS-Guest"
        set device-identification enable
        set snmp-index 48
        set interface "port6"
        set vlanid 200
    next
end

config firewall policy
    edit 400
        set name "Guest_to_FortiAuthenticator"
        set srcintf "GUEST"
        set dstintf "LAN-FortiAuthenticator"
        set srcaddr "LAN-GUEST"
        set dstaddr "SRV-FortiAuthenticator"
        set action accept
        set schedule "always"
        set service "HTTPS" "ALL_ICMP" "HTTP"
        set logtraffic all
        set captive-portal-exempt enable
    next
end

config user setting
    set auth-type http https
    set auth-cert "Fortinet_Factory"
    set auth-timeout 15
end

The user successfully authenticates to the captive portal on the FortiAuthenticator, but then this page appears:

error.png

 

Sorry for bad resolution.

 

If the user clicks on "send anyway" the google page appears and the navigation works.

I want to remove this page because all the rest of the configuration works correctly.

 

Thanks

Andrea

ac1
Contributor

I configured the authentication settings on FortiGate:

config firewall auth-portal
    set portal-addr "firewall.mydomain.net"
end

config user setting
    set auth-type http https
    set auth-cert "wildcard_mydomain_net_2023"
    set auth-secure-http enable
    set auth-timeout 15
end

config system dns-database
    edit "mydomain.net"
        set domain "mydomain.net"
        set authoritative disable
        set forwarder "1.1.1.1" 
        config dns-entry
            edit 1
                set hostname "guestportal"
                set ip x.x.x.x
            next
            edit 2
                set hostname "firewall"
                set ip x.x.x.x
            next
        end
    next
end
config system dns-server
    edit "GUEST"
    next
end

But now any user fails to authenticate on the portal....

I'm desperate...

The last chance is to update the FortiAuthenticator to version 6.4.1.

 

ac1

Debbie_FTNT

Hey ac1,

Did you set the portal-address in FortiGate recently?

FortiAuthenticator captive portal policies rely on the IP or hostname of the FortiGate to match, and if you set a portal address on FortiGate, you have to create/edit an access point in the portal policy on FortiAuthenticator to contain that address, NOT the IP.

 

Check under https://<FortiAuthenticator>/debug - there should be 'RADIUS Authentication' in the drop-down menu. It will contain requests like 127.0.0.1->127.0.0.1, with NAC_Identifier FAC_GUEST; that's the captive portal authentication bit.

Check if there is an error like 'AP does not match policy x'.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
ac1

There were 3 different problems. I had to:

  • set the Authentication Settings with wildcard public certificate and redirects
  • create an A record on the DNS Server with the IP of the FortiGate guest interface
  • create on FortiAuthenticator an AP with the FQDN of the FortiGate, not the IP or others
  • correct the RADIUS authentication, removing the membership group from the FortiGate.

Now everything is working correctly.
guest user registration -> sending mail to the sponsor -> guest user authorization by the sponsor -> credentials arrive to the guest user -> guest user login -> navigation without error pages.

 

I have become an expert on this subject. If you need, write to me and I will be happy to help.
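One way to check a FortiGate configuration export for the FortiGate-side items in the solution above (secure redirect, non-built-in certificate, FQDN portal address, matching A record). This is an added example, not code from the thread's participants or from Fortinet; `parse_fortios` and `audit` are hypothetical helpers, the `Fortinet_` prefix test for built-in certificates is an assumption, and the FortiAuthenticator access point and RADIUS group settings are outside what it checks.

```python
import shlex
def parse_fortios(text):
    """Flatten config/edit/set/next/end blocks into {path: {key: [values]}}."""
    tree, path = {}, []
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0] in ("config", "edit"):
            path.append(" ".join(tok[1:]))
        elif tok and tok[0] in ("next", "end"):
            path.pop()
        elif tok and tok[0] == "set":
            tree.setdefault(tuple(path), {})[tok[1]] = tok[2:]
    return tree

def audit(text, guest_ip):
    """List the FortiGate-side problems from the thread that `text` still has."""
    t, out = parse_fortios(text), []
    us = t.get(("user setting",), {})
    if us.get("auth-secure-http") != ["enable"]:
        out.append("auth-secure-http is off: the portal answers over plain HTTP")
    if us.get("auth-cert", ["Fortinet_"])[0].startswith("Fortinet_"):  # assumed built-in prefix
        out.append("auth-cert is unset or a built-in certificate")
    portal = t.get(("firewall auth-portal",), {}).get("portal-addr", [""])[0]
    if not portal or portal.replace(".", "").isdigit():  # empty or IPv4 literal
        return out + ["portal-addr is not an FQDN"]
    a_rec = {f'{v["hostname"][0]}.{t[p[:2]]["domain"][0]}': v["ip"][0] for p, v in t.items()
             if len(p) == 4 and p[0] == "system dns-database" and p[2] == "dns-entry"}
    if a_rec.get(portal) != guest_ip:
        out.append(f"no A record maps {portal} to {guest_ip}")
    return out

# Constructed samples built from the settings posted in the thread (A record IP is made up).
BEFORE = 'config user setting\n    set auth-cert "Fortinet_Factory"\nend\n'
AFTER = """config firewall auth-portal
    set portal-addr "firewall.mydomain.net"
end
config user setting
    set auth-cert "wildcard_mydomain_net_2023"
    set auth-secure-http enable
end
config system dns-database
    edit "mydomain.net"
        set domain "mydomain.net"
        config dns-entry
            edit 1
                set hostname "firewall"
                set ip 192.168.1.1
            next
        end
    next
end"""
```

Calling `audit(BEFORE, "192.168.1.1")` reports three findings, while `audit(AFTER, "192.168.1.1")` returns an empty list.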

 

Fabio
New Contributor III

Hello ac1,

I posted a topic a few days ago ( https://community.fortinet.com/t5/Fortinet-Forum/Fortigate-wifi-external-portal-authentication-with/... ) and I was in the same situation as you. With useful tips from Debbie_FTNT and others I have come to the same conclusions as you (the only difference is that the DNS record of the FortiGate is entered in my hosts file, not in the DNS server, for testing). But the problem is connecting Apple devices, macOS and iOS devices: for them the captive portal doesn't appear, and even if I open a browser manually it doesn't show anything and I can't authenticate.

Did you try with these devices?

 

Regards

 

Fabio

Fabio
New Contributor III

Why did you remove the last point "in the radius authentication, removing the membership group from the FortiGate"?

Fabio