Fortinet Forum
KennethH
New Contributor III

Captive Portal DNS help

Hello,

I am trying to set up a captive portal for BYOD.

Using this guide:
https://www.historiantech.com/how-to-set-up-a-byod-guest-portal-with-fortiauthenticator-fortigate-an...

 

My issue is that when the PC connects to the SSID, the WiFi interface is set as DNS server.

Getting this from FAZ:

[Image: KennethH_0-1643271670255.png]

The source is connected to the Guest-WIFI and client-ip is 172.31.120.2.

captive-portal-exempt is also enabled and exempt is set on the interface.

[Image: KennethH_1-1643271993910.png]

Do any of you great minds have any idea why?

Why is the client blocked from the DNS?

Learning fortinet....... :)
Mohit_S
Moderator

Hello,

Thanks for posting to the Fortinet Community Forum.

Let me know if the below-mentioned links help in your configuration.

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/934626/captive-portals

https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/982856/captive-portal-wifi-access-contro...

Mohit - Fortinet Community Team
Debbie_FTNT
Staff

Why is the WiFi interface set as DNS server? Is that intended and included in the DHCP options?

Did you set up a DNS database entry for the interface and a forwarder, so FortiGate/FortiWifi can handle/forward DNS requests coming to that interface?

Also, while the policy looks ok, the destinations are very specific. I don't know what IP 172.31.120.1 is, but if that's not your WiFi interface, then the traffic might not match the policy.

You could also go into the captive portal settings themselves and just exempt DNS service in general (under exempt destinations/services).

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
KennethH
New Contributor III

Hello Debbie,

Now it's time to get this Captive Portal working :)

Using this guide:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-configure-FortiGate-Captiv...

Note: I want to use the captive portal on WiFi, not wired.

I have the same problem as always.
The FAC is not returning any response to the client.
Browser error: ERR_EMPTY_RESPONSE


Learning fortinet....... :)
Debbie_FTNT

Hey Kenneth,

The guide should apply to WiFi just as much as wired - you do the captive portal settings in SSID instead of the interface, but that's about the only difference.
I assume from your statement the FortiGate is redirecting to FortiAuthenticator, but instead of the FortiAuthenticator login page opening, the browser displays 'ERR_EMPTY_RESPONSE'?

Can you double-check the portal policy in FortiAuthenticator? It needs to have two different IPs set - the IP FortiGate uses as RADIUS client (usually the interface it uses to communicate with FortiAuthenticator), and the IP/hostname of the interface it uses to redirect to captive portal (SSID interface IP).

In addition, you can check the following in FortiAuthenticator:
- go to https://<fortiauthenticator>/debug 
- select 'RADIUS Authentication' in the drop down
-> FortiAuthenticator treats captive portal authentication attempts as RADIUS against itself, so you might see something like 127.0.0.1:x -> 127.0.0.1:1812 and NAS-Identifier including the string 'FAC_GUEST'

Aside from that debug, double-check that you have an HTTPS server certificate set on FortiAuthenticator, and that captive portal is allowed in the FortiAuthenticator interface.

If the issue persists despite this, I would suggest opening a ticket with Fortinet Technical Support for some in-depth troubleshooting.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
KennethH
New Contributor III

Got it working after talking to TAC - The problem was certificate settings on FGT under auth-portal

Learning fortinet....... :)
Debbie_FTNT

Hey Kenneth,

Thanks for letting us know :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++