Fortigate wifi external portal authentication with FortiAuthenticator
My Fortigate environment for wifi guest user is a external authentication portal by FortiAuthentication; i replace the Fortinet certicate SSL with my own CA ( Sectigo ) to avoid warning certificate from browser. The workflow begin with the external page of FortiAth " https://fac.xxzxzxzxx.YY/portal"; authentication is processed by Fortiauth but the browser goes redirect at internal page in this url "10.12.0.1:1000/fortiauth.... " without also the HTTPS form... This is the IP internal interface of Fortigate for the specific SSID. The browser warning that it's insecure because it's not in HTTPS and show the warning to trasmit the credential in a non secure channel... How do I avoid this warning and continue the protected session?
No, not going. Until the request goes to FortiAuth is ok but after the authentication it's redirect to Fortigate and an error page shows.. and the url change the port "10.12.0.1:1003/fortiauth" ( before was 10.12.0.1:1000/fortiauth)
In addition to Markus' update, one common fix is as follows:
On FortiGate, define a URL for its own captive portal: #config firewall auth-portal
#set portal-addr <portal.domain.com> #end Also specify HTTPS and an appropriate certificate in user settings: #config user setting #set auth-secure-http enable #set cert <cert matching portal URL above> #end -> This takes care of FortiGate captive portal being trusted
On FortiAuthenticator, you need to adjust the portal policy a bit; the Access Point entry in the portal policy needs to contain the FortiGate's portal address, not interface IP. The flow will be roughly: -> user hits FortiGate captive portal (with HTTPS/URL/trusted cert) -> user gets redirected to FortiAuthenticator portal (with HTTPS/URL/trusted cert) -> user authenticates -> FortiAuthenticator sends back to FortiGate portal (HTTPS/URL/trusted cert) -> FortiGate directs to specified URL or original request
There can be issues if FortiGate captive portal is on HTTP and FortiAuthenticator on HTTPS, for example; after authentication FortiAuthenticator would direct back to an HTTP page, and many browers do not allow redirect from an HTTPS page to HTTP. If on the other hand you're using HTTPS captive portal on FortiGate, then there's certificate issues if default certificates are used.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Debbie it’s OK, works and i don’t have anymore warning in the browser for Windows notebook but for Apple device ( macOS and iOS) don’t start the captive portal for authentication even if I open a browser.. any idea ..?
Apple devices make use of Captive Network Assistant (CNA) which can detect the use of a captive portal. The apple device attempts to visit the page captive.apple.com. If the apple device is successful, the CNA doesn't load, but if it unsuccessful, then it launches a browser to prompt the user with the login page from the captive portal. When this browser is inadvertently closed or ignored, the device is disconnected from the network. Often times the user is unaware and does not know why email and updates are not being downloaded.