I am experiencing issues with the FortiGate WPA2 Personal + captive portal deployment. I have used the portal type disclaimer+auth and I have found two main problems:
- First, when the users successfully log in, they are redirected to port 1000 of the firewall and not to the original request as configured. For example, let's say that the user has accessed google.com; after logging in on the captive portal they are not redirected to google.es, they are redirected to the firewall IP and port 1000. Any idea of the source of this issue?
- Second, when the users fail their credentials, they are no longer able to re-login; they need to disconnect themselves from the SSID and connect again to be able to re-login.
Generally: how is the captive portal triggered, and how is it set up?
Is this done on the interface level or per firewall policy?
You can check for 1):
It sounds like the user is supposed to log in once again, so the login might not have been captured.
To see what is known to the firewall you can use the firewall user monitor or, from the CLI, diag firewall auth list.
2) - I'd do exactly the same and check whether the user is known. The firewall session will be denied, but a session = srcIP:srcport<>dstIP:dstport (and user, if any). If that same session is re-used, the user will be denied by the same FW policy. Choose to connect to another site, and you should be asked to authenticate again.
After authenticating, the user is in the firewall auth user list. It seems that the error is just with the HTTP redirection. This issue starts when you ignore the auto-prompted captive portal and you start to navigate.
At this step, the FortiGate intercepts the traffic and shows the captive portal. If you log in successfully, you are redirected to the FW IP and port 1000, set as auth-port in the FortiGate global configuration. Has anybody suffered this in version 6.0.13?
I'm having a similar issue running v6.2.10. We have a guest WiFi network using WPA2 Personal with Captive Portal. Our settings are "Disclaimer Only" for Portal Type and "Original Request" for Redirect After. After a guest connects to the SSID, the default browser automatically opens with a redirect "detector" (Edge, Firefox and Chrome). Then it redirects to the FGT on port 1003. Firefox mentioned issues with certificates and with HSTS.
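For readers trying to follow the thread, here is an added example (written for this page, not posted by any of the participants) of the FortiOS CLI objects the posts above refer to: the global captive-portal listener ports (1000 for HTTP, 1003 for HTTPS, which are the ports the first poster and the v6.2.10 poster see in the redirect), the portal certificate setting behind the Firefox certificate/HSTS warning, the SSID-level captive portal settings (security mode, portal type and redirect-after behaviour, which answers the "interface level or per policy" question: for an SSID it lives on the VAP interface, and firewall policies from that interface then match the user groups), and the diagnostic commands mentioned. The SSID, group and passphrase names are placeholders, the `#` lines are editorial comments that the FortiGate CLI does not accept and must be stripped before pasting, and nothing here claims to resolve the redirect problem discussed above.

```fortios
# Captive-portal listener ports. 1000 and 1003 are the FortiOS defaults;
# these are the ports users land on after the portal login.
config system global
    set auth-http-port 1000
    set auth-https-port 1003
end

# Portal transport and certificate. With auth-secure-http enabled the portal
# is served on the HTTPS port (1003). The certificate named here is what the
# browser validates; the factory self-signed cert triggers warnings, and an
# HSTS-pinned site (e.g. a google.com first request) cannot be intercepted
# with it. auth-timeout is the idle timeout in minutes (value is an example).
config user setting
    set auth-secure-http enable
    set auth-cert "Fortinet_Factory"
    set auth-timeout 5
end

# SSID-level captive portal: WPA2 Personal + captive portal, disclaimer+auth,
# redirect to the originally requested URL after login.
# "guest-ssid", "Guest", the passphrase and "guest-group" are placeholders.
config wireless-controller vap
    edit "guest-ssid"
        set ssid "Guest"
        set security wpa2-only-personal+captive-portal
        set passphrase "ChangeMe-Example"
        set portal-type auth+disclaimer
        set redirect-after-captive-portal original
        set selected-usergroups "guest-group"
    next
end

# Diagnostics referred to in the thread.
diagnose firewall auth list                 # users the FortiGate currently treats as authenticated
diagnose firewall auth clear                # drop all authenticated entries (forces re-login; use with care)
diagnose wireless-controller wlac -d sta    # stations associated to the SSID and their state
```

When reproducing the first poster's symptom, run `diagnose firewall auth list` before and after the portal login: if the user appears there but the browser still sits on `<fw-ip>:1000` or `:1003`, authentication succeeded and only the post-login redirect is at fault, which is the distinction the earlier reply asks about.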