Fortinet Forum
Unai_SecFnet
New Contributor II

WiFi captive portal problems

Hi Team!

 

I am experiencing issues with the FortiGate WPA2 personal+captive portal deployment. I have used the portal type disclaimer+auth and I have found two main problems:

 

- First, when the users successfully log in, they are redirected to port 1000 of the firewall and not the original request as configured. For example, let's say that the user has accessed google.com; after logging in to the captive portal they are not redirected to google.es, they are redirected to the firewall IP and port 1000. Any idea of the source of this issue?

 

- Second, when the users fail their credentials, they are no longer able to re-login; they need to disconnect themselves from the SSID and connect again to be able to re-login.

 

Thanks for help! 

5 REPLIES
Mohit_S
Moderator

Welcome to the Fortinet community and thank you for your post. Hopefully, you've been keeping safe and doing well!


We see you are facing the issue with WIFI Captive Portal.


You should receive an update from one of the team members soon. Thanks for your patience on this.

Mohit - Fortinet Community Team
Markus_M
Staff

Hey Unai_SecFnet,

generally: how is the captive portal triggered, how is it set up?

Is this done on the interface level or per firewall policy?

 

You can check for 1)

it sounds like the user is supposed to login once again, so the login might not have been captured.

To see what has been known to the firewall you can use the firewall user monitor or from the CLI diag firewall auth list.

2) - I'd do exactly the same and check whether the user is known. The firewall session will be denied - but a session = srcIP:srcport<>dstIP:dstport  (and user if any). If that same session is re-used, the user will be denied by the same FW policy. Choose to connect to another site, and you should be asked to authenticate again.

 

Best regards,

 

Markus

Unai_SecFnet

Hi Markus,

 

Thanks for the support, I will check both and I will update the thread. The captive portal is configured at the interface level; it is a WiFi WPA2+disclaimer+captive portal solution.

Unai_SecFnet
New Contributor II

Hi Markus,

 

After authenticating, the user is below the firewall auth user list. It seems that the error is just with the HTTP redirection. This issue starts when you ignore the auto-prompted captive portal and you start to navigate.

At this step, the FortiGate intercepts the traffic and shows the captive portal. If you log in successfully, you are redirected to the fw IP and the port 1000, set as auth-port in the FortiGate global configuration. Has anybody suffered this in version 6.0.13?

 

Thanks!

NickBurns

Hi Unai_SecFnet,

I'm having a similar issue running v6.2.10.  We have a guest WiFi network using WPA2 Personal with Captive Portal.  Our settings are "Disclaimer Only" for Portal Type and "Original Request" for the Redirect After.  After a guest connects to the SSID, the default browser automatically opens with a redirect "detector" (Edge, Firefox and Chrome).  Then it redirects to the FGT on port 1003.  Firefox mentioned issues with certificates and with HSTS.

Haven't found a solution yet.