Hello everyone,
When a guest user authenticates via the captive portal, a FortiGate page appears on the browser with the address ---> http://192.168.x.x:1000/fgtauth
By pressing the "Send anyway" button you can navigate correctly.
How is it possible to remove this page?
Browser: Chrome
Captive Portal: FortiAuthenticator v6.1.2, build0420 (GA)
Thanks
Andrea
Solved! Go to Solution.
There were 3 different problems. I had to:
Now everything is working correctly.
guest user registration -> sending mail to the sponsor -> guest user authorization by the sponsor -> credentials arrive to the guest user -> guest user login -> navigation without error pages.
I have become an expert on this subject. if you need write me and I will be happy to help.
Hello Andrea,
You can check this KB:
Look at the part after 2nd point.
"Reminder: The HTTPS redirect function and port can be configured from the following CLI commands:
#config user setting
set auth-secure-http enable (default = disable)"
Try to configure secure https on FortiGate. If on the other hand you get certificate warning, you can take a look at the next part about certificates and how to workstation needs to trust the website.
Best regards,
Lazar Marinovic
Also you can crosscheck Security Mode Settings and Authentication under interface settings. Did you put portal type to Authentication and External Authentication portal and then FAC address.
And also did you did the "set captive-portal-exempt enable" on policy?
Take a look at this KB if you didn't:
Best regards,
Lazar Marinovic
Hi Lazar,
this is my configuration:
config system interface   
   edit "GUEST"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set alias "200"
        set security-mode captive-portal
        set security-external-web "https://guestportal.guest.com/portal/"
        set security-redirect-url "https://www.google.com/"
        set security-exempt-list "GUEST-exempt-list"
        set security-groups "RADIUS-Guest"
        set device-identification enable
        set snmp-index 48
        set interface "port6"
        set vlanid 200
    next
end
config firewall policy
    edit 400
        set name "Guest_to_FortiAuthenticator"
        set srcintf "GUEST"
        set dstintf "LAN-FortiAuthenticator"
        set srcaddr "LAN-GUEST"
        set dstaddr "SRV-FortiAuthenticator"
        set action accept
        set schedule "always"
        set service "HTTPS" "ALL_ICMP" "HTTP"
        set logtraffic all
        set captive-portal-exempt enable
    next
end
After the user has successfully authenticated to the captive portal of the FortiAuthenticator, a web page appears with the IP of the FortiGate (with the IP of the Guest):
sorry for the bad resolution!
If the user clicks on "Send anyway" the google page appears and the navigation works.
Thanks
Andrea
Hi Lazar,
this is my configuration:
config system interface   
   edit "GUEST"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set alias "200"
        set security-mode captive-portal
        set security-external-web "https://guestportal.guest.com/portal/"
        set security-redirect-url "https://www.google.com/"
        set security-exempt-list "GUEST-exempt-list"
        set security-groups "RADIUS-Guest"
        set device-identification enable
        set snmp-index 48
        set interface "port6"
        set vlanid 200
    next
end
config firewall policy
    edit 400
        set name "Guest_to_FortiAuthenticator"
        set srcintf "GUEST"
        set dstintf "LAN-FortiAuthenticator"
        set srcaddr "LAN-GUEST"
        set dstaddr "SRV-FortiAuthenticator"
        set action accept
        set schedule "always"
        set service "HTTPS" "ALL_ICMP" "HTTP"
        set logtraffic all
        set captive-portal-exempt enable
    next
end
config user setting
    set auth-type http https
    set auth-cert "Fortinet_Factory"
    set auth-timeout 15
endThe user successfully authenticates to the captive portal on the FortiAuthenticator, but then this page appears:
Sorry for bad resolution.
If the user clicks on "send anyway" the google page appears and the navigation works.
I want to remove this page beacause all the rest of configuration works correctly.
Thanks
Andrea
I configured the authentication settings on FortiGate:
config firewall auth-portal
    set portal-addr "firewall.mydomain.net"
end
config user setting
    set auth-type http https
    set auth-cert "wildcard_mydomain_net_2023"
    set auth-secure-http enable
    set auth-timeout 15
end
config system dns-database
    edit "mydomain.net"
        set domain "mydomain.net"
        set authoritative disable
        set forwarder "1.1.1.1" 
        config dns-entry
            edit 1
                set hostname "guestportal"
                set ip x.x.x.x
            next
            edit 2
                set hostname "firewall"
                set ip x.x.x.x
            next
        end
    next
end
config system dns-server
    edit "GUEST"
    next
endBut now any user fails to authenticate on the portal....
I'm desperate...
The last chace is update the FortiAuthetnticator to version 6.4.1.
ac1
Hey ac1,
Did you set the portal-address in FortiGate recently?
FortiAuthenticator captive portal policies rely on IP or hostname of the FortiGate to match, and if you set a portal address on FortiGate, you have to create/edit an access point in the portal policy on FortiAuthenticator to contain that address, NOT the IP.
Check under https://<FortiAuthenticator>/debug - there should be 'RADIUS Authentication in the drop-down menu'. It will contain requests like 127.0.0.1->127.0.0.1, with NAC_Identifier FAC_GUEST; that's the captive portal authentication bit.
Check if there is an error like 'AP does not match policy x'.
There were 3 different problems. I had to:
Now everything is working correctly.
guest user registration -> sending mail to the sponsor -> guest user authorization by the sponsor -> credentials arrive to the guest user -> guest user login -> navigation without error pages.
I have become an expert on this subject. if you need write me and I will be happy to help.
Hello ac1,
I post a topics few days ago ( https://community.fortinet.com/t5/Fortinet-Forum/Fortigate-wifi-external-portal-authentication-with/... ) and I was in the same your situation. With useful tips from Debbie_FTNT and other I have come to your own conclusions ( the only different it's the DNS record of Fortigate signed in my filehost not in DNS server for testing .. ) . But the problem it's to connect the Apple device, MacOS and iOS devices.. For they don't appear the captive portal .. and also if i open a browser manualy don't show anything and i can't authenticat..
Do you try with this devices?
Regards
Fabio
Why you remove the last point "in the radius authentication, removing the membership group from the FortiGate " ?
 
					
				
				
			
		
| User | Count | 
|---|---|
| 2678 | |
| 1412 | |
| 810 | |
| 703 | |
| 455 | 
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.