Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ac1
Contributor II

Created on ‎02-04-2022 08:51 AM

After authentication a fortigate page appears

Hello everyone,
When a guest user authenticates via the captive portal, a FortiGate page appears on the browser with the address ---> http://192.168.x.x:1000/fgtauth
By pressing the "Send anyway" button you can navigate correctly.

How is it possible to remove this page?

Browser: Chrome
Captive Portal: FortiAuthenticator v6.1.2, build0420 (GA)

Thanks
Andrea

15374
0 Kudos
1 Solution
ac1
Contributor II
In response to Debbie_FTNT

Created on ‎02-25-2022 08:33 AM

There were 3 different problems. I had to:

  • set the Authentication Settings with wildcard public certificate and redirects
  • create an A record on the DNS Server with the IP of the FortiGate guest interface
  • create on FortiAuthenticator an AP with fqdn of the fortigate, not the ip or others
  • correct the radius authentication, removing the membership group from the FortiGate.

Now everything is working correctly.
guest user registration -> sending mail to the sponsor -> guest user authorization by the sponsor -> credentials arrive to the guest user -> guest user login -> navigation without error pages.

 

I have become an expert on this subject. if you need write me and I will be happy to help.

 

View solution in original post

15182
11 REPLIES 11
lmarinovic
Staff
Staff

Created on ‎02-07-2022 02:10 PM

Hello Andrea,

 

You can check this KB:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-secure-authentication-HTTPS-on-a-For...

 

Look at the part after 2nd point.

 

"Reminder: The HTTPS redirect function and port can be configured from the following CLI commands:

#config user setting
    set auth-secure-http enable  (default = disable)"
Try to configure secure https on FortiGate. If on the other hand you get certificate warning, you can take a look at the next part about certificates and how to workstation needs to trust the website.

 

Best regards,

 

Lazar Marinovic

 

Best regards

Lazar Marinovic
13880
0 Kudos
lmarinovic
Staff
Staff

Created on ‎02-07-2022 02:23 PM

Also you can crosscheck Security Mode Settings and Authentication under interface settings. Did you put portal type to Authentication and External Authentication portal and then FAC address.

 

And also did you did the "set captive-portal-exempt enable" on policy?

 

Take a look at this KB if you didn't:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-Captive-Portal-Exemption-on/...

 

Best regards,

 

Lazar Marinovic

Best regards

Lazar Marinovic
13877
0 Kudos
ac1
Contributor II
In response to lmarinovic

Created on ‎02-08-2022 02:23 AM

Hi Lazar,

this is my configuration:

config system interface   
   edit "GUEST"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set alias "200"
        set security-mode captive-portal
        set security-external-web "https://guestportal.guest.com/portal/"
        set security-redirect-url "https://www.google.com/"
        set security-exempt-list "GUEST-exempt-list"
        set security-groups "RADIUS-Guest"
        set device-identification enable
        set snmp-index 48
        set interface "port6"
        set vlanid 200
    next
end

config firewall policy
    edit 400
        set name "Guest_to_FortiAuthenticator"
        set srcintf "GUEST"
        set dstintf "LAN-FortiAuthenticator"
        set srcaddr "LAN-GUEST"
        set dstaddr "SRV-FortiAuthenticator"
        set action accept
        set schedule "always"
        set service "HTTPS" "ALL_ICMP" "HTTP"
        set logtraffic all
        set captive-portal-exempt enable
    next
end

 

After the user has successfully authenticated to the captive portal of the FortiAuthenticator, a web page appears with the IP of the FortiGate (with the IP of the Guest):

error.png

 

sorry for the bad resolution!

If the user clicks on "Send anyway" the google page appears and the navigation works.

 

Thanks

Andrea

13843
0 Kudos
ac1
Contributor II

Created on ‎02-08-2022 06:56 AM

Hi Lazar,

this is my configuration:

 

config system interface   
   edit "GUEST"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set alias "200"
        set security-mode captive-portal
        set security-external-web "https://guestportal.guest.com/portal/"
        set security-redirect-url "https://www.google.com/"
        set security-exempt-list "GUEST-exempt-list"
        set security-groups "RADIUS-Guest"
        set device-identification enable
        set snmp-index 48
        set interface "port6"
        set vlanid 200
    next
end

config firewall policy
    edit 400
        set name "Guest_to_FortiAuthenticator"
        set srcintf "GUEST"
        set dstintf "LAN-FortiAuthenticator"
        set srcaddr "LAN-GUEST"
        set dstaddr "SRV-FortiAuthenticator"
        set action accept
        set schedule "always"
        set service "HTTPS" "ALL_ICMP" "HTTP"
        set logtraffic all
        set captive-portal-exempt enable
    next
end

config user setting
    set auth-type http https
    set auth-cert "Fortinet_Factory"
    set auth-timeout 15
end

The user successfully authenticates to the captive portal on the FortiAuthenticator, but then this page appears:

error.png

 

Sorry for bad resolution.

 

If the user clicks on "send anyway" the google page appears and the navigation works.

I want to remove this page beacause all the rest of configuration works correctly.

 

Thanks

Andrea

13843
0 Kudos
ac1
Contributor II

Created on ‎02-15-2022 08:38 AM

I configured the authentication settings on FortiGate:

config firewall auth-portal
    set portal-addr "firewall.mydomain.net"
end

config user setting
    set auth-type http https
    set auth-cert "wildcard_mydomain_net_2023"
    set auth-secure-http enable
    set auth-timeout 15
end

config system dns-database
    edit "mydomain.net"
        set domain "mydomain.net"
        set authoritative disable
        set forwarder "1.1.1.1" 
        config dns-entry
            edit 1
                set hostname "guestportal"
                set ip x.x.x.x
            next
            edit 2
                set hostname "firewall"
                set ip x.x.x.x
            next
        end
    next
end
config system dns-server
    edit "GUEST"
    next
end

But now any user fails to authenticate on the portal....

I'm desperate...

The last chace is update the FortiAuthetnticator to version 6.4.1.

 

ac1

13789
0 Kudos
Debbie_FTNT
Staff
Staff
In response to ac1

Created on ‎02-16-2022 04:10 AM

Hey ac1,

Did you set the portal-address in FortiGate recently?

FortiAuthenticator captive portal policies rely on IP or hostname of the FortiGate to match, and if you set  a portal address on FortiGate, you have to create/edit an access point in the portal policy on FortiAuthenticator to contain that address, NOT the IP.

 

Check under https://<FortiAuthenticator>/debug - there should be 'RADIUS Authentication in the drop-down menu'. It will contain requests like 127.0.0.1->127.0.0.1, with NAC_Identifier FAC_GUEST; that's the captive portal authentication bit.

Check if there is an error like 'AP does not match policy x'.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
13780
ac1
Contributor II
In response to Debbie_FTNT

Created on ‎02-25-2022 08:33 AM

There were 3 different problems. I had to:

  • set the Authentication Settings with wildcard public certificate and redirects
  • create an A record on the DNS Server with the IP of the FortiGate guest interface
  • create on FortiAuthenticator an AP with fqdn of the fortigate, not the ip or others
  • correct the radius authentication, removing the membership group from the FortiGate.

Now everything is working correctly.
guest user registration -> sending mail to the sponsor -> guest user authorization by the sponsor -> credentials arrive to the guest user -> guest user login -> navigation without error pages.

 

I have become an expert on this subject. if you need write me and I will be happy to help.

 

15183
Fabio
Contributor
In response to ac1

Created on ‎03-26-2022 12:42 AM

Hello ac1,

I post a topics few days ago ( https://community.fortinet.com/t5/Fortinet-Forum/Fortigate-wifi-external-portal-authentication-with/... ) and I was in the same your situation. With useful tips from Debbie_FTNT and other I have come to your own conclusions ( the only different it's the DNS record of Fortigate signed in my filehost not in DNS server for testing .. ) . But the problem it's to connect the Apple device, MacOS and iOS devices.. For they don't appear the captive portal .. and also if i open a browser manualy don't show anything and i can't authenticat..

Do you try with this devices?

 

Regards

 

Fabio

Fabio
Fabio
13264
0 Kudos
Fabio
Contributor
In response to Fabio

Created on ‎03-26-2022 12:43 AM

Why you remove the last point "in the radius authentication, removing the membership group from the FortiGate " ?

Fabio
Fabio
13263
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.