Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Apple Devices with Captive Portal
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apple Devices with Captive Portal
Having had quite a few issues, there is one annoying one that is remaining, I have a Fortigate running an SSID using the FAC as the Portal for registration etc, which is working fine on Android, Laptops etc. but any apple device when selecting the SSID redirects to the "captive.apple.com" page on the phones and displays the message "Hotspot login, cannot open the page, the server cannot be found"
if the user browses to this captive address you do get the "success" message. Im raising this here as there are a few articles that tell you , on the Fortigate to "exempt" captive.apple.com from the SSID, which I have done. this article: Captive Portal on Apple devices - Fortinet Community doesnt do anything, is anyone able to offer some assistance? is this because the iphone has cellular data turned on or related setting?
thanks
Labels:
- Labels:
-
FortiAuthenticator
-
FortiGate
- « Previous
- Next »
22 REPLIES 22
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You'll need a tool to check certificates sent by the server (FAC). As said, just browsing FortiAuthenticator from the end station without a captive portal has to work without issues.
You can use OpenSSL to check from within the guest network, unauthenticated, as to what FortiAuthenticator sends. You can either install it directly on Windows or use it from within WSL on Windows or from Linux natively. Command to use:
openssl s_client -connect fortiauthenticator.fqdn.local:443
expected output for sample:
openssl s_client -connect community.fortinet.com:443 -tls1_2
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = Texas, L = Austin, O = "Khoros, LLC", CN = secure03.lithium.com
verify return:1
---
Certificate chain
0 s:C = US, ST = Texas, L = Austin, O = "Khoros, LLC", CN = secure03.lithium.com
i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 27 00:00:00 2025 GMT; NotAfter: Jul 28 23:59:59 2026 GMT
1 s:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 30 00:00:00 2021 GMT; NotAfter: Mar 29 23:59:59 2031 GMT
whereas 0 = your FortiAuthenticator certificate, 1 = the intermediate that signed FortiAuthenticator certificate (0). Maybe there are more. FAC is however expected to send every certificate in the chain, except the root CA, which should already be on the client.
Please share the output, that might help.
Also make sure that these are in place (iPhones seem to require this and I didn't see it confirmed yet):
config user setting
set auth-secure-http enable
end
- Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I have "set auth-secure-http enable" here is the output from openssl:
Can see an error "Verify return code: 20 (unable to get local issuer certificate)"
C:\Users\XXXXXXj>openssl s_client -connect myfacfqdn:443
Connecting to 10.31.1.212
CONNECTED(0000015C)
depth=2 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Ce
rtificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.god
addy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 CN=myfacfqdn
verify return:1
---
Certificate chain
0 s:CN=myfacfqdn
i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godadd
y.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Feb 19 18:35:11 2025 GMT; NotAfter: Mar 23 18:35:11 2026 GMT
1 s:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godadd
y.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certi
ficate Authority - G2
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: May 3 07:00:00 2011 GMT; NotAfter: May 3 07:00:00 2031 GMT
2 s:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certi
ficate Authority - G2
i:C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authori
ty
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Jan 1 07:00:00 2014 GMT; NotAfter: May 30 07:00:00 2031 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
REMOVED CERT
-----END CERTIFICATE-----
subject=CN=myfacfqdn
issuer=C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.goda
ddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Peer Temp Key: X25519, 253 bits
---
SSL handshake has read 4725 bytes and written 1630 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: BDD570DD7FCBDF286CFC66C801995A409C9D64C2814EBB3DFA7C9AA134D62533
Session-ID-ctx:
Resumption PSK: 5A307FFBB8E01A6F9B3672B31BCD08B4D53755CB8DBD683FB9A622220739
8D86
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0010 - ce 42 3c 1e 71 07 d3 34-10 4a 98 e9 82 fb c3 91 .B<.q..4.J......
0020 - 05 3f 07 ce c9 7b df 2b-0a 1c ce 69 fb 54 5f 96 .?...{.+...i.T_.
0030 - 7a 57 7b e0 df 72 99 35-ab 60 9b 0f 94 45 41 e9 zW{..r.5.`...EA.
0040 - 3a f0 b5 11 e2 4a f1 61-d1 53 9c 2f 15 29 89 b2 :....J.a.S./.)..
0050 - 21 4b c2 1e f1 f6 be 14-a4 2b d0 ec a4 38 d2 52 !K.......+...8.R
0060 - e0 11 30 ec c3 95 37 0d-d5 93 3c 7a 28 99 8d d3 ..0...7...<z(...
0070 - fe 19 a1 4e 85 67 cb cb-32 8d 67 8d b8 9c 0d 69 ...N.g..2.g....i
Start Time: 1760443305
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have nothing on that setting.
- « Previous
- Next »
Labels
-
FortiGate
10,749 -
FortiClient
2,197 -
FortiManager
901 -
5.2
687 -
FortiAnalyzer
687 -
5.4
638 -
FortiSwitch
593 -
FortiClient EMS
578 -
FortiAP
567 -
IPsec
438 -
6.0
416 -
SSL-VPN
390 -
FortiMail
378 -
5.6
362 -
FortiNAC
295 -
FortiWeb
256 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
202 -
FortiAuthenticator
182 -
FortiGuard
160 -
5.0
152 -
Firewall policy
147 -
FortiGate-VM
139 -
6.4
128 -
FortiCloud Products
118 -
FortiToken
114 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
91 -
Customer Service
88 -
FortiProxy
79 -
SAML
77 -
ZTNA
77 -
Routing
76 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
BGP
72 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
68 -
RADIUS
63 -
LDAP
63 -
FortiLink
58 -
SSO
57 -
NAT
55 -
FortiSandbox
53 -
FortiExtender
52 -
VDOM
50 -
4.0MR3
49 -
Interface
49 -
Application control
48 -
FortiDNS
43 -
Virtual IP
43 -
Logging
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
SSL SSH inspection
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
34 -
FortiWAN
31 -
FortiConverter
31 -
API
29 -
FortiGate v5.2
28 -
Traffic shaping
26 -
Static route
26 -
Fortigate Cloud
25 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
20 -
OSPF
20 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSoar
18 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
FortiAP profile
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2674 | |
| 1410 | |
| 810 | |
| 701 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.