TheOnlyJames
New Contributor III

Captive Portal - Account Delivery of Guest credentials

I have a working (99%) captive portal. The user gets a captive portal registration page, fills in a few details and then it is set for admin approval. The problem is, the user never gets sent the random password?

I have left the admin email address out on this screenshot, but my understanding is, the admin gets an email to say "approve" and then the details get emailed to the guest?

When I hover over the "Account Delivery options available to the user" it says "Account information can not be displayed when admin approval is required".

Does this mean, as soon as the admin approves, they have access? How would they know what the random password is? Very confusing!

Thanks
ryukseo
New Contributor

The reason I say that about the latter is that all a threat actor needs to do is stand up an AP with a honeypot that mimics your captive portal's login screen, and then goes to a page that says, "Oops, something went wrong. Click here to try again" and they can harvest AD credentials.

TheOnlyJames
New Contributor III

That doesn't answer either of my questions? How should this be set up?

ebilcari
Staff

After the approval, guest should receive its credentials via email or SMS as shown also here, 'The Display on browser page option is only available if administrator approval is not required'.

Is the SMTP server currently configured in FAC? There are some SMTP servers that restrict the relay functions for the external domains.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
TheOnlyJames

Yes, it's set to "email" and he did get an email about 10 minutes later! I wonder if SMS is quicker?

I can see he registers, gets put into the "GUEST" group on the FAC, and the Fortigate uses that group "remote server group" to authenticate, but the FAC logs show the error "Authentication failed: NAS cannot find user realm". The realm is set to local, where the guest group is!

ebilcari

I think that the delay is added by the mail server or any email security in between. You can check from the FAC logs, network or on the server side, the email should leave FAC quickly.

I think that you shouldn't configure 'Restricted to Groups' in FGT in this case.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
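
Added example (not part of the forum posts and not Fortinet tooling): one way to see which mail hop introduced the delay discussed above is to compare the timestamps in the delivered message's `Received` headers. The headers below are constructed sample data, and the hostnames and function names are placeholders chosen for illustration.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (invented hostnames and times), newest Received header first.
SAMPLE = """\
Received: from filter.example.test by mx.guest.example.test with ESMTP;
 Mon, 01 Jan 2024 10:09:45 +0000
Received: from relay.example.test by filter.example.test with ESMTP;
 Mon, 01 Jan 2024 10:09:40 +0000
Received: from fac.example.test by relay.example.test with ESMTP;
 Mon, 01 Jan 2024 10:00:02 +0000
Date: Mon, 01 Jan 2024 10:00:01 +0000
Subject: Guest account details

body
"""

def hop_delays(raw):
    """Return [(receiving_host, seconds_since_previous_timestamp), ...] in transit order."""
    msg = message_from_string(raw)
    stamps = []
    for hdr in reversed(msg.get_all("Received", [])):  # oldest hop first
        info, _, date = hdr.rpartition(";")            # the timestamp follows the last ';'
        words = info.split()
        idx = words.index("by") + 1 if "by" in words else len(words)
        host = words[idx] if idx < len(words) else "?"
        stamps.append((host, parsedate_to_datetime(date.strip())))
    if not stamps:
        return []
    # Start from the Date header (when the sender created the mail) if present.
    prev = parsedate_to_datetime(msg["Date"]) if msg["Date"] else stamps[0][1]
    delays = []
    for host, ts in stamps:
        # Each stamp comes from that server's own clock, so small or negative
        # values can be clock skew rather than real queueing time.
        delays.append((host, (ts - prev).total_seconds()))
        prev = ts
    return delays

def slowest_hop(raw):
    """Return the (host, seconds) pair with the largest delay, or None."""
    delays = hop_delays(raw)
    return max(delays, key=lambda h: h[1]) if delays else None

if __name__ == "__main__":
    for host, secs in hop_delays(SAMPLE):
        print(f"{host:28s} +{secs:.0f}s")
```

In the constructed sample the mail leaves the first host within a second and sits for several minutes before the filtering hop stamps it, which is the pattern that would point at a relay or email security layer rather than at the sender.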
TheOnlyJames

OK, that is something I need to look at, the delay is not acceptable. What about:

I can see he registers, gets put into the "GUEST" group on the FAC, and the Fortigate uses that group "remote server group" to authenticate, but the FAC logs show the error "Authentication failed: NAS cannot find user realm". The realm is set to local, where the guest group is! Any idea?

Thanks
