Captive Portal - Account Delivery of Guest credentials
I have a working (99%) captive portal. The user gets a captive portal registration page, fills in a few details and then it is set for admin approval. The problem is, the user never gets sent the random password?
I have left the admin email address out of this screenshot, but my understanding is that the admin gets an email to say "approve" and then the details get emailed to the guest?
When I hover over the "Account Delivery options available to the user" it says "Account information can not be displayed when admin approval is required".
Does this mean, as soon as the admin approves, they have access? How would they know what the random password is? Very confusing!
Thanks
Labels: FortiAuthenticator
The reason I say that about the latter is that all a threat actor needs to do is stand up an AP with a honeypot that mimics your captive portal's login screen, and then goes to a page that says, "Oops, something went wrong. Click here to try again" and they can harvest AD credentials.
That doesn't answer either of my questions? How should this be set up?
After the approval, the guest should receive their credentials via email or SMS, as also shown here: 'The Display on browser page option is only available if administrator approval is not required'.
Is the SMTP server currently configured in FAC? There are some SMTP servers that restrict the relay functions for external domains.
If you have found a solution, please like and accept it to make it easily accessible for others.
Yes, it's set to "email" and he did get an email about 10 minutes later! I wonder if SMS is quicker?
I can see he registers, gets put into the "GUEST" group on the FAC, and the FortiGate uses that group "remote server group" to authenticate, but the FAC logs show the error "Authentication failed: NAS cannot find user realm". The realm is set to local, where the guest group is!
I think that the delay is added by the mail server or any email security in between. You can check from the FAC logs, the network or on the server side; the email should leave FAC quickly.
I think that you shouldn't configure 'Restricted to Groups' in FGT in this case.
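One way to carry out the server-side check suggested in the reply above, as an added example that is not part of the thread or any Fortinet tooling: read the `Received` headers of the delivered credential email to see which hop added the delay. The hostnames, addresses and timestamps in the sample are constructed.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: headers of a guest-credential mail as seen in the guest's mailbox.
SAMPLE = """\
Received: from filter.example.net (filter.example.net [192.0.2.20])
\tby mx.guest-mail.example (Postfix) with ESMTPS id 3C
\tfor <guest@guest-mail.example>; Tue, 05 Mar 2024 10:12:41 +0000
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby filter.example.net with ESMTP id 2B;
\tTue, 05 Mar 2024 10:12:38 +0000
Received: from fac.example.net (fac.example.net [192.0.2.5])
\tby relay.example.net with ESMTP id 1A;
\tTue, 05 Mar 2024 10:02:07 +0000
Date: Tue, 05 Mar 2024 10:02:05 +0000
From: portal@example.net
To: guest@guest-mail.example
Subject: Guest account details

(body omitted)
"""

def hop_delays(raw):
    """Return [(accepting_host, seconds_since_previous_stamp), ...], oldest hop first."""
    msg = message_from_string(raw)
    prev = parsedate_to_datetime(msg["Date"])  # stamped by the sending system
    hops = []
    # Each relay prepends its Received line, so reverse for chronological order.
    for hdr in reversed(msg.get_all("Received", [])):
        parts = hdr.rsplit(";", 1)
        if len(parts) != 2:
            continue  # malformed Received line without a timestamp
        stamp = parsedate_to_datetime(parts[1].strip())
        m = re.search(r"\bby\s+(\S+)", hdr)
        host = m.group(1) if m else "unknown"
        # A large value means the mail waited that long before this host accepted
        # it, i.e. it was queued on, or held by, the previous hop.
        hops.append((host, int((stamp - prev).total_seconds())))
        prev = stamp
    return hops

def slowest_hop(raw):
    """Return the (host, seconds) pair with the largest gap."""
    return max(hop_delays(raw), key=lambda h: h[1])
```

The gaps depend on each server's clock, so small or negative values usually indicate clock skew rather than real transit time.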
OK, that is something I need to look at; the delay is not acceptable. What about:
I can see he registers, gets put into the "GUEST" group on the FAC, and the FortiGate uses that group "remote server group" to authenticate, but the FAC logs show the error "Authentication failed: NAS cannot find user realm". The realm is set to local, where the guest group is! Any idea?
Thanks