fiesta
New Contributor III

Captive Portal Auth but Login to FortiGate Instead 7.0.6

Dear Community,

 

I experienced this weird issue when upgrading to 7.0.6.

Here, basically, any user trying to go to the internet needs to authenticate with the active captive portal; the user will be redirected to http://fgtIPorfgtDomain:1000?tokenxxxxx

or

https://fgtIPorfgtDomain:1003?tokenxxxxx

depending on whether you have HTTP or HTTPS.

 

The weird thing is, it shows the FortiGate admin login page instead of the FortiGate captive portal authentication page, and the weirdest of all is that the user is able to log in, authenticate and enter the FortiGate admin page via the existing configured LDAP.

 


That user is nowhere in the administrators.

 

 

I took notice when a user resolved the IP (because we use a domain when the captive portal shows up) to the FortiGate, which had https, http, ping and ssh enabled in its administrative access, and immediately disabled the https, http and ssh access.

 

Has the community ever experienced this?

Best regards.

FWD~

Anthony_E
Community Manager

Hello fiesta,

 

Thank you for using the Community Forum.

 

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello fiesta,

 

I am still looking for an answer to your question.

Meanwhile, could you please check this document?:

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/5aa2f71c-e133-11ec-bb32-fa163e...

 

Regards,

 

 

Anthony-Fortinet Community Team.
fiesta
New Contributor III

I have read it; it doesn't seem to mention captive portal in the known issues, which is the same as my case. Probably not listed, or maybe not yet known.


Best regards.

FWD~
pminarik
Staff

That seems like some very unfortunate misconfiguration. I would suggest checking the following:
1, Which ports are used for admin access: 

get sys global | grep "admin-port\|admin-sport"

2, Check for any VIPs that might accidentally be redirecting ports 1000/1003 to 80/443:

show firewall vip

show fire vip | grep -f extport

 

Lastly, if an arbitrary LDAP user is able to log into the admin GUI, make sure to review all LDAP groups referenced in your administrator configs. This sounds like one of these groups is very permissive. (perhaps matching anyone in that LDAP?)

[ corrections always welcome ]
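As an added example (not code from the thread or from Fortinet), here is a small Python script that applies the three checks above to a saved configuration dump such as `show full-configuration` output: admin ports colliding with the captive portal ports, port-forwarding VIPs that cover those ports, and LDAP-backed admin accounts that are too permissive. The parser is a minimal one for the `config`/`edit`/`set`/`next`/`end` layout and is not Fortinet's. The sample configuration is constructed, and the setting names it relies on (`admin-port`, `admin-sport`, `auth-http-port`, `auth-https-port`, the `firewall vip` keys `extport`/`mappedport`/`portforward`, the `system admin` keys `remote-auth`/`wildcard`/`remote-group`/`accprofile`, and `user group` with `config match`) are FortiOS names as I know them. The reading that a user group with a remote-server member and no `config match` entry admits any user that server authenticates is an assumption of this example, in line with the reply's "matching anyone in that LDAP" hypothesis.

```python
import shlex

# Constructed sample in FortiOS `show` layout; names, addresses and values are made up.
SAMPLE_CONFIG = """\
config system global
    set admin-port 80
    set admin-sport 443
    set auth-http-port 1000
    set auth-https-port 1003
end
config firewall vip
    edit "captive-redirect"
        set portforward enable
        set extport 1003
        set mappedport 443
    next
end
config user group
    edit "LDAP_ALL"
        set member "corp-ldap"
    next
    edit "LDAP_NetAdmins"
        set member "corp-ldap"
        config match
            edit 1
                set group-name "CN=NetAdmins,OU=Groups,DC=corp,DC=example"
            next
        end
    next
end
config system admin
    edit "helpdesk-ldap"
        set remote-auth enable
        set wildcard enable
        set remote-group "LDAP_ALL"
        set accprofile "super_admin"
    next
    edit "netadmin-ldap"
        set remote-auth enable
        set remote-group "LDAP_NetAdmins"
        set accprofile "prof_admin"
    next
end
"""

def parse_fortios_config(text):
    """`config`/`edit` open a nested table, `set k v...` stores k -> [v...], next/end close it."""
    stack = [{}]
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        if parts[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif parts[0] == "set":
            stack[-1][parts[1]] = parts[2:]
        elif parts[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def first(node, key, default):
    values = node.get(key)  # first value of a `set` key, or the default when absent
    return values[0] if isinstance(values, list) and values else default

def port_in_spec(port, spec):
    lo, _, hi = spec.partition("-")  # spec is "443" or a range such as "1000-1003"
    return int(lo) <= int(port) <= int(hi or lo)

def check_port_collisions(cfg):
    """Captive-portal auth ports that share a number with the admin GUI ports."""
    g = cfg.get("system global", {})
    admin = {first(g, "admin-port", "80"): "admin-port", first(g, "admin-sport", "443"): "admin-sport"}
    return [f"{key} {first(g, key, d)} collides with {admin[first(g, key, d)]}"
            for key, d in (("auth-http-port", "1000"), ("auth-https-port", "1003")) if first(g, key, d) in admin]

def check_vip_redirects(cfg):
    """Port-forwarding VIPs whose external port (or range) covers a captive-portal port."""
    g = cfg.get("system global", {})
    auth_ports = (first(g, "auth-http-port", "1000"), first(g, "auth-https-port", "1003"))
    findings = []
    for name, vip in cfg.get("firewall vip", {}).items():
        extport = first(vip, "extport", "0")
        if first(vip, "portforward", "disable") == "enable" and any(port_in_spec(p, extport) for p in auth_ports):
            findings.append(f"VIP {name!r} forwards external port {extport} to mapped port {first(vip, 'mappedport', '?')}")
    return findings

def check_admin_accounts(cfg):
    """Remote-auth admins using wildcard matching, or whose remote group has no `config match`
    (assumed here to admit any user the member LDAP server authenticates)."""
    groups = cfg.get("user group", {})
    findings = []
    for name, adm in cfg.get("system admin", {}).items():
        if first(adm, "remote-auth", "disable") != "enable":
            continue
        profile = first(adm, "accprofile", "?")
        if first(adm, "wildcard", "disable") == "enable":
            findings.append(f"admin {name!r}: wildcard remote-auth account, profile {profile!r}")
        grp = first(adm, "remote-group", "")
        if grp and not groups.get(grp, {}).get("match"):
            findings.append(f"admin {name!r}: group {grp!r} has no group match, profile {profile!r}")
    return findings

if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    for check in (check_port_collisions, check_vip_redirects, check_admin_accounts):
        print(check.__name__, check(cfg))
```

On the constructed sample the port check comes back clean, the VIP check flags `captive-redirect` (external port 1003 forwarded to 443), and the admin check flags `helpdesk-ldap` twice (wildcard account, and a remote group with no group match) while `netadmin-ldap` passes. Each finding is a configuration line to review by hand, not a verdict; the defaults used when a key is missing from the dump are the ones the checks assume for the unset case.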