Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
naltakeb
New Contributor

Captive Portal issue for Users Over Site to Site IPSec VPN

 

branch user --> 80F FW ==> IPSEC VPN ==> 1100E FW ==> Captive Portal ==> Internet

 

Common issue with the example scenario:

A common issue when configuring Captive Portal for this sample scenario is that Captive Portal does not work perfectly for vpn users behind 80F FW that come over the site-to-site IPSec vpn to the 1100E FW in order to access the internet. Common symptoms are:

  • Site-to-site vpn is up and working
  • Captive Portal works perfectly for local users behind 1100E FW
  • Captive Portal works for local users behind 80F FW but some image on Web Captive Portal do not appear perfectly 
2 REPLIES 2
sharmaj
Staff
Staff

Hello,

 

Regarding this:

  • Captive Portal works for local users behind 80F FW but some images on Web Captive Portal do not appear perfectly 

Is it only about image not being appearing perfectly or the user does not get to authenticate as well?

 

If it is about imperfection in the image, please try to inspect by right-clicking on the browser and check under the network tab, reload the page and check if you see any error per se.

Jay sharma
xsilver_FTNT
Staff
Staff

Personally I'm not a big fanboy of a Captive Portals, unless they are there for some reason like Disclaimer page, or email collector on FGT. Especially as they usually affect all the traffic passing through interface and handling exceptions is a bit painful. So I prefer per-policy identity and authentication handling. Which allows me to use stuff like FSSO, auth session inheritance for eg. from VPN so user do not need to authenticate multiple times, etc.

Another thing is that Captive portals are usually on ingress side (as below) not on egress.
Users - PC - Captive portal - interface - FGT...

 

Not sure I'd clearly connect missing images to captive portal. How about to have some more solid proof via debug, at least something like 'flow debug'. Which could be even filtered to specific site or image source, in case the issue is at least somehow reproducible and not completely random and intermittent.

If you have some evidence, then I'd suggest to open TAC ticket on it.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors