Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Captive portal Authentication with Google
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Captive portal Authentication with Google
I am trying to configure an Captive Portal employee SSID on a Fortigate 60F that would allow users to sign-in with their Google Workspace email address to sign them in. Is it possible? Any help would be appreciated. We don't have FortiAuthenticator so option will not work for us. FortiGate FortiManager
FortiGate
FortiGate
FortiManager
FortiManager
Labels:
- Labels:
-
FortiGate
-
FortiManager
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @VirgilW ,
Have a look at this article and let me know if this is the solution you are looking for.
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you think I could replace the SSID IP Interface (SP) with the IP address on the Internal Facing Interface and turn on the Captive portal on that, and then Google SAML SSO will because the captive portal for ALL users hitting that interface (SP)? That way, all users who are part of a Google group are automatically authenticated with a Security Profile applied to those groups, which means they could then get different security. I could also exempt any devices that I want to have internet access no matter what. That way, I am applying different levels of a security profile, for instance, Student and Staff groups, once authenticated (And since Google is the SAML SSO if they are already logged in, they just get their security profile based on their group), and then all exempt Subnets get approval. I think switching it this way is possible, but I just want to conform.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi! I have the same scenario and I have a problem that I couldn't resolve.
I allowed Google-Web services for the login, but this allow the access to connectivitycheck.gstatic.com too. So, Android phones not know that they have to login in captive portal.
I tried some configurations: blocking URL, changing DNS resolutions, etc, but couldn't resolve that. Could you?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Emandel ,
I am not sure what do you mean with "allow the access to connectivitycheck.gstatic.com too. So, Android phones not know that they have to login in captive portal."
Can you try with a different browser on your android phone ?
Usually, errors happen due to misconfiguration. Verify your configuration with the link above and try to run the debugs at the end of the article as you might understand more about the issue of failure.
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi! Thanks for your answer.
The problem is Android phones check Internet connectivity doing a GET to http://connectivitycheck.gstatic.com/generate_204.
- If it returns OK, it means the wifi network is working OK (Android says "Connected")
- If it returns a redirect (302), it means the wifi network is forwarding to a captive portal (the mobile phone detects that you have to login and says "Sign in to network")
- If it hasn't response, it means there isn't connectivity ("Connected without Internet")
If you allow the "Google-Web" Internet Service, you are allowing this GET too... so, Android doesn't know that you have to sign in and says "Connected". The users connect to the network and don't know they haven't Internet until they want to navigate. Certainly, they try to navigate on HTTPS pages, which causes the redirection to the captive portal to warn of an invalid certificate. If only Android could natively open the portal, this wouldn't happen.
I tried denying the destination with a FQDN Address but the IP address is shared with accounts.google.com and users can't login.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for clarifying.
It looks like when the google authentication policy is enabled it overlaps with some FQDN that android needs to check regarding the captive portal.
If android in your case is using HTTP to perform his checks you can try a possible workaround to specify only "HTTPS" on the Google's authentication policy and see the behavior.
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, thank you very much! Finally I tried creating the policy allowing *.google.com and *.gstatic.com only with HTTPS service. This worked very good!!
Thank you very much
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello again, just wanted to mention that I was having some issues with certain devices (Mac and Chromebook). Using an old FortiAuthenticator documentation, I seem to have found the ultimate solution:
- Firewall policy allowing DNS request
- Firewall policy allowing HTTPS service to the next destinations:
- www.googleapis.com
- accounts.google.com
- ssl.gstatic.com
- fonts.gstatic.com
- 172.217.9.0/24
- 216.58.192.0/19
- accounts.google.com.ar (because I am from Argentina)
We are still testing, but it seems to be working fine now!!
Hopefully, it will be useful to someone.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Problem with Configure SAML SSO for... 204 Views
- Captive portal issue 2513 Views
- FortiNAC Captive Portal using Azure AD... 670 Views
- FORTIGATE SESSION BASED AUTHENTICATION INSTEAD OF... 426 Views
- Fortigate with FortiAuthenticator: 2FA on virtual... 359 Views
Labels
-
FortiGate
8,500 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
309 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.