Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
VirgilW
New Contributor

Captive portal Authentication with Google

I am trying to configure an Captive Portal employee SSID on a Fortigate 60F that would allow users to sign-in with their Google Workspace email address to sign them in. Is it possible? Any help would be appreciated. We don't have FortiAuthenticator so option will not work for us. FortiGate FortiManager 

6 REPLIES 6
dbu
Staff
Staff

Hi @VirgilW ,

Have a look at this article and let me know if this is the solution you are looking for. 

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-Wi-Fi-configuration-with-Google-...

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
Emandel
New Contributor II

Hi! I have the same scenario and I have a problem that I couldn't resolve.

 

I allowed Google-Web services for the login, but this allow the access to connectivitycheck.gstatic.com too. So, Android phones not know that they have to login in captive portal.

 

I tried some configurations: blocking URL, changing DNS resolutions, etc, but couldn't resolve that. Could you?

dbu

Hi @Emandel ,

I am not sure what do you mean with "allow the access to connectivitycheck.gstatic.com too. So, Android phones not know that they have to login in captive portal.

Can you try with a different browser on your android phone ?


Usually, errors happen due to misconfiguration. Verify your configuration with the link above and try to run the debugs at the end of the article as you might understand more about the issue of failure.  

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
Emandel
New Contributor II

Hi! Thanks for your answer.

The problem is Android phones check Internet connectivity doing a GET to http://connectivitycheck.gstatic.com/generate_204.

- If it returns OK, it means the wifi network is working OK (Android says "Connected")

- If it returns a redirect (302), it means the wifi network is forwarding to a captive portal (the mobile phone detects that you have to login and says "Sign in to network")

- If it hasn't response, it means there isn't connectivity ("Connected without Internet")

 

If you allow the "Google-Web" Internet Service, you are allowing this GET too... so, Android doesn't know that you have to sign in and says "Connected". The users connect to the network and don't know they haven't Internet until they want to navigate. Certainly, they try to navigate on HTTPS pages, which causes the redirection to the captive portal to warn of an invalid certificate. If only Android could natively open the portal, this wouldn't happen.

 

I tried denying the destination with a FQDN Address but the IP address is shared with accounts.google.com and users can't login.

dbu

Thank you for clarifying. 

It looks like when the google authentication policy is enabled it overlaps with some FQDN that android needs to check regarding the captive portal. 
If android in your case is using HTTP to perform his checks you can try a possible workaround to specify only "HTTPS" on the Google's authentication policy and see the behavior.

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
Emandel
New Contributor II

Hi, thank you very much! Finally I tried creating the policy allowing *.google.com and *.gstatic.com only with HTTPS service. This worked very good!!

 

Thank you very much

Labels
Top Kudoed Authors