Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Captive portal and certificates
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Captive portal and certificates
Today, without doing anything my captive portals does not work anymore.
Both IE and Chrome give me a message about wrong certificate but after I force a reconnect I cannot access to login page.
The page seems expired (I think it is really expired because of IE and Chrome reconnection).
With Firefox I can add the exception and after that it works.
I suppose that IE and Chrome stops the session thinking about a Man in the Middle attack and ask me for a confirm. When I confirm they reload the page but the Captive portal session is meantime expired and the page is not reachable.
With Chrome if I try to open a HTTP site without HSTS it works (no man in the middle detection).
My two captive portals work on two private network 10.40.... and 10. 41.... and the portal is in these LAN. How can I solve my problem? I assume the computers connected being guest computer without chance to install some certificate or private CA auth.
Graziano.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We also have the same problem, so many users are complaining. Does anyone have a solution to this?
FG-500D v5.2.3,build670 (GA)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In IE I must insert the site in trusted site and after several attempts (restarting IE) it shows me login page. Then I can login.
But this is a workaround...
Regards,
Graziano.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
somehow I missed this thread. Chrome (and I suppose also others will be following) started to require SAN DNS in certificate for hostname check. In older releases, you can add your own certificate in auth portal (with correct FQDN in cert DNS SAN), or you can use 5.6.x, which will generate auth portal certificate on its own.
Do a simple check: see details of untrusted certificate. If it's missing Subject Alternative Name DNS which matches your auth portal FQDN, then it's this what I am talking about.
Regards,
Fishbone)(
smithproxy hacker - www.smithproxy.org
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Fishbone,
I don't have any FQDN for guest LAN because I cannot access any internal DNS to resolve it. I have setted up two LAN 10.40.X.X and 10.41.0.0 and the client try to connect to 10.40/1.0.1:1003 to authenticate.
The certificates with problems seems to be CA CN=support. The message of Chrome is:
"This CA Root certificates is not trusted because it is not in the trusted root certification Auth store."
After I add it in the Trusted store the browsers tells me the certificates has problem because the hostname differs from website.
But I need this Wifi for Guest. I cannot ask to him to install CA certificate before to connect. I cannot make guest client to connect to my LAN in order to verify the CA.
Do I have to install a real certificates with host-name as the ip?
And can I link to different captive portals in different LAN?
Regards,
Graziano.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Graziano,
guest access... you can't ask folks to install your CA as trusted CA, that's clear. In that case you can't redirect HTTPS internet connection attempts to portal without certificate warning, because the redirection must be inspected, and replaced with redirection to your portal.
I am afraid there is no perfect solution to this.
What you can do is to prevent Fortigate to touch HTTPS at all. You can remove https from:
config user setting set auth-type http https ftp telnet end
... but this will affect whole VDOM.
Alternatively, you can create a new VDOM for guests, and make this change there. Result will be guest timeouts on attempts to access https internet, but it will redirect to portal plain unencrypted http. Not nice, but alternative approach without cert warnings.
Once redirected to portal, you need to trust the HTTPS site (you can use plaintext logon portal, but I guess you don't want it). Because the redirection to IP address would require IP address in certificate and no commercial CA would issue certificate with private IP in SAN, I suggest to: - allow DNS for guests (you can have DNS server on Fortigate, too)
- register some DNS domain with suitable name
- create some A record with suitable name pointing to your private IP address to portal
- buy certificate for that A record FQDN
- install this certificate into Fortigate and use it for portal
=>
Guest access:
1/ https is silent for unauth guests
2/ http access will be redirected to https portal, without cert warnings
3/ guest authenticates
4/ https (and overall internet access) will start to work according to your policies
As I said, not perfect, but for someone better than to see cert warnings. Matter of taste and preference...
hth,
Fishbone)(
smithproxy hacker - www.smithproxy.org
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you can do is to prevent Fortigate to touch HTTPS at all. You can remove https from: config user setting set auth-type http https ftp telnet end ... but this will affect whole VDOM.
This solution satisfies me because I have no other user auth in my LAN. Only this for Guest Wifi LANs.
Thanks.
Regards,
Graziano.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Purchase a trusted certificate or build a Enterprise level PKI on the CN and ALtName most if not every browser is NOT looking at the CN if the AltName is present as said earlier you need to be aware of this.
http://socpuppet.blogspot.com/2017/11/cn-and-subject-alternative-names-in.html
The problem in the op is really at the web-browser and security level. Deploying a proper certificate that's trusted will fix your issues and ensure it's in your trusted store.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i don't fully agree. yes for the eventual page a good certificate helps solving that message.
but for the initial redirect on HTTPS requests there is no solution. you can't provide the correct certificate for the https://www.google.com request which get then redirected to the captive portal page.
you agree emnoc?
it would help if FortiGate would document this well. it isn't there fault or issue, this is just how SSL is supposed to work.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
boneyard wrote:but for the initial redirect on HTTPS requests there is no solution. you can't provide the correct certificate for the https://www.google.com request which get then redirected to the captive portal page.
Is there a way to simply disable the https -> https redirect?
So we get a [link]http://www.google.de[/link] -> [link]https://captiveportalloginpage[/link] without warnings and for [link]https://www.google.de[/link] it just does not connect until the user ist authenticated?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,693 -
FortiClient
1,762 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
431 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1712 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.