tva79
New Contributor

Captive portal attached to an interface, but after authentication the browser goes into a loop

Hi all,

I have attached a Captive Portal to my LAN interface with local group authentication.

From a PC client, when I open the browser to type in any website, the Fortinet login appears (correct).

I enter my username and password (correct).

The FortiGate accepts my credentials, because I can see my user under "Monitor" -> "Firewall User Monitor" (correct).

The problem comes now: in the address bar of the browser I can see a continuous loop of the address:

http://172.16.0.X/fgtauth?092321232323cdw2

http://172.16.0.X/fgtauth?021372123435ed82

http://172.16.0.X/fgtauth?010032723341c889

http://172.16.0.X/fgtauth?0933423487fd0fc44

and the website that I asked for doesn't open.

Also, if I open another tab in Chrome, I can see the same loop, with the magic token changing continually.

Can I solve or debug this big problem?

I haven't found any documentation about diagnostics for the Captive Portal feature.

Thanks!

Andrea

garylau
New Contributor

After upgrading to FortiOS v6.0, I also face your problem.

My environment is Notebook > WiFi AP > FW.

After a user logs in successfully (IE, Chrome, Firefox), the number at the end of the link path changes continuously.

http://172.16.0.X/fgtauth?040b0181b0ea850a

http://172.16.0.X/fgtauth?xxxxxxxxxxxxxxxxx

Is there any change in FortiOS v6.0? Or bugs?

TuncayBAS

maybe bug.

update to 6.0.3

Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
garylau

Thanks~

But already in FortiOS v6.0.3

IOS
New Contributor

Hello friends,

I also have the same problem.

I haven't found the solution yet.

SteveRoadWarrior
New Contributor III

same here. we use this more than you'd think to provide limited access to back end systems.

any leads on workarounds?

thende

Hi guys.

I've fixed it with the following:

config user setting
    set auth-src-mac disable
end

I think that by default Fortigate will also check on the MAC address of the client trying to authenticate and if the client is behind a router before reaching the firewall the loop is the behavior we'll see. That setting above disables it.

garylau
New Contributor

Thanks thende

Fixed. It works for me~

Fortinotbad

Hey guys,

I need to warm up this thread a little bit.

In our company we are running a cluster of 2 Fortigate 800D running 6.0.5 with FSSO configured (preferred method of authentication) and an LDAP user authentication as a fallback solution in case the FSSO doesn't work.

Now we are facing a similar issue like the thread starter when some (randomly picked) users are authenticating against LDAP over the captive portal. The users try to access the internet, LDAP authentication page appears, users type in their valid user credentials and press enter. Now the authentication keepalive is active and they should be able to browse the internet by opening a new tab/window. Unfortunately, doing so results in the very same authentication keepalive page opening up over and over again with every new tab. Accessing the internet isn't possible this way.

Now the solution mentioned by thende seems just to be the way to go for me but I'm a little afraid to enter this command as I am unaware of the impact it would have. Currently we have roughly 1,900 authenticated users passing through the firewall and I'd really like to avoid kicking all of them out by entering this command ;)

Long story short: What kind of impact can be expected by entering this command in total?

Since we upgraded from 5.4.10 to 5.6.9 to 6.0.5 in one day only two weeks ago and "set auth-src-mac" was disabled all the time in our previous running version 5.4.10, I don't think I would disable a very important feature. Nevertheless I'd like to know as much as possible about the expected impact on the users and the whole Fortigate cluster.

Really appreciate your input, thanks a lot and best regards!


Alivo__FTNT

auth-src-mac > Source MAC check for firewall authentication as an enhancement of security. It is not compulsory.

It can cause issues described above if source MAC is changed after authentication. This would occur on hosts that don't have FortiGate as their gateway. I can't see any negative impact on user experience after disabling this option.

livo
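
The behaviour described by thende and Alivo above, as an added example that is not part of any post and is not FortiOS code: a simplified model of a portal session table with an optional source-MAC check. The class and function names, the client IP and both MAC addresses are constructed assumptions.

```python
# Simplified model (an assumption, not FortiOS code) of a captive-portal
# session table with an optional source-MAC check like auth-src-mac.
from dataclasses import dataclass, field

CLIENT_IP = "172.16.0.50"        # constructed client address
LOGIN_MAC = "02:00:00:00:00:0a"  # constructed: source MAC seen on the login request
LATER_MAC = "02:00:00:00:00:0b"  # constructed: source MAC seen on later requests


@dataclass
class PortalModel:
    check_src_mac: bool = True                     # models "set auth-src-mac enable"
    sessions: dict = field(default_factory=dict)   # source IP -> MAC seen at login

    def login(self, ip: str, mac: str) -> None:
        """Record a successful portal login and the MAC it arrived from."""
        self.sessions[ip] = mac

    def handle(self, ip: str, mac: str) -> str:
        """Return 'allow' or 'redirect' (back to the portal) for one request."""
        known_mac = self.sessions.get(ip)
        if known_mac is None:
            return "redirect"                      # never authenticated
        if self.check_src_mac and mac != known_mac:
            return "redirect"                      # IP matches, MAC does not
        return "allow"


def simulate(check_src_mac: bool) -> dict:
    """Log in once, then browse with the same MAC and with a changed MAC."""
    portal = PortalModel(check_src_mac=check_src_mac)
    portal.login(CLIENT_IP, LOGIN_MAC)
    return {
        "listed_in_monitor": CLIENT_IP in portal.sessions,
        "same_mac": portal.handle(CLIENT_IP, LOGIN_MAC),
        "changed_mac": [portal.handle(CLIENT_IP, LATER_MAC) for _ in range(3)],
    }


if __name__ == "__main__":
    for enabled in (True, False):
        state = "enable" if enabled else "disable"
        print(f"auth-src-mac {state}: {simulate(enabled)}")
```

With the check enabled, the model keeps the user listed as authenticated while every request with the changed MAC is sent back to the portal, which matches the loop reported in the thread. With it disabled, the session is matched on source IP alone, which is the security trade-off behind Alivo's "enhancement of security".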
