Hi all,
I have attached a Captive Portal to my LAN interface with a local group authentication.
From a PC client, when I open the browser to type in any website, the Fortinet login appears (correct).
I insert my username and password (correct).
Fortigate accepts my credentials because I can see my user in "Monitor" -> "Firewall User Monitor" (correct).
The problem now is that in the address bar of the browser I can see a continuous loop of the address:
http://172.16.0.X/fgtauth?092321232323cdw2
http://172.16.0.X/fgtauth?021372123435ed82
http://172.16.0.X/fgtauth?010032723341c889
http://172.16.0.X/fgtauth?0933423487fd0fc44
and the website that I asked for doesn't open.
Also, if I open another tab in Chrome, I can see the same loop with the magic token that changes continually.
Can I solve or debug this big problem?
I haven't found any documentation about diagnostics of the Captive Portal feature.
thanks!
Andrea
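One way to spot the redirect loop described in the post above in a browser history or proxy log export, as an added example that is not part of the original thread. The function name, the `min_repeats` threshold and the constructed sample entries are assumptions; the `/fgtauth` path and the four looping URLs are taken from the post.

```python
from urllib.parse import urlsplit

PORTAL_PATH = "/fgtauth"  # portal path as it appears in the URLs in this thread


def find_portal_loops(urls, min_repeats=3):
    """Scan URLs in visit order and return (host, distinct_tokens) for every
    run of consecutive portal redirects whose token keeps changing.
    min_repeats is an assumed threshold, not a FortiOS value."""
    loops, host, tokens = [], None, []

    def flush():
        # A single redirect to the portal is normal; many distinct tokens
        # in a row with no other page in between is the loop symptom.
        if host is not None and len(set(tokens)) >= min_repeats:
            loops.append((host, len(set(tokens))))

    for url in urls:
        parts = urlsplit(url)
        if parts.path == PORTAL_PATH and parts.query:
            if parts.netloc != host:      # run continues only on the same portal host
                flush()
                host, tokens = parts.netloc, []
            tokens.append(parts.query)    # the "magic token" after the '?'
        else:
            flush()                       # any other page ends the run
            host, tokens = None, []
    flush()
    return loops


# Visit order: one normal login (constructed), then the loop quoted in the post.
SAMPLE = [
    "http://172.16.0.X/fgtauth?00aa11bb22cc33dd",   # constructed: normal redirect
    "http://intranet.example/start",                # constructed: page loads
    "http://172.16.0.X/fgtauth?092321232323cdw2",   # from the post
    "http://172.16.0.X/fgtauth?021372123435ed82",   # from the post
    "http://172.16.0.X/fgtauth?010032723341c889",   # from the post
    "http://172.16.0.X/fgtauth?0933423487fd0fc44",  # from the post
]

if __name__ == "__main__":
    for portal_host, count in find_portal_loops(SAMPLE):
        print(f"portal loop on {portal_host}: {count} different tokens in a row")
```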
After upgrading to FortiOS v6.0 I also face your problem.
My environment is Notebook>Wifi AP>FW
After a user logs in successfully (IE, Chrome, Firefox), the number at the end of the link path changes continuously.
http://172.16.0.X/fgtauth?040b0181b0ea850a
http://172.16.0.X/fgtauth?xxxxxxxxxxxxxxxxx
Is there any change in FortiOS v6.0? Or bugs?
Maybe a bug.
Update to 6.0.3.
Thanks~
But I am already on FortiOS v6.0.3.
Hello friends,
I also have the same problem.
I haven't found the solution yet.
Same here. We use this more than you'd think to provide limited access to back end systems.
Any leads on workarounds?
Hi guys.
I've fixed it with the following:
config user setting
    set auth-src-mac disable
end
I think that by default Fortigate will also check the MAC address of the client trying to authenticate, and if the client is behind a router before reaching the firewall, the loop is the behavior we'll see. The setting above disables it.
Thanks thende
Fixed. It works for me~
Hey guys,
I need to warm up this thread a little bit.
In our company we are running a cluster of 2 Fortigate 800D running 6.0.5 with FSSO configured (preferred method of authentication) and an LDAP user authentication as a fallback solution in case the FSSO doesn't work.
Now we are facing a similar issue like the thread starter when some (randomly picked) users are authenticating against LDAP over the captive portal. The users try to access the internet, LDAP authentication page appears, users type in their valid user credentials and press enter. Now the authentication keepalive is active and they should be able to browse the internet by opening a new tab/window. Unfortunately, doing so results in the very same authentication keepalive page opening up over and over again with every new tab. Accessing the internet isn't possible this way.
Now the solution mentioned by thende seems just to be the way to go for me but I'm a little afraid to enter this command as I am unaware of the impact it would have. Currently we have roughly 1,900 authenticated users passing through the firewall and I'd really like to avoid kicking all of them out by entering this command ;)
Long story short: What kind of impact can be expected by entering this command in total?
Since we upgraded from 5.4.10 to 5.6.9 to 6.0.5 in one day only two weeks ago and "set auth-src-mac" was disabled all the time in our previous running version 5.4.10, I don't think I would disable a very important feature. Nevertheless I'd like to know as much as possible about the expected impact on the users and the whole Fortigate cluster.
Really appreciate your input, thanks a lot and best regards!
auth-src-mac > Source MAC check for firewall authentication as an enhancement of security. It is not compulsory.
It can cause the issues described above if the source MAC is changed after authentication. This would occur on hosts that don't have FortiGate as their gateway. I can't see any negative impact on user experience after disabling this option.
livo