Hello,
I read carefully topics here, but could not find working solution.
I have a FG-40F test unit, made a VLAN on it (99) with pool 192.168.200.0/24; the FG has the 192.168.200.1 address.
On this vlan I set up captive portal like this:
If I set DNS service as exempt here, it disappears on the next opening of the interface.
On this stage I use internal users, created on FG unit.
DNS is set = Same as interface IP, so I assume it is 192.168.200.1
I also added a policy for DNS to go outside for unauthorized users (src=vlan, dst = wan):
Also I made a letsencrypt certificate for this domain and made a static dns entry:
The problem is that on different types of devices it operates in a different way, but it works only on iPhone, where I can trigger the appearance of the login window in the browser by opening some websites. On Mac it is also sometimes working through the browser.
But on Android I usually see:
1) Message:
ERR_NAME_NOT_RESOLVED
2) If I disable https authentication, I even see the auth popup on Android, but with no content:
The web page at http://192.168.200.1:1000/fgtauth?02070a9b050b7540 could not be loaded because:
net::ERR_HTTP_RESPONSE_CODE_FAILURE
The questions are:
1) How to see the login page by connecting to wifi on Apple | Android | Windows without any actions, like it usually works? And without opening browsers. As an AP there is a Unifi configured with a WLAN on VLAN 99, so the device gets DHCP params from the FG fine.
2) How to fix Letsencrypt certificate so portal could work on https without certificate notices?
Hi Alex
For your first question I think this post can help.
https://community.fortinet.com/t5/Support-Forum/Active-portal/td-p/303069
Side note, but Apple tech support is awesome. The person I spoke with was knowledgeable and did a great job helping me troubleshoot. It's really nice being able to just chat with them through iMessage at a moment's notice, I almost can't believe they do it for free considering how in-depth and responsive they were.
For now I got:
1. Portal can have LE certificate:
config firewall auth-portal
set portal-addr "fqdn"
end
config user setting
set auth-secure-http enable
set auth-cert "LE"
end
2. Also the logic of checking connectivity by the portal works a bit differently, so some addresses should be opened as exempt-dst: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Stop-the-captive-portal-triggering-i...
3. Message:
ERR_NAME_NOT_RESOLVED on ANDROID appears due to DoH. I could disable it only partially, the popup window still produces this message. Also it is better to disable safe browsing in Chrome :)
So, now I see an empty popup on Apple devices and a DNS error on Android, in the case of popup authentication windows.
4. Authentication works in the browser (Safari / Chrome), but to get a screen with login data you have to enter the address 255.255.255.0, and this magic works :)
5. When the auth form opens, it looks like a popup with just login and password, but no design like it normally has. I do not understand why.
Will check a couple of things later
But this anyway looks very strange, as it is also impossible to use DNS redirection, like even many much cheaper Mikrotik devices do.
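A small diagnostic for the "portal triggers on iPhone but not on Android/Windows" symptom in this thread, written here as an added example (not the poster's or Fortinet's code). Each client OS decides whether a network is captive by fetching a fixed probe URL and comparing the reply with what it expects; the probe hostnames and expected replies below come from general knowledge of those OSes, and the `/fgtauth` redirect path is taken from the error shown in the original post. Run it from a client on VLAN 99 before authenticating to see which probes the FortiGate actually intercepts, which ones leak (exempt-dst too wide) and which fail at DNS.

```python
"""Check how the OS captive-portal probes behave from a client on the VLAN."""
import urllib.request
import urllib.error

# Probe URL each OS fetches, with the status and body it expects when the
# internet is reachable. A redirect to the FortiGate fgtauth page makes the OS
# pop up the portal; the expected reply means "no portal"; anything else (empty
# 200, 5xx, DNS failure) usually makes the OS give up silently.
PROBES = {
    "apple":   ("http://captive.apple.com/hotspot-detect.html", 200, b"Success"),
    "android": ("http://connectivitycheck.gstatic.com/generate_204", 204, b""),
    "windows": ("http://www.msftconnecttest.com/connecttest.txt", 200, b"Microsoft Connect Test"),
}

def classify(os_name, status, location, body):
    """Interpret one probe reply: 'portal', 'internet', 'dns_error' or 'unexpected'."""
    _, want_status, want_body = PROBES[os_name]
    if status is None:
        return "dns_error"       # name did not resolve (cf. ERR_NAME_NOT_RESOLVED)
    if status in (301, 302, 303, 307) and location and "/fgtauth" in location:
        return "portal"          # FortiGate intercepted the probe: OS shows the login
    if status == want_status and want_body in body:
        return "internet"        # probe reached the real server: OS sees no portal
    return "unexpected"          # e.g. empty 200 or HTTP error: OS may stay silent

def fetch(url, timeout=5):
    """Fetch a probe without following redirects; returns (status, location, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None          # turn the 302 into an HTTPError we can inspect
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read()
    except urllib.error.URLError:
        return None, None, b""   # DNS failure or connection refused

def run_probes(fetcher=fetch):
    """Run every probe through `fetcher` and return {os_name: verdict}."""
    return {name: classify(name, *fetcher(url)) for name, (url, _, _) in PROBES.items()}

if __name__ == "__main__":
    for name, verdict in run_probes().items():
        print(f"{name:8s} {verdict}")
```

If a probe reports "internet" while unauthenticated, that destination is reachable through a policy or exemption and the OS will never open the portal for it; "dns_error" means the client cannot resolve the probe host at all, which matches the Android behaviour described above.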