New Contributor III

Captive portal issue - fails to open auth page



I carefully read the topics here, but could not find a working solution.

I have a FG-40F test unit, made a vlan on it (99) with pool FG has address
On this vlan I set up captive portal like this:


If I set the DNS service as exempt here, it disappears the next time the interface is opened.

At this stage I use internal users, created on the FG unit.
DNS is set = Same as interface IP, so I assume it is
I also added a policy for DNS to go outside for unauthorized users (src=vlan, dst = wan):


Also I made a Let's Encrypt certificate for this domain and made a static DNS entry:


The problem is that it behaves differently on different types of devices, and works only on iPhone, where I can trigger the login window in the browser by opening some websites. On Mac it also sometimes works through the browser.

But on Android I usually see:
1) Message: 

2) If I disable HTTPS authentication, I even see the auth popup on Android, but with no content:

The web page at could not be loaded because:




The questions are:
1) How to see the login page when connecting to wifi on Apple | Android | Windows without any actions, like it usually works? And without opening browsers. The AP is a Unifi configured with a WLAN on VLAN 99, so the device gets DHCP params from the FG fine.
2) How to fix the Let's Encrypt certificate so the portal could work on HTTPS without certificate notices?


Hi Alex

For your first question I think this post can help.


New Contributor

Side note, but Apple tech support is awesome. The person I spoke with was knowledgeable and did a great job helping me troubleshoot. It's really nice being able to just chat with them through iMessage at a moment's notice, I almost can't believe they do it for free considering how in-depth and responsive they were.

New Contributor III

For now I got:
1. Portal can have LE certificate:
config firewall auth-portal
    set portal-addr "fqdn"
end
config user setting
    set auth-secure-http enable
    set auth-cert "LE"
end

2. Also, the logic of checking connectivity by the portal works a bit differently, so some addresses should be opened as exempt-dst:
3. Message:
ERR_NAME_NOT_RESOLVED on Android appears due to DoH. I could disable it only partially; the popup window still produces this message. Also, it is better to disable safe browsing in Chrome :)
So, now I see an empty popup on Apple devices and a DNS error on Android, in the case of popup authentication windows.
4. Authentication works in the browser (Safari / Chrome), but to get a screen with login data you have to input to the address - and this magic works :)
5. When the auth form opens, it looks like a popup with just login and password, but without the design it normally has. I do not understand why.
I will check a couple of things later.
But this anyway looks very strange, since it is also impossible to use DNS redirection, which is available even on many much cheaper Mikrotik devices.
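
A client-side check for item 1 above, as an added example that is not part of the thread: run from a device on the portal VLAN, it reports whether the portal FQDN resolves to the FortiGate interface and whether the certificate served there chains to a trusted CA and names that FQDN. The function names, `portal.example.com` and `192.0.2.1` are placeholders, and port 1003 is assumed to be the unit's HTTPS authentication port.

```python
import socket
import ssl

def name_matches(pattern: str, host: str) -> bool:
    """Compare a certificate dNSName with a host: exact, or one leftmost '*' label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard covers exactly one label and never the bare parent domain.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def cert_covers(cert: dict, host: str) -> bool:
    """True if the DNS SANs of an ssl getpeercert() dict cover host."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(name_matches(s, host) for s in sans)

def check_portal(fqdn: str, interface_ip: str, port: int = 1003) -> list:
    """Return the problems a client on the portal VLAN would run into."""
    problems = []
    try:
        resolved = {ai[4][0] for ai in socket.getaddrinfo(fqdn, port, socket.AF_INET)}
    except socket.gaierror as exc:
        return [f"DNS: {fqdn} does not resolve ({exc})"]
    if interface_ip not in resolved:
        problems.append(f"DNS: {fqdn} -> {sorted(resolved)}, expected {interface_ip}")
    ctx = ssl.create_default_context()   # chain is still verified
    ctx.check_hostname = False           # name is compared below, reported separately
    try:
        with socket.create_connection((interface_ip, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
        if not cert_covers(cert, fqdn):
            problems.append(f"TLS: certificate SANs do not cover {fqdn}")
    except ssl.SSLCertVerificationError as exc:
        problems.append(f"TLS: untrusted certificate ({exc.verify_message})")
    except OSError as exc:
        problems.append(f"TCP/TLS: cannot reach {interface_ip}:{port} ({exc})")
    return problems

if __name__ == "__main__":
    # Placeholder values: use the portal-addr FQDN and the VLAN interface IP.
    for line in check_portal("portal.example.com", "192.0.2.1") or ["OK"]:
        print(line)
```

An empty result means a browser redirected to the FQDN should show no certificate notice; a name mismatch here is what a client sees when it is redirected to an address the certificate does not name.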

