Hello,
I read carefully topics here, but could not find working solution.
I have a FG-40F test unit, made a vlan on it (99) with pool 192.168.200.0/24 FG has 192.168.200.1 address
On this vlan I set up captive portal like this:
If I set as excempt DNS service here, it disappears on next interface opening
On this stage I use internal users, created on FG unit.
DNS is set = Same as interface IP, so I assume it is 192.168.200.1
I also added a policy for DNS to go outside for unauthorized users (src=vlan, dst = wan):
Also I made a letsencrypt certificate for this domain and made a static dns entry:
The problem is that on different types of devices it operates different way, but works only on iPhone - when I can by opening some websites trigger appearance of login window in browser to authenticate. On Mac it is also sometimes working through browser.
But on Android I usually see:
1) Message:
ERR_NAME_NOT_RESOLVED
2) In case if I disable https authentication I even see on Android auth popup but with no content:
The web page at http://192.168.200.1:1000/fgtauth?02070a9b050b7540 could not be loaded because:
net::ERR_HTTP_RESPONSE_CODE_FAILURE
The questions are:
1) How to see login page by connecting to wifi on Apple | Android | Windows without any actions, like it works usually? And without opening browsers. As an AP there is Unifi configured with wlan on 99 vlan - so device gets dhcp params from FG well
2) How to fix Letsencrypt certificate so portal could work on https without certificate notices?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Alex
For your first question I think this post can help.
https://community.fortinet.com/t5/Support-Forum/Active-portal/td-p/303069
Side note, but Apple tech support is awesome. The person I spoke with was knowledgeable and did a great job helping me troubleshoot. It's really nice being able to just chat with them through iMessage at a moment's notice, I almost can't believe they do it for free considering how in-depth and responsive they were.
For now I got:
1. Portal can have LE certificate:
config firewall auth-portal
set portal-addr "fqdn"
end
config user setting
set auth-secure-http enable
set auth-cert "LE"
end
2. Also logic of checking connectivity by portal works a bit other way, so there should be opened some addresses as exempt-dst: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Stop-the-captive-portal-triggering-i...
3. Message:
ERR_NAME_NOT_RESOLVED on ANDROID apears due to DoH. I could disable it only partially, popup window still produces this message. Also better is to disable safe browsing in Chrome :)
So, now I see empty popup on Apple devices and DNS Error on Android - in case of popup authentication windows
4. Authentication works in browser (Safari / Chrome) - but to get a screen with login data you have to input to the address 255.255.255.0 - and this magic works :)
5. When auth form opens, it looks like a popup just with login and password, but no design like it has to be normally. Do not understand why
Will check a couple of things later
But this anyway looks very strange as soon as also is impossible to use DNS redirection, like even made on many much cheaper Mikrotik devices
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.