rzanella
New Contributor III

Certificate error message when device is redirected to Captive Portal

I managed to manually install on a PC to test the Persistent Agent. Now I can register the PC but I still have a problem: when I open the browser I get the message that I have to register. Before reaching the registration page I am informed that the connection is not secure. (NET::ERR_CERT_AUTHORITY_INVALID).

Once I accept the risk I can register. For authentication I use the domain user.
I also find log messages in the Persistent Agent logs:

2024-10-28 09:59:17 UTC :: peer CommonName = bradfordnetworks.com
2024-10-28 09:59:17 UTC :: Checking Peer name fortinac.mydomain.com against Common or Subject-alternative-name entry bradfordnetworks.com
2024-10-28 09:59:17 UTC :: Peer name "fortinac.mydomain.com" doesn't match "bradfordnetworks.com"
2024-10-28 09:59:17 UTC :: Refusing to connect to trust_DISTRUSTED fortinac.it-present.com|bradfordnetworks.com|09:6e:cf:15:bd:ea:b9:1e:26:21:75:d5:86:9a:8e:37:15:f5:d4:a9
2024-10-28 09:59:17 UTC :: Connection failed! 1


I installed the certificates as trusted.

I searched the documentation but was unable to resolve the issue.

 

Thanks in advance.

scitlak
Staff

Hello,

 

You probably use the default TLS certificate for your Persistent Agent in FortiNAC.

 

According to logs, PA tries to establish an SSL/TLS handshake with your FortiNAC but it fails since the FQDN is not in the CN or SAN of your Certificate.

 

Your FortiNAC FQDN should be in the certificate's SAN or CN (in your case fortinac.mydomain.com).

You need to create a certificate for your FortiNAC Persistent Agent with the appropriate CN or SAN.

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-How-to-generate-and-install-SSL-certificate...

BRs
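
The name check reported in the Persistent Agent log lines of this thread, reproduced as an added Python example (not part of either post and not FortiNAC's own code). The certificate dictionaries are constructed samples in the layout returned by Python's `ssl.SSLSocket.getpeercert()`, and the wildcard rule is an assumption, not documented agent behaviour.

```python
from __future__ import annotations

# Added example: compare a peer name with a certificate's CN and DNS SAN entries.


def _name_match(pattern: str, host: str) -> bool:
    """Case-insensitive, label-by-label comparison of one certificate name.
    A '*' is honoured only as the whole left-most label (assumed rule)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:] and h_labels[0] != ""
    return p_labels == h_labels


def cert_names(cert: dict) -> list[str]:
    """Collect every commonName and every DNS subjectAltName in the cert."""
    names = [value for rdn in cert.get("subject", ())
             for key, value in rdn if key == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ())
              if kind == "DNS"]
    return names


def check_peer(peer_name: str, cert: dict) -> tuple[bool, list[str]]:
    """Return (matched, names_found) so a mismatch shows what the cert holds."""
    names = cert_names(cert)
    return any(_name_match(n, peer_name) for n in names), names


# Constructed samples: the default certificate named in the log, and a
# reissued one carrying the FortiNAC FQDN in both CN and SAN.
DEFAULT_CERT = {"subject": ((("commonName", "bradfordnetworks.com"),),)}
REISSUED_CERT = {
    "subject": ((("commonName", "fortinac.mydomain.com"),),),
    "subjectAltName": (("DNS", "fortinac.mydomain.com"),),
}

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_CERT), ("reissued", REISSUED_CERT)):
        ok, names = check_peer("fortinac.mydomain.com", cert)
        print(f"{label}: names={names} match={ok}")
```

Importing a CA chain into Trusted Certificates does not change the outcome of this check: the names come from the certificate the server presents, not from the trust store.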

rzanella
New Contributor III

Hello,

My IT colleagues provided me with certificates (file extension: p7b) which I successfully imported into Trusted Certificates.
I thought that was enough.

 

Do I therefore have to have 3 certificates generated? 1 for Persistent Agent, 1 for Admin UI and 1 for portal?
