Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rzanella
New Contributor III

Created on ‎11-05-2024 01:16 AM Edited on ‎11-05-2024 01:17 AM

Certificate error message when device is redirect to Captive portal

I managed to manually install on a PC to test the Persistent Agent. Now I can register the PC but I still have a problem: when I open the browser I get the message that I have to register. Before reaching the registration page I am informed that the connection is not secure. (NET::ERR_CERT_AUTHORITY_INVALID).

Once I accept the risk I can register. For authentication I use the domain user.
I also find log messages in the Persistent Agent logs:

2024-10-28 09:59:17 UTC :: peer CommonName = bradfordnetworks.com
2024-10-28 09:59:17 UTC :: Checking Peer name fortinac.mydomain.com against Common or Subject-alternative-name entry bradfordnetworks.com
2024-10-28 09:59:17 UTC :: Peer name "fortinac.mydomain.com" doesn't match "bradfordnetworks.com"
2024-10-28 09:59:17 UTC :: Refusing to connect to trust_DISTRUSTED fortinac.it-present.com|bradfordnetworks.com|09:6e:cf:15:bd:ea:b9:1e:26:21:75:d5:86:9a:8e:37:15:f5:d4:a9
2024-10-28 09:59:17 UTC :: Connection failed! 1


I installed the certificates as trusted.

I searched the documentation but was unable to resolve the issue.

 

Thanks in advance.

Labels:
303
0 Kudos
1 Solution
scitlak
Staff
Staff
In response to rzanella

Created on ‎11-05-2024 06:28 AM

Hi,

 

You may use the same certificate for all of them or you may generate different certificates for each of them. 

Especially for the portal, if you would like to guest registration, it would be better to have a publicly signed certificate. As I mentioned, you may use the same certificate for all of them.

 

BRs

 

 

 

View solution in original post

228
4 REPLIES 4
scitlak
Staff
Staff

Created on ‎11-05-2024 04:37 AM

Hello,

 

You probably use the default TLS certificate for your Persistent Agent in FortiNAC.

 

According to logs, PA tries to establish an SSL/TLS handshake with your FortiNAC but it fails since the FQDN is not in the CN or SAN of your Certificate.

 

Your FortiNAC FQDN should be in the Certificate`s SAN or CN. (in your case fortinac.mydomain.com).

 

You need to create a certificate for your FortiNAC persistent Agent with the appropriate CN or SAN.

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-How-to-generate-and-install-SSL-certificate...
05.11.2024_13.36.33_REC.png

 

BRs

 

 

 

259
0 Kudos
rzanella
New Contributor III
In response to scitlak

Created on ‎11-05-2024 05:16 AM Edited on ‎11-05-2024 05:44 AM

Hello,

My IT colleagues provided me with certificates (file extension: p7b) which I successfully imported into Trusted Certificates.
I thought that was enough.

 

Do I therefore have to have 3 certificates generated? 1 for Persistent Agent, 1 for Admin UI and 1 for portal?

242
0 Kudos
scitlak
Staff
Staff
In response to rzanella

Created on ‎11-05-2024 06:28 AM

Hi,

 

You may use the same certificate for all of them or you may generate different certificates for each of them. 

Especially for the portal, if you would like to guest registration, it would be better to have a publicly signed certificate. As I mentioned, you may use the same certificate for all of them.

 

BRs

 

 

 

229
rzanella
New Contributor III
In response to scitlak

Created on ‎11-05-2024 07:10 AM

Thanks,

I wil start to create a certificate for Persistent Agent. 

222
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.