rzanella
New Contributor III

Certificate error message when device is redirected to Captive portal

I managed to manually install on a PC to test the Persistent Agent. Now I can register the PC but I still have a problem: when I open the browser I get the message that I have to register. Before reaching the registration page I am informed that the connection is not secure (NET::ERR_CERT_AUTHORITY_INVALID).

Once I accept the risk I can register. For authentication I use the domain user.
I also find log messages in the Persistent Agent logs:

2024-10-28 09:59:17 UTC :: peer CommonName = bradfordnetworks.com
2024-10-28 09:59:17 UTC :: Checking Peer name fortinac.mydomain.com against Common or Subject-alternative-name entry bradfordnetworks.com
2024-10-28 09:59:17 UTC :: Peer name "fortinac.mydomain.com" doesn't match "bradfordnetworks.com"
2024-10-28 09:59:17 UTC :: Refusing to connect to trust_DISTRUSTED fortinac.it-present.com|bradfordnetworks.com|09:6e:cf:15:bd:ea:b9:1e:26:21:75:d5:86:9a:8e:37:15:f5:d4:a9
2024-10-28 09:59:17 UTC :: Connection failed! 1


I installed the certificates as trusted.

I searched the documentation but was unable to resolve the issue.

 

Thanks in advance.

scitlak
Staff

Hello,

 

You probably use the default TLS certificate for your Persistent Agent in FortiNAC.

 

According to logs, PA tries to establish an SSL/TLS handshake with your FortiNAC but it fails since the FQDN is not in the CN or SAN of your Certificate.

 

Your FortiNAC FQDN should be in the certificate's SAN or CN (in your case fortinac.mydomain.com).

 

You need to create a certificate for your FortiNAC Persistent Agent with the appropriate CN or SAN.

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-How-to-generate-and-install-SSL-certificate...

 

BRs
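
The name check that the agent log above reports as failing, written out as an added example (not part of the reply and not Fortinet's code). The matching rules are an assumption in the style of RFC 6125, the certificate dictionaries are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the wildcard case goes beyond what the thread discusses.

```python
# Added example: the peer-name check described in the Persistent Agent log.
# Assumption: RFC 6125 style matching; the agent's real rules may differ.

def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive compare; '*' is honoured only as the whole
    left-most label and never spans more than one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """Collect SAN dNSName entries, then subject CN values."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names


def check_peer(peer: str, cert: dict):
    """Return (matched, names_checked) for the FQDN the agent connects to."""
    names = cert_names(cert)
    return any(name_matches(n, peer) for n in names), names


# Constructed sample certificates (not real certificate data).
DEFAULT_CERT = {"subject": ((("commonName", "bradfordnetworks.com"),),)}
FIXED_CERT = {
    "subject": ((("commonName", "fortinac.mydomain.com"),),),
    "subjectAltName": (("DNS", "fortinac.mydomain.com"),),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.mydomain.com"),)}

if __name__ == "__main__":
    peer = "fortinac.mydomain.com"
    for label, cert in (("default", DEFAULT_CERT), ("fixed", FIXED_CERT),
                        ("wildcard", WILDCARD_CERT)):
        ok, names = check_peer(peer, cert)
        print(f"{label}: {'match' if ok else 'MISMATCH'} {peer} vs {names}")
```
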

 

 

 

rzanella
New Contributor III

Hello,

My IT colleagues provided me with certificates (file extension: p7b) which I successfully imported into Trusted Certificates.
I thought that was enough.

 

Do I therefore have to have 3 certificates generated? 1 for Persistent Agent, 1 for Admin UI and 1 for portal?

scitlak

Hi,

 

You may use the same certificate for all of them or you may generate different certificates for each of them. 

Especially for the portal, if you would like to use guest registration, it would be better to have a publicly signed certificate. As I mentioned, you may use the same certificate for all of them.

 

BRs

 

 

 

rzanella
New Contributor III

Thanks,

I will start to create a certificate for Persistent Agent.
