Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- FortiAuthenticator Guest Captive Portal Cannot be ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiAuthenticator Guest Captive Portal Cannot be reached from Client
Had this working briefly, but somehow , something has changed in the environment, I have followed:
A few tweaks here and there, but essentially, the Client connects to the OPEN ssid, the interface uses system DNS to look up the address of the external portal., then should be able to access the captive portal, this part is completely broken, no traffic arrives at the FAC, meaning the client just cant resolve the FQDN (it used too!) I checked the clients ipconfig, and it gets the right DHCP IP, gateway (Fortigate wifi interface) and correct DNS (it picks up public DNS, but there are DNS-DATABASE entries for the FAC)
there is an EXEMPT captive portal rule, from the GUEST source network, to the FAC on HTTPS, so that it can use the form to register, before browsing. there are no hits on this rule. I have tried everything now, I just dont know what is missing, I tried using interface DNS, system DNS on the WIFI interface, the SSID is correct , open with external captive portal.. the FAC is working as the other WIFI is working as well as SSL VPN users.. any suggestions would be great.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiAuthenticator
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I literally didn't see this in the first posts, but your auth-type is wrong for this use case.
I reproduced your problem in my lab with auth-type = https only. Default includes http and telnet+ftp. You may include http at least here, which leads to triggering the captive portal with HTTP plaintext.
config user setting
set auth-type http https
end
I can add http and my traffic gets redirected, I can remove http and my captive portal detection stops and times out on the detection page.
The setting itself means which protocols will be blocked and redirected by the FortiGate.
Good luck!
Best regards,
Markus
- Markus
51 REPLIES 51
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Yes, client sees SSID, connects to it, gets the correct IP, gateway and interface DNS. no portal triggered, if you browse to a web page to trigger it, it just says "connection is not private in the browser" if you try a http connection, it just times out, WIFI says connected. they can ping the FAC interface via FQDN..
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in reply to your previos comment about DNS. It always has to work and client must be able to resolve stuff. Either through an exemption policy or if the FortiGate is the DNS server.
Regarding this comment here I hijack:
connection isn't private will be expected as FortiGate must block the attempt and it tries to do so by mitm'ing the connection and presenting its own certificate.
The HTTP connection however has to work. If you say "times out" - does it time out when trying to reach that page or by connecting to FortiGate or to FortiAuthenticator? The address bar will be important to see then as it signifies what the browser claims to time out on.
- Markus
Created on 07-14-2025 05:15 AM Edited on 07-14-2025 05:15 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in FAC documentation described in the tutorial, at step 3 :Configuring a captive portal policy on FortiAuthenticator , do you have the exact same SSID configured that the users connect to and it's defined on the FGT ?
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
its a sub string in the policy substring_match ="GUEST" but I dont think its getting that far, the Fortigate needs to interrupt the traffic, but it clearly isn't :(
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I removed the GUEST GROUP from the Web Policy and I can see apple devices using DNS.. they are not authenticated, so don't know how they are using it?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
config firewall auth-portal
set portal-addr "guest.auth.mypublicdomain.com"
end
is required to be the FortiGate, although not intuitive. It affects only redirect #1, that is the articles step 3). And yes, I place a lot of value on that article :)
When you test (and the group is removed from the policy), get a packet capture from the client that contains DNS AND port 443+1003.
diag sniffer packet any 'host <client IP>' 6 0 a
will usually do.
- Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, thats on the Fortigate, always has been. Did some further testing , have removed the Group from the policy. client connects, gets an IP, and can ping the FQDN of the FAC, so this proves the interface DNS is working. Still no portal, installed Firefox when to the portal address http://detectportal.firefox.com and it times out. if the client browses to the portal address, they get the 403 Forbidden error. I am now completely confused as to what is wrong :( I did a diag sniffer packet,on the client address, it shows the ping to the FAC and the failed HTTPS to the portal address, nothing else
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem will then be why the HTTP page times out. FortiGate has to block it and answer it. The rest should work. Why would your packet capture however not show http://detectportal ... that is port 80 and unless you filtered it out, should be visible, all the same.
The "timeout" message on browser means that the client tried reaching it but didn't receive a response from anywhere. If not in your capture, where does the client send its requests?
It would fit the logic if the client tries to reach the page via another interface. If it doesn't try to reach the page via FortiGate, FortiGate cannot redirect anything. In my beloved article, step2 would be going wrong. So check from the PCAP what the page detectportal.firefox.com resolves to, with the DNS response. From that client, ping that resolved address. Do you see the ping on the FortiGate?
- Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a web filter on with cert inspection, but thats for after the authenticate, so shouldn't be affected, and its always been there, you are right, the portal is just not being triggered and it makes zero sense, literally 2 weeks ago this was all working and something has killed it! and I cant find it. there is only the one connection from the client to the fortigate, no other ones, I cant test again now untill Monday :(
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The web filter will indeed only take place at a policy hit. You can take out all UTM, just in case.
Basically DNS should resolve some address that the client will try to reach via HTTP. That part seems to not even work, so FortiGate cannot redirect (traffic that it doesn't see). You want to test that ping as mentioned and routing table for oddities, like a default route that specifies only the internal network for example.
Likewise, another client is also worth testing. If traffic doesn't reach FortiGate for some odd reason, it is quite unlikely two clients would show the same behavior. If that were true though, you would like to check the DHCP settings on FortiGate as DHCP can push static routes (in "Additional DHCP Options").
- Markus
Labels
-
FortiGate
10,612 -
FortiClient
2,163 -
FortiManager
890 -
5.2
687 -
FortiAnalyzer
681 -
5.4
638 -
FortiSwitch
585 -
FortiClient EMS
564 -
FortiAP
560 -
IPsec
420 -
6.0
416 -
SSL-VPN
379 -
FortiMail
372 -
5.6
362 -
FortiNAC
285 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
195 -
FortiAuthenticator
174 -
FortiGuard
160 -
5.0
152 -
Firewall policy
145 -
FortiGate-VM
133 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiToken
113 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
86 -
FortiProxy
77 -
ZTNA
76 -
Routing
75 -
Fortivoice
73 -
SAML
71 -
DNS
71 -
VLAN
71 -
FortiEDR
69 -
BGP
69 -
FortiADC
68 -
Authentication
67 -
Certificate
66 -
RADIUS
61 -
LDAP
60 -
fortilink
56 -
SSO
54 -
NAT
54 -
FortiSandbox
53 -
FortiExtender
52 -
4.0MR3
49 -
vdom
47 -
Interface
45 -
Application control
45 -
FortiDNS
43 -
Logging
41 -
Virtual IP
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
FortiConnect
35 -
SSL SSH inspection
35 -
Web profile
35 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
API
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web rating
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
NAC policy
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2599 | |
| 1382 | |
| 803 | |
| 663 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.