We’re running FortiNAC 7.6.x (NAC-OS) with a trusted third-party SSL certificate assigned to our captive portal. BYOD devices are redirected to the registration portal via VLAN isolation and FortiNAC policies.
However, we are encountering the following issues:
HSTS-enabled HTTPS sites (e.g., chatgpt.com, google.com) throw unskippable certificate errors (ERR_CERT_COMMON_NAME_INVALID) when intercepted before registration.
Windows 11 endpoints are not reliably triggering the Captive Network Assistant (CNA).
What we’ve confirmed:
A valid certificate is in place and bound to the portal (port2).
msftconnecttest.com is not in the Allowed Domains list.
DNS and HTTP access to FortiNAC from the Registration VLAN are working.
What we need:
Clear guidance or official best practices to ensure:
Windows CNA detection reliably triggers upon network join
HTTPS/HSTS certificate errors are avoided entirely
Any specific FortiNAC settings required to optimize detection behavior
Looking for any insight into possible misconfiguration, missing detection rules, or additional steps needed to make CNA-based onboarding seamless and secure.
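One way to check the two symptoms described above from a host on the Registration VLAN, as an added diagnostic example that is not part of the original post and not FortiNAC code: Windows raises the Captive Network Assistant only when its NCSI probe to http://www.msftconnecttest.com/connecttest.txt does not come back as the exact string "Microsoft Connect Test", so the probe reply tells you whether CNA can ever fire; and the browser's ERR_CERT_COMMON_NAME_INVALID appears when the redirect target host is not among the certificate's names. The portal hostname nac.example.com, the IP 10.0.0.5 and the captured replies are constructed placeholders; the NCSI URL and expected body are Windows' documented probe.

```python
"""Interpret a captured Windows NCSI probe reply and the portal redirect it carries.

Added diagnostic helper (not FortiNAC code).  Windows fetches
http://www.msftconnecttest.com/connecttest.txt and raises the Captive Network
Assistant unless the reply is exactly "Microsoft Connect Test".
"""
from http.client import HTTPConnection
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

NCSI_HOST = "www.msftconnecttest.com"
NCSI_PATH = "/connecttest.txt"
NCSI_EXPECTED_BODY = b"Microsoft Connect Test"


def classify_ncsi_response(status: Optional[int], headers: Dict[str, str], body: bytes) -> str:
    """Map one probe reply to the verdict Windows reaches.

    "internet"        -> 200 with the exact expected body: no portal, CNA stays silent.
    "captive-portal"  -> a redirect or any other content: CNA is raised.
    "no-connectivity" -> no HTTP reply at all (status None): Windows reports no internet.
    """
    if status is None:
        return "no-connectivity"
    if status == 200 and body.strip() == NCSI_EXPECTED_BODY:
        return "internet"
    return "captive-portal"


def redirect_target(headers: Dict[str, str]) -> Optional[str]:
    """Return the Location header (case-insensitive), or None if there is no redirect."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("location")


def host_matches_cert_names(url: str, cert_names: Iterable[str]) -> bool:
    """True if the redirect host is covered by one of the certificate's DNS names.

    Browsers raise ERR_CERT_COMMON_NAME_INVALID when the portal is reached by a
    name (or a bare IP) absent from the certificate.  Wildcards match exactly
    one label, as in RFC 6125.
    """
    host = (urlsplit(url).hostname or "").lower()
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            parent = host.partition(".")[2]
            if parent and parent == name[2:]:
                return True
        elif name == host:
            return True
    return False


def live_probe(timeout: float = 5.0) -> Tuple[Optional[int], Dict[str, str], bytes]:
    """Send the real NCSI probe from the current network (not used by the offline test).

    Returns (status, headers, body); status is None when nothing answered.
    """
    try:
        conn = HTTPConnection(NCSI_HOST, 80, timeout=timeout)
        conn.request("GET", NCSI_PATH, headers={"Host": NCSI_HOST, "User-Agent": "Microsoft NCSI"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    except OSError:
        return None, {}, b""


def diagnose(status: Optional[int], headers: Dict[str, str], body: bytes,
             cert_names: Iterable[str]) -> List[str]:
    """Combine the NCSI verdict with the certificate-name check into report lines."""
    verdict = classify_ncsi_response(status, headers, body)
    notes = [f"NCSI verdict: {verdict}"]
    if verdict == "internet":
        notes.append("probe passed through untouched: on the Registration VLAN this means "
                     "Windows will never raise CNA (check the Allowed Domains list)")
    location = redirect_target(headers)
    if location:
        if host_matches_cert_names(location, cert_names):
            notes.append(f"redirect to {location} is covered by the portal certificate")
        else:
            notes.append(f"redirect to {location} is NOT covered by the portal certificate: "
                         "expect ERR_CERT_COMMON_NAME_INVALID")
    return notes


if __name__ == "__main__":
    # Constructed sample replies, as a captured probe on the Registration VLAN might look.
    portal_cert_names = ["nac.example.com"]  # placeholder SANs of the portal certificate
    samples = [
        (302, {"Location": "https://nac.example.com/registration"}, b""),
        (302, {"Location": "https://10.0.0.5/registration"}, b""),
        (200, {"Content-Type": "text/plain"}, b"Microsoft Connect Test"),
        (None, {}, b""),
    ]
    for status, headers, body in samples:
        for line in diagnose(status, headers, body, portal_cert_names):
            print(line)
        print("--")
```

Run it once with the constructed samples to see the four verdicts, then replace the sample list with the output of live_probe() from a Windows-profile host sitting in the Registration VLAN; a verdict of "internet" there means the NCSI domain is reaching the real server and CNA has nothing to react to, while a redirect whose host fails the certificate check explains the unskippable browser error.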
The choice to accept the redirection mostly resides on the host/browser behavior and any hardening technique that may have been applied in the host. Usually the browser should detect the presence of a captive portal and inform the user before proceeding with normal browsing. Default settings in FNAC Portal > Request Processing Rules should work with most of the end host types.
Firefox example in Win11:
If the user types just the domain, the redirection should happen only using HTTP. If the link comes from a saved bookmark or browser history (https), the browser should still be able to detect that there is a portal and notify the user.
Chrome example in Win11:
After pressing the 'Connect' button, a new tab with the FNAC portal is opened.
Thanks for the reply. We do not see that behavior in Firefox or in Chrome. Is there a specific Request Processing Rule in FNAC that can improve compatibility?
The default values should work well for most host types. If hardening techniques are applied on the end hosts, I don't believe changes on the FNAC side can improve the behavior. The common CNA changes are related to iPhone/iOS and some Android versions.
Copyright 2025 Fortinet, Inc. All Rights Reserved.