Hello,
I am playing with FortiGate trial versions (7.2.11 and 7.6.2) and I was testing local user authentication with captive portal.
I have configured the ip address of the interface as captive portal location.
It works for HTTP traffic but for HTTPS traffic the browsers generate "ERR_SSL_VERSION_OR_CIPHER_MISMATCH".
Maybe this is something that the trial versions do not support (2 GB RAM FortiGate models no longer support FortiOS proxy-related features | FortiGate / FortiOS 7.6...), but it is not clearly stated.
Hello
This is most probably because FGT VM trial supports only low encryption.
https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/441460
With the below commands I saw an error in the authd process.
diagnose debug application authd -1
diagnose debug enable
diagnose debug console timestamp enable
2025-05-22 16:52:47 [crypto_free:216]: [crypto_free:216]: (crypto/bio/bss_sock.c:111)
2025-05-22 16:52:47 [crypto_free:216]: [crypto_free:216]: (crypto/ex_data.c:412)
2025-05-22 16:52:47 [crypto_free:216]: [crypto_free:216]: (crypto/bio/bio_lib.c:147)
2025-05-22 16:52:47 [crypto_free:216]: [crypto_free:216]: (ssl/ssl_lib.c:1493)
2025-05-22 16:52:47 [crypto_free:216]: [crypto_free:216]: (crypto/threads_pthread.c:808)
2025-05-22 16:52:47 [crypto_free:216]: [crypto_free:216]: (ssl/ssl_lib.c:1399)
2025-05-22 16:52:47 authd_epoll_work: timeout 11690
2025-05-22 16:52:58 [authd_http_accept_session:1122]: src 192.168.211.1 flag 00010800
2025-05-22 16:52:58 [authd_http_change_state:2855]: src 192.168.211.1 flag 00010800
2025-05-22 16:52:58 authd_http: change state from 0 to 1
2025-05-22 16:52:58 [authd_http_accepting:1201]: src 192.168.211.1 flag 00010800
2025-05-22 16:52:58 [crypto_malloc:208]: [crypto_malloc:208]: 5408 (ssl/ssl_lib.c:733)
2025-05-22 16:52:58 [crypto_malloc:208]: [crypto_malloc:208]: 56 (crypto/threads_pthread.c:713)
2025-05-22 16:52:58 [crypto_malloc:208]: [crypto_malloc:208]: 32 (crypto/stack/stack.c:51)
2025-05-22 16:52:58 [crypto_malloc:208]: [crypto_malloc:208]: 32 (crypto/stack/stack.c:71)
2025-05-22 16:52:58 [crypto_malloc:208]: [crypto_malloc:208]: 184 (ssl/ssl_cert.c:95)
2025-05-22 16:52:58 [crypto_malloc:208]: [crypto_malloc:208]: 360 (ssl/ssl_cert.c:105)
2025-05-22 16:52:58 [crypto_malloc:208]: [crypto_malloc:208]: 112 (crypto/x509/x509_vpm.c:86)
2025-05-22 16:52:58 [crypto_free:216]: [crypto_free:216]: (ssl/s3_lib.c:3536)
2025-05-22 16:52:58 [crypto_free:216]: [crypto_free:216]: (ssl/s3_lib.c:3538)
2025-05-22 16:52:58 [crypto_free:216]: [crypto_free:216]: (ssl/s3_lib.c:3540)
2025-05-22 16:52:58 [crypto_free:216]: [crypto_free:216]: (ssl/s3_lib.c:3541)
2025-05-22 16:52:58 [crypto_free:216]: [crypto_free:216]: (ssl/s3_lib.c:3542)
2025-05-22 16:52:58 [crypto_free:216]: [crypto_free:216]: (ssl/s3_lib.c:3549)
As @AEK correctly said - because you are using a free evaluation VM license, it (VM FGT) will only support high (read - acceptable by today's browsers) encryption for the Admin HTTPS management interface, nothing else. So, your browser, when presented with the low encryption cipher suite, will just refuse to enter the page. Nothing you can do about that except buying a normal license or spinning up a licensed FGT on some public cloud. But you are using it for testing so it is probably OK as is.