Fortigate wifi external portal authentication with FortiAuthenticator
My Fortigate environment for wifi guest user is a external authentication portal by FortiAuthentication; i replace the Fortinet certicate SSL with my own CA ( Sectigo ) to avoid warning certificate from browser. The workflow begin with the external page of FortiAth " https://fac.xxzxzxzxx.YY/portal"; authentication is processed by Fortiauth but the browser goes redirect at internal page in this url "10.12.0.1:1000/fortiauth.... " without also the HTTPS form... This is the IP internal interface of Fortigate for the specific SSID. The browser warning that it's insecure because it's not in HTTPS and show the warning to trasmit the credential in a non secure channel... How do I avoid this warning and continue the protected session?
here is a copy and paste from the 6.4 captive portal flow ( GUI > Authentication > Portals > Policies > Upper right there is the blue question mark) - that should explain how the redirect works:
The typical captive portal workflow for an end-user with a FortiGate/FortiWiFi goes as follows:
End-user browser attempts to go through the FortiGate/FortiWiFi to access a website.
(Optional step) FortiGate/FortiWiFi sends a MAC Authentication Bypass (MAB) RADIUS authentication request using the end-user's MAC address to the FortiAuthenticator.
(Optional step) FortiAuthenticator processes the MAB request. It return an Access-Accept response and authorized group name RADIUS attributes if the MAC address is authorized, or an Access-Accept response without the authorized group name RADIUS attribute otherwise.
(Optional step) Upon an Access-Accept response and correct group membership, the end-user browser bypasses the captive portal and is allowed through to the requested website. Workflow stops here.
FortiAuthenticator successfully authenticates the end-user.
FortiAuthenticator redirects the end-user browser to the FortiGate/FortiWiFi's captive portal API specified in the "post" parameter of the original captive portal redirect, e.g. http://192.168.30.1:1000/fgtauth in the above sample. The API call also contains the "magic" parameter (also from the original redirect), in addition to a username and password.
FortiGate/FortiWiFi uses the "magic" parameter to associate the API request to the firewall session that triggered the original redirect and triggers a RADIUS authentication request to the FortiAuthenticator using the username and password from the API request.
FortiAuthenticator verifies the credentials from the RADIUS authentication request. If valid, it returns a RADIUS Access-Accept response containing the appropriate RADIUS attributes.
FortiGate/FortiWiFi redirects the end-user browser to a website. The specific website depends on the FortiGate/FortiWiFi configuration.
What exactly is your redirect link on the FortiGate? You could crosscheck if the link has a / appended to it. It should be similar to "https://[FAC IP/FQDN]/portal/". If that / is missing the iOS may fail as we've seen the iPhone might not handle the HTTP response code 301 from the FortiAuthenticator webserver later.
that DNS entry contains the IP, the full domain name, and the shortened hostname (vpn) without DNS suffix (forti.lab) - this could also be an alias for example, or a different domain that also resolves to the same IP.
-> DNS entries in the host file contain one IP and one or more names.
In this case, it would allow the client to reach the IP at 'vpn.forti.lab' or just 'vpn'.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Sorry to thread necro, but I wanted to know if this is the standard way of having a captive portal for external guests that does not prompt them to submit information? Asking because this workflow is somewhat broken in the latest release, and I wish to understand if a bug is currently preventing me from configuring a best practice implementation.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.