Fortinac-F Portal Certificate Problem

rcpdkc · ‎03-07-2024

I created a guest network in Fortigate firewall, security mode is on. Dynamic vlan enabled. Fortinac radius is connected behind it. I then included this wireless network in fortinac. When the user connects to the network, it assigns them to the quarantine vlan. Then the fortinac portal opens and the user registers. However, I have a problem like this. When the user connects to this network, the nac portal does not open. There is an untrusted network warning. To overcome this problem, I created a certificate in the active directory. And I included it in fortinac. However, when the user connects to the wireless network, the option to trust this certificate should normally appear, but it does not. The user cannot go to the portal because there is no certificate. How can I solve this problem?
Can I direct a user who is included in the open network directly to the portal without a certificate?
Or can I disable certificate verification from the SSL section in fortinac?

rcpdkc · ‎03-08-2024

My domain name won't go online. Can I still do this? Domain name rcpdkc.local

AEK · ‎03-08-2024

If I have one advice is avoid .local suffix for domain. Always use standard suffix. If I'm not wrong I remember some dns related issue happened on one FortiNAC because of this suffix, or it was .lab suffix, sorry I don't remember well. Any way the issue was resolved

Try use .com, .net, .org, or any other standard.

Remember that FortiNAC is very capricious and it likes strict configuration.

AEK

rcpdkc · ‎03-09-2024

In the wpa2 corporate network, when a person wants to connect wirelessly, a certificate trust warning appears on the screen. However, this vulnerability does not exist in wireless security mode. Actually, if there is a trust warning or a way to automatically install a certificate when connected to the network, my problem will be solved.

AEK · ‎03-10-2024

Here I guess you are talking about RADIUS certificate. Then the question is does is make sense to use public certificate for corporate RADIUS? Personally I don't think so. But at least does it work? Probably not.

AEK

rcpdkc · ‎03-11-2024

There is an active directory certificate in the corporate radius.

rcpdkc · ‎03-11-2024

@AEK Actually, I don't know what my problem is. What I want is that the nac portal page opens automatically when the user connects to the wireless network. However, when the user connects to the wireless network, nothing happens. It just waits.

AEK · ‎03-11-2024

@rcpdkc,

Does you guest client obtain an IP address in the right isolation range?
Can it ping the isolation interface of your FNAC?
Can it access the isolation portal manually (enter isolation FQDN in your browser)

AEK

ndumaj · ‎03-11-2024

Hello,

Please find below the guide for SSL configuration:
https://docs.fortinet.com/document/fortinac-f/7.2.0/installing-ssl-certificates/223817/overview

https://docs.fortinet.com/document/fortinac-f/7.2.0/installing-ssl-certificates/228234/step-1-determ...
For portal Target is recommended public cert:

Third party public (External)
- Certificates issued from Certificate Authorities like GoDaddy, DigiCert, GlobalSign, etc.
- Certificate types: Individual, SAN* & Wildcard

BR

- Happy to help, hit like and accept the solution -

rcpdkc · ‎03-11-2024

I bought a certificate from Zerossl. Although I entered the csr code I got from the portal, there is this warning.

rcpdkc · ‎03-11-2024

Is there any way to do it without an SSL certificate?