Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rcpdkc
Contributor II

Fortinac-F Portal Certificate Problem

I created a guest network in Fortigate firewall, security mode is on. Dynamic vlan enabled. Fortinac radius is connected behind it. I then included this wireless network in fortinac. When the user connects to the network, it assigns them to the quarantine vlan. Then the fortinac portal opens and the user registers. However, I have a problem like this. When the user connects to this network, the nac portal does not open. There is an untrusted network warning. To overcome this problem, I created a certificate in the active directory. And I included it in fortinac. However, when the user connects to the wireless network, the option to trust this certificate should normally appear, but it does not. The user cannot go to the portal because there is no certificate. How can I solve this problem?
Can I direct a user who is included in the open network directly to the portal without a certificate?
Or can I disable certificate verification from the SSL section in fortinac?

 

29 REPLIES 29
rcpdkc
Contributor II

My domain name won't go online. Can I still do this? Domain name rcpdkc.local

AEK

If I have one advice is avoid .local suffix for domain. Always use standard suffix. If I'm not wrong I remember some dns related issue happened on one FortiNAC because of this suffix, or it was .lab suffix, sorry I don't remember well. Any way the issue was resolved 

Try use .com, .net, .org, or any other standard.

Remember that FortiNAC is very capricious and it likes strict configuration.

AEK
AEK
rcpdkc
Contributor II

In the wpa2 corporate network, when a person wants to connect wirelessly, a certificate trust warning appears on the screen. However, this vulnerability does not exist in wireless security mode. Actually, if there is a trust warning or a way to automatically install a certificate when connected to the network, my problem will be solved.

AEK

Here I guess you are talking about RADIUS certificate. Then the question is does is make sense to use public certificate for corporate RADIUS? Personally I don't think so. But at least does it work? Probably not.

AEK
AEK
rcpdkc
Contributor II

There is an active directory certificate in the corporate radius.

rcpdkc
Contributor II

@AEK Actually, I don't know what my problem is. What I want is that the nac portal page opens automatically when the user connects to the wireless network. However, when the user connects to the wireless network, nothing happens. It just waits.

AEK

@rcpdkc,

  • Does you guest client obtain an IP address in the right isolation range?
  • Can it ping the isolation interface of your FNAC?
  • Can it access the isolation portal manually (enter isolation FQDN in your browser)
AEK
AEK
ndumaj
Staff
Staff

Hello,

Please find below the guide for SSL configuration:
https://docs.fortinet.com/document/fortinac-f/7.2.0/installing-ssl-certificates/223817/overview

https://docs.fortinet.com/document/fortinac-f/7.2.0/installing-ssl-certificates/228234/step-1-determ...
For portal Target is recommended public cert:

  • Third party public (External)

    • Certificates issued from Certificate Authorities like GoDaddy, DigiCert, GlobalSign, etc.

    • Certificate types: Individual, SAN* & Wildcard

 

BR

 

- Happy to help, hit like and accept the solution -
rcpdkc
Contributor II

I bought a certificate from Zerossl. Although I entered the csr code I got from the portal, there is this warning.Ekran Alıntısı.PNG

rcpdkc
Contributor II

Is there any way to do it without an SSL certificate?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors