Support Forum
rcpdkc
Contributor II

Fortinac-F Portal Certificate Problem

I created a guest network on the FortiGate firewall, with security mode on and dynamic VLAN enabled. FortiNAC RADIUS is connected behind it. I then added this wireless network to FortiNAC. When a user connects to the network, it assigns them to the quarantine VLAN. Then the FortiNAC portal opens and the user registers. However, I have the following problem. When the user connects to this network, the NAC portal does not open; there is an untrusted network warning. To overcome this, I created a certificate in Active Directory and imported it into FortiNAC. However, when the user connects to the wireless network, the option to trust this certificate should normally appear, but it does not. The user cannot get to the portal because there is no certificate. How can I solve this problem?
Can I direct a user who joins the open network straight to the portal without a certificate?
Or can I disable certificate verification in the SSL section of FortiNAC?

 

AEK

Yes, one option is to leave it with the self-signed certificate. You will get a browser warning, but if it is not for production then that's OK.

ndumaj
Staff

I agree with AEK's response.
The users will just get a URL warning, but it depends on the device vendor: the device might not accept it at all and might not allow access to that URL.

BR

- Happy to help, hit like and accept the solution -
rcpdkc
Contributor II

I created a self-signed certificate, but again nothing changed. There is no reaction when the user connects to the wireless network. The portal does not open.

AEK

I think this is not related to certificate.

  • Can you ping FNAC's eth1 IP from the isolated client?
  • What do you get when you browse https://<FNAC eth1 IP> (using the IP)?
  • Can you try telnet <FNAC eth1 IP> 443?
ebilcari

As AEK is suggesting, it may not be a problem with the certificate. There are some network configurations that need to be in place for the portal redirection to happen. FNAC has to be the DHCP and the DNS server (eth1/isolation interface, not eth0) for the end host while it is isolated and waiting for the portal to show. The redirection is done through what is called a DNS cheat. You can take a look at this simplified network example (red path) to get a better understanding.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
rcpdkc
Contributor II

Actually, there is no problem with Windows devices. Windows devices open the browser. The problem is on iOS and Android devices.

ndumaj

Then do the following:

1. Go to System > Settings > Control > Allowed Domains.

2. Remove any domains related to iCloud or Apple, such as the following:
   icloud.com
   apple.com
   akamaiedge.net
   akamaitechnologies.com
   appleiphonecell.com
   www.airport.us
   edgekey.net
   aaplimg.com
   akadns.net

3. For Android, remove:
   clients3.google.com
   clients4.google.com
   connectivitycheck.google.com
   connectivitycheck.gstatic.com

4. Verify again the CNA-related steps for the device (pages 7-9):
   https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/8b7c4f99-1e56-11ed-9eba-fa163e...
   Make sure everything is set as per our guide.

5. Once this is verified, go to Portal SSL > Request Processing Rules. On the top right there is a 'Publish' button; select Publish for the configuration to be applied.

Publish will automatically sort and write the configured rules to Apache and restart the portal web server. After that, the captive portal should automatically show for iPhone/Android users, depending on the configuration.

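The mechanism ebilcari describes (FNAC's isolation DNS answering every name with its own eth1 address) and the Allowed Domains clean-up above, modelled as an added example. This is not FortiNAC code: the eth1 address, the two allowed-domain lists, the stand-in DNS answers and the HTTP responses are constructed for illustration. The probe URLs and the answers each OS treats as "internet works" (Apple: a Success page from captive.apple.com/hotspot-detect.html; Android: HTTP 204 from connectivitycheck.gstatic.com/generate_204; Windows: the text "Microsoft Connect Test" from www.msftconnecttest.com/connecttest.txt) are the documented OS behaviours. Windows is included beyond what the post covers, because its probe host is not in the vendor list and so is redirected, which is consistent with Windows working in this thread while iOS and Android did not.

```python
"""
Model of FortiNAC's isolation-network DNS cheat and of the captive-portal
probes that iOS (Captive Network Assistant), Android and Windows send when
they join a Wi-Fi network.

While a host is in the registration/isolation VLAN, FNAC's eth1 is its DNS
server. Every name resolves to eth1 itself, except names under Allowed
Domains, which are resolved normally. If the probe hosts are allowed, the
probe reaches the vendor's server, gets the 'internet works' answer and the
device never opens the portal.

Added example, not FortiNAC code. Addresses, allowed-domain lists and the
HTTP stand-ins are constructed for illustration.
"""

FNAC_ETH1_IP = "192.0.2.10"   # assumed isolation interface (TEST-NET-1 address)

# Constructed stand-in for what public DNS would answer for allowed names.
REAL_DNS = {
    "captive.apple.com": "17.253.1.1",
    "connectivitycheck.gstatic.com": "142.250.1.1",
    "www.msftconnecttest.com": "13.107.4.52",
}

# Probe host, path, and the status/body each OS treats as 'no captive portal'.
PROBES = {
    "ios":     ("captive.apple.com", "/hotspot-detect.html", 200, "Success"),
    "android": ("connectivitycheck.gstatic.com", "/generate_204", 204, ""),
    "windows": ("www.msftconnecttest.com", "/connecttest.txt", 200, "Microsoft Connect Test"),
}

# Allowed Domains with the vendor probe domains still present, and after the
# clean-up ndumaj asks for. Both lists are hypothetical.
BROKEN_ALLOWED = ["apple.com", "akamaiedge.net", "connectivitycheck.gstatic.com",
                  "clients3.google.com"]
FIXED_ALLOWED = ["updates.vendor.example"]


def domain_allowed(host, allowed):
    """True if host equals, or is a subdomain of, an Allowed Domains entry."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower().strip().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def isolation_dns(host, allowed):
    """The DNS cheat: forward allowed names upstream, answer all others with eth1.
    Returns None when the upstream lookup has no answer."""
    if domain_allowed(host, allowed):
        return REAL_DNS.get(host)
    return FNAC_ETH1_IP


def http_get(ip, host, path):
    """Constructed HTTP exchange. FNAC's portal answers any path with its own
    page; the vendor servers answer exactly what the probing OS expects."""
    if ip is None:
        return None, ""
    if ip == FNAC_ETH1_IP:
        return 200, "<html>FortiNAC Captive Portal (" + path + ")</html>"
    if host == "captive.apple.com":
        return 200, "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
    if host == "connectivitycheck.gstatic.com":
        return 204, ""
    if host == "www.msftconnecttest.com":
        return 200, "Microsoft Connect Test"
    return 200, "<html>unrelated site</html>"


def portal_pops(os_name, allowed):
    """Would this OS's captive-portal helper open the FNAC portal?"""
    host, path, want_status, want_body = PROBES[os_name]
    status, body = http_get(isolation_dns(host, allowed), host, path)
    if status is None:
        # Model assumption: a probe with no answer at all is reported as
        # 'no connectivity', not as a captive portal.
        return False
    # Anything other than the exact expected answer means 'captive portal'.
    return not (status == want_status and want_body in body)


if __name__ == "__main__":
    for label, allowed in (("probe domains allowed", BROKEN_ALLOWED),
                           ("probe domains removed", FIXED_ALLOWED)):
        for os_name in PROBES:
            print(f"{label:22s} {os_name:8s} portal opens: {portal_pops(os_name, allowed)}")
```

With the vendor probe domains in Allowed Domains, the iOS and Android probes are forwarded to the real servers and return the expected answer, so no portal opens; the Windows probe host is not in the list, so it is answered with eth1, gets the portal page instead of "Microsoft Connect Test", and the browser opens. Once the probe domains are removed, all three are redirected and all three helpers open the portal.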
ndumaj
Staff

Hello,
Also check whether users in production are able to reach https://FNAC-FQDN.
What IP are guest users getting? Is it from the registration VLAN (isolation pool scope)?
Do an nslookup of FNAC-FQDN.
What does it resolve to?
BR

rcpdkc
Contributor II

Although I obtained a certificate from a global certificate validator, the same problems persist.

ndumaj
Staff

Hello,
Check whether users in production are able to reach https://FNAC-FQDN.
What IP are guest users getting?
Is it from the registration VLAN (isolation pool scope)?
Do an nslookup of FNAC-FQDN from the end user.
What does it resolve to?
Run a pcap on FNAC to see whether you receive traffic from the guest IP:
exec enter-shell
sudo tcpdump -nnvvi any host <IP of the host>

Can you also provide the output of ipconfig /all?

BR

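The client-side checks AEK's bullet list and ndumaj's last two replies ask for (reach eth1 on 443, nslookup of the FNAC FQDN, whether the guest IP is inside the isolation scope, and whether the certificate the portal presents is trusted and carries that FQDN), collected into one script as an added example. This is not FortiNAC code; the FQDN, eth1 address and scope are placeholders to replace, and the network calls run only when the script is executed directly on the isolated client. AEK's ping is left out because ICMP needs raw-socket privileges; the TCP connect to 443 covers the telnet test.

```python
"""
Client-side version of the checks asked for in this thread: can the isolated
host reach FNAC's eth1 on 443, does the portal FQDN resolve to eth1 (the DNS
cheat), is the client's address inside the isolation scope, and does the
certificate the portal presents chain to a CA this client trusts and carry
that FQDN.

Added example, not FortiNAC code. FQDN, eth1 address and scope are
placeholders; network calls happen only when the script is run directly.
"""
import ipaddress
import socket
import ssl
import sys

FNAC_FQDN = "fnac.example.com"      # assumed portal name
FNAC_ETH1_IP = "192.0.2.10"         # assumed isolation interface
ISOLATION_SCOPE = "192.0.2.0/24"    # assumed isolation DHCP scope


def in_scope(ip, scope):
    """Is the client's address inside the isolation DHCP scope?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(scope, strict=False)


def resolves_to_eth1(answers, eth1_ip):
    """Given the A records the client received, did the DNS cheat apply?
    (What 'nslookup FNAC-FQDN' on the isolated host should show.)"""
    return eth1_ip in answers


def name_matches(hostname, san_names):
    """Match the portal hostname against the certificate's dNSName entries.
    A leading '*' label matches exactly one label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) > 2:
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def cert_sans(cert):
    """Pull the dNSName values out of the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def live_checks(fqdn, eth1_ip, scope):
    """Run the checks against the network. Returns (check, ok, detail) tuples."""
    results = []
    try:
        answers = sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, 443, socket.AF_INET)})
    except socket.gaierror:
        answers = []
    results.append(("DNS for %s answers with eth1" % fqdn,
                    resolves_to_eth1(answers, eth1_ip), ", ".join(answers) or "no answer"))
    try:
        raw = socket.create_connection((eth1_ip, 443), timeout=5)
    except OSError as exc:
        results.append(("TCP 443 to eth1", False, str(exc)))
        return results
    with raw:
        local_ip = raw.getsockname()[0]
        results.append(("TCP 443 to eth1", True, "connected from " + local_ip))
        results.append(("client IP inside isolation scope", in_scope(local_ip, scope), local_ip))
        ctx = ssl.create_default_context()   # system trust store, CERT_REQUIRED
        ctx.check_hostname = False           # name check is done by name_matches below
        try:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                sans = cert_sans(tls.getpeercert())
                results.append(("certificate chains to a trusted CA", True, ", ".join(sans)))
                results.append(("certificate names cover %s" % fqdn, name_matches(fqdn, sans), ""))
        except ssl.SSLError as exc:
            # Self-signed or private-CA certificate this client does not trust:
            # the same condition that produces the browser's untrusted warning.
            results.append(("certificate chains to a trusted CA", False, str(exc)))
    return results


if __name__ == "__main__":
    fqdn = sys.argv[1] if len(sys.argv) > 1 else FNAC_FQDN
    for check, ok, detail in live_checks(fqdn, FNAC_ETH1_IP, ISOLATION_SCOPE):
        print("[%s] %s: %s" % ("OK  " if ok else "FAIL", check, detail))
```

Run it from a host sitting in the registration VLAN after replacing the three placeholders. A FAIL on the DNS line means the redirection is not happening at all, which matches the "not a certificate problem" diagnosis; a FAIL only on the certificate lines means the portal is reachable and the remaining issue is trust or a name mismatch between the redirect target and the certificate's SANs. The pure helpers can also be applied by hand to nslookup and ipconfig /all output.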