I created a guest network on a FortiGate firewall; security mode is on and dynamic VLAN is enabled. FortiNAC RADIUS is connected behind it. I then included this wireless network in FortiNAC. When a user connects to the network, it assigns them to the quarantine VLAN. Then the FortiNAC portal opens and the user registers. However, I have a problem: when the user connects to this network, the NAC portal does not open. There is an untrusted network warning. To overcome this problem, I created a certificate in Active Directory and added it to FortiNAC. However, when the user connects to the wireless network, the option to trust this certificate should normally appear, but it does not. The user cannot get to the portal because there is no certificate. How can I solve this problem?
Can I direct a user who joins the open network directly to the portal without a certificate?
Or can I disable certificate verification from the SSL section in FortiNAC?
Yes, one option is to leave it as a self-signed certificate. You will get a browser warning, but if it is not for production then it's OK.
I agree with AEK's response.
The users will just get a URL warning, but it also depends on the vendor of the device: they might not accept it at all and might not allow the device to access that URL.
BR
I created a self-signed certificate, but again nothing changed. There is no reaction when the user connects to the wireless network. The portal does not open.
I think this is not related to the certificate.
As AEK is suggesting, it may not be a problem with the certificate. There are some network configurations that need to be in place in order for the portal redirection to happen. FNAC has to be the DHCP and DNS server (eth1/isolation interface, not eth0) for the end host while it is isolated and waiting for the portal to show. The redirection is done through what is called a DNS cheat. You can take a look at this simplified network example (red path) to get a better understanding.
Actually, there is no problem with Windows devices. Windows devices open the browser. The problem is on iOS and Android devices.
Then do the following:
1. Go to System > Settings > Control > Allowed Domains.
2. Remove any domains related to iCloud, Apple or Android, such as those below.
Apple/iOS:
icloud.com
apple.com
akamaiedge.net
akamaitechnologies.com
appleiphonecell.com
edgekey.net
aaplimg.com
akadns.net
3. Android, remove:
clients3.google.com
clients4.google.com
connectivitycheck.google.com
connectivitycheck.gstatic.com
4. Verify again the steps for CNA related to the device (pages 7-9). Make sure everything is set as per our guide.
5. Once this is verified, do the following: go to Portal SSL -> Request Processing Rules. On the top right there is a 'Publish' button. Select Publish in order for the configuration to be applied.
Publish will automatically sort and write the configured rules to Apache and restart the portal web server. After that the captive portal should automatically show for iPhone/Android users, depending on the configuration.
Hello,
Also check whether users in production are able to reach https://FNAC-FQDN.
What IP are the guest users getting? Is it from the registration VLAN (isolation pool scope)?
Do an NSLOOKUP of FNAC-FQDN.
What does it resolve to?
BR
Although I obtained a certificate from a global certificate validator, the same problems persist.
Hello,
Check whether users in production are able to reach https://FNAC-FQDN.
What IP are the guest users getting?
Is it from the registration VLAN (isolation pool scope)?
Do an NSLOOKUP of FNAC-FQDN from the end user.
What does it resolve to?
Run a pcap on FNAC to see whether you receive any traffic from the guest IP:
exec enter-shell
sudo tcpdump -nnvvi any host <IP of the host>
Can you also provide the output of ipconfig /all?
BR
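The two checks the replies above ask for (that nothing in Allowed Domains exempts the iOS/Android captive-portal probe hosts from the DNS cheat, and that from an isolated client the FNAC FQDN and those probe hosts all resolve to the isolation interface address) can be scripted. The following is an added example, not code from this thread or from Fortinet; the isolation address 10.10.99.1, the FQDN fnac.example.com, the sample allow-list and the probe host names are assumptions, with captive.apple.com added alongside the google names listed in the thread.

```python
"""Offline checks for FortiNAC captive-portal redirection of iOS/Android clients.

Added example; not code from the forum thread or from Fortinet. The isolation
interface address (10.10.99.1), the FNAC FQDN (fnac.example.com) and the sample
allow-list in main() are constructed values, not taken from the thread.
"""
import socket
from typing import Callable, Dict, Iterable, List

# Hostnames the OS captive-network assistants probe before deciding whether to
# show the portal sheet. Assumption: captive.apple.com for iOS plus the google
# names the thread says to remove from Allowed Domains.
PROBE_HOSTS: List[str] = [
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "connectivitycheck.google.com",
    "clients3.google.com",
    "clients4.google.com",
]

Resolver = Callable[[str], str]


def _covered_by(host: str, domain: str) -> bool:
    """Suffix match as an allow-list entry is applied: 'apple.com' covers
    'captive.apple.com' and 'apple.com' itself, but not 'notapple.com'."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def allowed_domain_conflicts(allowed: Iterable[str],
                             probes: Iterable[str] = PROBE_HOSTS) -> Dict[str, List[str]]:
    """Map each probe host to the Allowed Domains entries that exempt it from the
    DNS cheat. An exempt probe gets the real answer, the OS concludes it has
    normal Internet access and never opens the portal. Empty dict means clean."""
    entries = list(allowed)
    conflicts: Dict[str, List[str]] = {}
    for probe in probes:
        hits = [e for e in entries if _covered_by(probe, e)]
        if hits:
            conflicts[probe] = hits
    return conflicts


def dns_cheat_problems(fnac_fqdn: str, isolation_ip: str,
                       resolver: Resolver = socket.gethostbyname,
                       probes: Iterable[str] = PROBE_HOSTS) -> List[str]:
    """Run from the isolated client (or with an injected resolver for tests).

    While the host sits in the isolation VLAN, FNAC's DNS on eth1 should answer
    every non-allowed name, the portal FQDN and the probe hosts included, with
    the isolation IP. A different answer means the name is being passed through;
    no answer means the client is probably not using FNAC eth1 as its DNS server
    (wrong DHCP scope or wrong VLAN)."""
    problems: List[str] = []
    for name in [fnac_fqdn, *probes]:
        try:
            answer = resolver(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            problems.append(f"{name}: no DNS answer (client not using FNAC eth1 DNS?)")
            continue
        if answer != isolation_ip:
            problems.append(f"{name}: resolves to {answer}, expected {isolation_ip}")
    return problems


def main() -> None:
    # Constructed allow-list resembling the entries the thread says to remove.
    allowed = ["apple.com", "akamaiedge.net", "connectivitycheck.gstatic.com", "example.org"]
    for probe, hits in allowed_domain_conflicts(allowed).items():
        print(f"remove {hits} from Allowed Domains: it exempts probe host {probe}")
    # Live resolution; only meaningful when run from a client in the isolation VLAN.
    for problem in dns_cheat_problems("fnac.example.com", "10.10.99.1"):
        print(problem)


if __name__ == "__main__":
    main()
```

The allow-list check uses suffix matching, so a broad entry like apple.com is reported even though the probe host itself was never added; that is the case the thread's list of entries to remove is aimed at. The resolution check takes the resolver as a parameter so the same logic can be exercised against a fixed answer table without a network.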
Copyright 2024 Fortinet, Inc. All Rights Reserved.