DineshKum
New Contributor

Permission denied.

We configured social media login from FortiAuthenticator (v5.5.0) to FortiGate (v7.2). However, the result is showing "permission denied." Below is the attached error for reference.

[Attachment: denied_msg.png]

dbu
Staff

Hi @DineshKum ,
It looks like your config is not done properly. There is no match for the defined portal rules. 
Which social login are you trying to configure? Did you follow any guide?

 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
DineshKum
New Contributor

Hi @dbu 
We have been following the FortiAuthenticator cookbook located at https://docs.fortinet.com/document/fortiauthenticator/5.5.0/cookbook/975072/social-wifi-captive-port....

However, after following the instructions in the cookbook, we encountered the following error message:

"Permission denied. Accessing the guest portal without a login session."

Could you please review and provide guidance on resolving this issue?

 




Regards,
DINESHKUMAR A

DineshKum

I have attached the error message below.

[Attachment: permission_denied.png]

dbu

How is the Access Point configured on the FortiAuthenticator, as FQDN or IP?

How have you configured this setting under the FortiGate?
config firewall auth-portal
    set portal-addr "portal.test.com"  <<< your portal FQDN/IP; you can try with both
end

Regards!
DineshKum
New Contributor

Hi @dbu,

We're not using AP; instead, we're connected directly to the FGT port. The authentication portal has also been configured. Please find the attached configuration snapshot.

Regards,
DINESHKUMAR A

[Attachments: Cli_auth.png, FGT_Captive_portal.png]

dbu

I believe the URL should be: https://192.168.5.70/portal on the FortiGate.
You can verify it with the link under the Portal policies on the FortiAuthenticator.

 

Regards!
dbu

Please note you need to match with the Access Point configured on the FortiAuthenticator as below:
[Attachment: apportal.PNG]

 

If you have specified FQDN on the Access Point, then you also need to specify FQDN on the FortiGate.

Regards!
DineshKum
New Contributor

We are using version 5.5.0, and this option is not available in this version. In this version, only the guest option is mentioned. Here is the attached snapshot.

[Attachment: guest_snap.png]

 

 

dbu

I see, then it will be /guests. 
You might find some help with this article

Check the portal policy configuration and how you have configured the access point.

 

Key Configuration Points.

  • On the FortiGate, when external authentication Captive Portal is configured, the user authentication is performed on the external authentication device (e.g. FortiAuthenticator) not on the FortiGate.
  • When the 'External Authentication portal' is configured with FortiAuthenticator, FortiGate is required to be a RADIUS client of the FortiAuthenticator and a remote user group pointing towards the FortiAuthenticator (as RADIUS server) is required to be configured on the FortiGate.
  • On the FortiGate, the FortiAuthenticator and DNS servers (in the case where FQDN is configured on the 'External Authentication portal') are required to be exempted from the 'Captive Portal'.
  • On the FortiAuthenticator for 'Captive Portal' authentication 'Portal', 'Access Point' and 'Policy' are required to be configured. 'Access Point' is the IP address of the port on FortiGate where the 'Captive Portal' is enabled.
Regards!
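
The key configuration points above, put together as one FortiGate-side sketch; this is an added example, not configuration posted by anyone in the thread. It assumes 192.168.5.70 (the address quoted in the thread) is the FortiAuthenticator and that the portal path is /guests as suggested for 5.5.0. The interface name, object names, DNS address and shared secret are constructed placeholders, and the `#` lines are annotations rather than CLI input.

```fortios
# FortiGate as RADIUS client of the FortiAuthenticator
config user radius
    edit "FAC"
        set server "192.168.5.70"
        set secret <shared-secret>
    next
end
# Remote user group pointing at the FortiAuthenticator
config user group
    edit "FAC-portal-users"
        set member "FAC"
    next
end
# Hosts that must stay reachable before login: FortiAuthenticator and DNS
config firewall address
    edit "FAC-host"
        set subnet 192.168.5.70 255.255.255.255
    next
    edit "DNS-host"
        set subnet 192.0.2.53 255.255.255.255
    next
end
config user security-exempt-list
    edit "portal-exempt"
        config rule
            edit 1
                set srcaddr "all"
                set dstaddr "FAC-host" "DNS-host"
            next
        end
    next
end
# Use the same form (FQDN or IP) as the Access Point entry on the FortiAuthenticator
config firewall auth-portal
    set portal-addr "portal.test.com"
end
# Captive portal on the port the clients connect to (placeholder name)
config system interface
    edit "port3"
        set security-mode captive-portal
        set security-external-web "https://192.168.5.70/guests"
        set security-groups "FAC-portal-users"
        set security-exempt-list "portal-exempt"
    next
end
```

On the FortiAuthenticator side, the Access Point entry must be the IP address of this FortiGate port, and the external URL should be compared against the link shown under the portal policy.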