Support Forum
Brady_Owen
New Contributor II

SSL Certificate Issue when using HTTPS redirect on Captive portal

Hi All, I have user-based identity policies using captive portals. I have port 3, port 4 and a VLAN using different portals. These all work fine until I switch to HTTPS redirect in Authentication; then the captive portal throws up a certificate warning. I have run:

config vdom
edit root
config firewall policy
edit 16
set auth-redirect-addr test.test.co.uk (not the real address)
set auth-cert mycert
end

There is a DNS entry on the local DC to point test.test.co.uk to the interface of port 3 (example). Now.... when you turn on HTTPS redirect and try to log in you get a warning and an invalid cert because the FW goes to xxx.xxx.208.1:1003/FGTAUTH? (lot of numbers). Any ideas anyone.
1 Solution
Brady_Owen
New Contributor II

"If the browser shows a hostname like Some.Authpage.com/FGTAUTH? then you need to match the text."
Adrian, I have changed the captive portal address via CLI to use an address which matches the wildcard cert *.xxx. Then on the local DNS I put an entry in for this to point to the interface IP. This should then work. When you ask what the exact error is, the error is a certificate error.


8 REPLIES
Jeff_FTNT
Staff

You may import the "Fortinet_CA" CA certificate (located in the FGT GUI at System -> Certificates -> CA Certificates) into your browser as a trusted CA certificate; then it will not show a warning.
Brady_Owen
New Contributor II

This is a third-party certificate; the cert and CA have been loaded already.
Brady_Owen
New Contributor II

Being a GoDaddy cert and CA, I wouldn't need to import the CA.
Adrian_Buckley_FTNT

What EXACTLY is the error? I'm guessing it's saying the cert is not valid for the location you're visiting. A cert is considered valid for a location by the browser if the location i) matches the CN, or ii) matches an entry in the 'alternative name'. Since your browser is going to a.b.c.d/FGTAUTH?, the CN needs to match that IP address, or that IP needs to be included in the alternative name. If the browser shows a hostname like Some.Authpage.com/FGTAUTH? then you need to match the text. Certificates support wildcards so you could do *.authpage.com, or something like that. I've never seen wildcards used with IPs.
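The matching rule Adrian describes is what decides whether the captive-portal redirect produces a warning: the browser checks the host part of the redirect URL (an IP address when the FortiGate redirects by interface address, a name when auth-redirect-addr is set) against the certificate's subject alternative names, with the CN consulted only when no SAN names exist, and DNS wildcards never matching an IP. The Python below is an added illustration of that check, not code from the thread or from Fortinet; the certificate objects, hostnames and the 192.0.2.1 address are constructed placeholders.

```python
"""Browser-style identity check for a captive-portal redirect (added example).

The CertIdentity objects are stand-ins holding only the fields a browser
compares (CN and subjectAltName entries); they are constructed, not real
certificates, and every name and address below is a placeholder.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class CertIdentity:
    common_name: str
    dns_names: list = field(default_factory=list)      # SAN dNSName entries
    ip_addresses: list = field(default_factory=list)   # SAN iPAddress entries


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive; '*' allowed only as the whole
    left-most label and it covers exactly one label, so *.example.com matches
    a.example.com but neither a.b.example.com nor example.com itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def identity_matches(cert: CertIdentity, target: str):
    """Return (ok, reason) for `target`, the host part of the redirect URL."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is compared only against SAN iPAddress entries; the CN and
        # DNS wildcards never apply, which is why a *.domain cert fails for a.b.c.d/FGTAUTH.
        if any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses):
            return True, "IP listed in subjectAltName"
        return False, f"IP {ip} is not in subjectAltName (CN and wildcards do not match IPs)"
    if cert.dns_names:
        # When SAN dNSName entries exist the CN is not consulted (RFC 6125 section 6.4.4).
        if any(_dns_match(n, target) for n in cert.dns_names):
            return True, "hostname matches a subjectAltName dNSName"
        return False, f"{target} matches none of {cert.dns_names}"
    # Legacy fallback: the CN counts only when the certificate has no SAN at all.
    if _dns_match(cert.common_name, target):
        return True, "hostname matches CN (no SAN present)"
    return False, f"{target} does not match CN {cert.common_name}"


def redirect_host(url: str) -> str:
    """Host the browser validates the certificate against, e.g. the a.b.c.d in
    https://a.b.c.d:1003/fgtauth?... or the name given to auth-redirect-addr."""
    return urlparse(url).hostname


def check_redirect(cert: CertIdentity, redirect_url: str):
    return identity_matches(cert, redirect_host(redirect_url))


# Constructed certificate identities (placeholders, not real certificates).
WILDCARD_CERT = CertIdentity("*.mydomain.com", dns_names=["*.mydomain.com", "mydomain.com"])
EXACT_CERT = CertIdentity("disclaimer.mydomain.com", dns_names=["disclaimer.mydomain.com"])

if __name__ == "__main__":
    # Failing case from the thread: redirect by interface IP (192.0.2.1 is a placeholder).
    print(check_redirect(WILDCARD_CERT, "https://192.0.2.1:1003/fgtauth?0a1b2c"))
    # Working case: auth-redirect-addr set to a name the wildcard covers.
    print(check_redirect(WILDCARD_CERT, "https://authpage.mydomain.com:1003/fgtauth?0a1b2c"))
    print(check_redirect(EXACT_CERT, "https://disclaimer.mydomain.com:1003/fgtauth?0a1b2c"))
```

Running it prints a failure with the reason for the IP-based redirect and successes once the redirect host is a name the SAN covers, which is the same transition the thread describes when switching from the interface IP to auth-redirect-addr plus a matching DNS entry.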
newNetwork
New Contributor

I am facing this issue. I have a COMODO CA public cert for authpage.mydomain.com and this DNS name points to the LAN IP of the FortiGate. When I try to access https://google.com for the first time from an unauthenticated client, it redirects and throws a warning, and I guess in Google Chrome it refuses to proceed.

One of the workarounds, as I understand it, is to use a wildcard certificate for mydomain.com instead of authpage.mydomain.com. Will this prevent the warning or is it not going to help?

Any other workaround?

What if I want to force the user to a specific HTTP site for the first time in the day? HTTP sites go through the auth page without any warning. Once the user is authenticated, he can go to any site.

NSGuru
New Contributor

Hi All,

I know this issue happened a while back, but I recently ran into the same thing and wanted to let you know how I resolved it.

1. You will first need to have a trusted SSL certificate.

Gather this certificate and install it on the FortiGate.

System > Certificates > Upload Local and then CA Certificate.

2. Add a DNS entry on the server that points to the FortiGate and matches the installed SSL certificate, for example disclaimer.mydomain.com.

For a quick test to confirm the certificate is working properly, you can change the admin cert to the trusted cert you installed by going to System > Administrators > Settings > Change Certificate to your specified cert name.

Now, on a PC local to the domain, go to the DNS entry you added. You should now be able to reach the firewall without getting an untrusted page.

The next steps you will be following are all inside the FortiGate.

3. Open up the CLI of the FortiGate and run

config firewall policy
edit 9                     (this number represents the policy ID you will be using to redirect users to a disclaimer for authentication)
set auth-redirect-addr disclaimer.mydomain.com
set auth-cert (your specified cert name)
end

**** If you have multiple policies set up for the disclaimer, I would recommend running those commands for each policy ID ****

4. Open up the GUI of the FortiGate and browse to

User and Device > Authentication > Settings > Certificate (your specified cert name)

You should now be complete. Test, and you should see that your PC redirects to the address you had chosen and has the trusted certificate as well.

Hope this helps.

boneyard
Valued Contributor

@NSGuru thanks for the explanation.

If you say "Test" at the end, how do you test? If you test with, for example, https://www.google.com, do you then get it to work without certificate warnings?
