Hi Team!
I am experiencing issues with the fortigate WPA2 personal+captive portal deployment. I have used the portal type disclaimer+auth and I have found two main problem:
- First, when the users successfully login, they are redirected to the port 1000 of the firewall and not the original request as configured. For example , lets think that the user has accessed to google.com, after login in the captive portal they are not redirected to google.es, they are redirected to the firewall IP and port 1000. Any idea of the source of this issue?
- Second, When the users fails their credentials, thay are no longer able to relogin, they need to discconect themselves from the SSID and connect again to be able to relogin.
Thanks for help!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 12-21-2021 10:56 PM
Welcome to the Fortinet community and Thank you for your post. Hopefully, you've been keeping safe and doing well!
We see you are facing the issue with WIFI Captive Portal.
You should receive an update from one of the team members soon on. Thanks for your patience on this.
Hey Unai_SecFnet,
generally: how is the captive portal triggered, how is it set up?
Is this done on the interface level or per firewall policy?
You can check for 1)
it sounds like the user is supposed to login once again, so the login might not have been captured.
To see what has been known to the firewall you can use the firewall user monitor or from the CLI diag firewall auth list.
2) - I'd do exactly the same and check whether the user is known. The firewall session will be denied - but a session = srcIP:srcport<>dstIP:dstport (and user if any). If that same session is re-used, the user will be denied by the same FW policy. Choose to connect to another site, and you should be asked to authenticate again.
Best regards,
Markus
Hi Markus,
Thanks for support, I will check over both and I will update the thread. The captive portal is configured in the interface level, it is a WiFi WPA2+disclaimer+captive portal solution.
Hi Marcus,
After authenticating, the user is below the firewall auth user list. It seems that the error is just with the http redirection. This issue starts when you ignore the auto-prompted captive portal and you start to navigate.
At this step, the fortigate intercept the traffic and shows the captive portal. If you login successfully, you are redirected to the fw IP and the port 1000, set as auth-port in the fortigate global configuration. Does anybody suffered this in 6.0.13 version?
Thanks!
Hi Unai_SecFnet,
I've having a similar issue running v6.2.10. We have a guest WiFi network using WPA2 Personal with Captive Portal. Our settings are "Disclaimer Only" for Portal Type and "Original Request" for the Redirect After. After a guest connects to the SSID, the default browser automatically opens with a redirect "detector" (Edge, Firefox and Chrome). Then it redirects to the FGT on port 1003. Firefox mentioned issues with certificates and with HSTS.
Haven't found a solution yet.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.