FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Sx11
Staff
Article Id 278428
Description

 

This article describes how to debug and identify missing configuration when customers have set up Google Authentication accounts to onboard new devices via the FortiNAC Captive Portal using Google credentials.

 

Scope

 

FortiNAC.

 

Solution

 

This configuration allows users to onboard their devices through the FortiNAC Captive Portal using their Google credentials.

 

  1. The user is initially presented with the FortiNAC Captive Portal and prompted to log in. In the FortiNAC Host View, the device is shown as a Rogue Host and is isolated.
  2. After selecting 'Standard user login', a 'Sign in with Google' prompt appears.
  3. The user is then redirected to Google to provide their Google credentials.

Important: The FortiNAC Portal must be secured with a valid SSL certificate in order for Google services to accept the request. The certificate securing the portal must have the FortiNAC FQDN as its subject, and the same FQDN must also be specified under Portal -> Portal SSL.

 

If this is not the case, users will be presented with a 400 (Bad Request) error or a similar invalid-request error code from Google:

 

(Screenshot: Google 400 error page.)

 

  1. After successful authentication, the user sees the message 'Logged in as: <Username>' and is prompted to select 'Agree' in order to accept the Acceptable Use Policy.

     

    In some cases, the browser shows an error message after the user selects 'Agree': 'Login Failed: Authentication Failure'.

     

    (Screenshot: browser 'Login Failed: Authentication Failure' message.)

    In most cases, this is caused by the user's domain being missing from the Google Service Connector's Allowed Domains list and from the Allowed Domains list in FortiNAC.

    To identify the cause, tail the output.master file in the FNAC-F CLI as follows:

     

    diagnose tail -F output.master

     

    After the issue is recreated, the CLI displays debug output such as the following:

     

    yams INFO :: 2023-10-10 14:14:11:658 :: #541 :: DeviceManager:authenticationSocialSMA - start :
    yams INFO :: 2023-10-10 14:14:11:658 :: #541 :: provider : google
    yams INFO :: 2023-10-10 14:14:11:658 :: #541 :: accessToken : XXXXXXXXXXXXX
    yams INFO :: 2023-10-10 14:14:11:658 :: #541 :: regMethod : GOOGLE
    yams INFO :: 2023-10-10 14:14:11:658 :: #541 :: scope : registration
    yams INFO :: 2023-10-10 14:14:11:658 :: #541 :: ip : 192.168.10.1
    yams INFO :: 2023-10-10 14:14:11:972 :: #541 :: authenticateSocialSMA: the domain for this user (fortiUser) is not in the allowed list : fortilab.local
    yams INFO :: 2023-10-10 14:14:11:977 :: #541 ::
    Registration FAILED Authentication Failure fortiUser

     

    To resolve this, add the domain reported in the debug output (here 'fortilab.local') to both of the following sections:

     

    • Network -> Service Connectors -> Google Auth -> 'Allowed Domains'.
    • System -> Settings -> Allowed Domains.
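    As an added example (not part of this article or of FortiNAC itself), the following Python script parses output.master lines like those shown above, extracts the user, provider, client IP and domain from each 'not in the allowed list' failure, and reports which domains are still missing from the configured Allowed Domains lists. The SAMPLE_LOG content is constructed from the excerpt in this article; the regular expressions assume the line layout shown there.

```python
import re
from collections import defaultdict

# Constructed sample of FortiNAC output.master lines, modelled on this article's excerpt.
SAMPLE_LOG = """\
yams INFO :: 2023-10-10 14:14:11:658 :: #541 :: DeviceManager:authenticationSocialSMA - start :
yams INFO :: 2023-10-10 14:14:11:658 :: #541 :: provider : google
yams INFO :: 2023-10-10 14:14:11:658 :: #541 :: regMethod : GOOGLE
yams INFO :: 2023-10-10 14:14:11:658 :: #541 :: ip : 192.168.10.1
yams INFO :: 2023-10-10 14:14:11:972 :: #541 :: authenticateSocialSMA: the domain for this user (fortiUser) is not in the allowed list : fortilab.local
yams INFO :: 2023-10-10 14:14:11:977 :: #541 ::
Registration FAILED Authentication Failure fortiUser
"""

# Assumed layout: "yams LEVEL :: <date> <time> :: #<thread> :: <message>"
LINE_RE = re.compile(r"^yams \w+ :: (?P<ts>\S+ \S+) :: #(?P<thread>\d+) :: (?P<msg>.*)$")
# Context lines emitted earlier in the same thread ("provider : google", "ip : ...").
KV_RE = re.compile(r"^(?P<key>provider|regMethod|ip) : (?P<val>\S+)$")
# The line that identifies the rejected user and the domain that must be whitelisted.
DENIED_RE = re.compile(r"the domain for this user \((?P<user>[^)]+)\) is not in the allowed list : (?P<domain>\S+)")


def parse_social_auth_failures(log_text):
    """Return one dict per allowed-domain rejection, joined with its thread's context lines."""
    ctx = defaultdict(dict)  # thread id -> {"provider": ..., "regMethod": ..., "ip": ...}
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the bare "Registration FAILED ..." line
        thread, msg = m["thread"], m["msg"].strip()
        kv = KV_RE.match(msg)
        if kv:
            ctx[thread][kv["key"]] = kv["val"]
            continue
        d = DENIED_RE.search(msg)
        if d:
            failures.append({"time": m["ts"], "user": d["user"],
                             "domain": d["domain"].lower(), **ctx[thread]})
    return failures


def domains_to_add(failures, allowed_domains):
    """Domains from the failures that are absent from the Allowed Domains list (case-insensitive)."""
    allowed = {d.lower() for d in allowed_domains}
    return sorted({f["domain"] for f in failures if f["domain"] not in allowed})


if __name__ == "__main__":
    for f in parse_social_auth_failures(SAMPLE_LOG):
        print(f"{f['time']} user={f['user']} provider={f.get('provider')} ip={f.get('ip')} domain={f['domain']}")
    print("add to Allowed Domains:", domains_to_add(parse_social_auth_failures(SAMPLE_LOG), ["example.com"]))
```

    Pipe saved output.master text into parse_social_auth_failures() and pass the domains currently configured under System -> Settings -> Allowed Domains to domains_to_add() to get the exact entries to add.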

     

  2. Finally, the user is authenticated and registered by being associated with the host.

     

Access can then be controlled by Network Access Policies.

 

Related documentation:

Google authentication

Google Authentication for the Captive Portal
