Captive Portal issue for Users Over Site to Site IPSec VPN
branch user --> 80F FW ==> IPSEC VPN ==> 1100E FW ==> Captive Portal ==> Internet
Common issue with the example scenario:
A common issue when configuring Captive Portal for this sample scenario is that Captive Portal does not work perfectly for VPN users behind the 80F FW that come over the site-to-site IPSec VPN to the 1100E FW in order to access the internet. Common symptoms are:
- Site-to-site VPN is up and working
- Captive Portal works perfectly for local users behind the 1100E FW
- Captive Portal works for local users behind the 80F FW, but some images on the web Captive Portal do not appear perfectly
Labels: FortiGate
Hello,
Regarding this:
- Captive Portal works for local users behind 80F FW but some images on Web Captive Portal do not appear perfectly
Is it only about the images not appearing perfectly, or does the user not get to authenticate as well?
If it is about imperfections in the images, please try to inspect the page by right-clicking in the browser and checking under the Network tab; reload the page and check if you see any errors.
Personally I'm not a big fan of Captive Portals, unless they are there for some reason, like a Disclaimer page or an email collector on the FGT. Especially as they usually affect all the traffic passing through the interface, and handling exceptions is a bit painful. So I prefer per-policy identity and authentication handling, which allows me to use stuff like FSSO, auth session inheritance (e.g. from VPN) so users do not need to authenticate multiple times, etc.
Another thing is that Captive Portals are usually on the ingress side (as below), not on egress.
Users - PC - Captive portal - interface - FGT...
Not sure I'd clearly connect missing images to the captive portal. How about getting some more solid proof via debug, at least something like 'flow debug'? It could even be filtered to a specific site or image source, in case the issue is at least somehow reproducible and not completely random and intermittent.
If you have some evidence, then I'd suggest opening a TAC ticket on it.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
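One way to collect the filtered 'flow debug' evidence suggested above, as an added example that is not part of the original posts. It is meant to be run on the 1100E CLI while a branch user reloads the portal page; the address 203.0.113.10 is a constructed placeholder for the host serving the missing image, and the `#` lines are annotations, not commands.

```fortios
# Start from a clean debug state so old filters do not hide traffic
diagnose debug reset
diagnose debug flow filter clear

# Limit the trace to the image source (placeholder address) and HTTPS
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow filter port 443

# Show which kernel function and which policy lookup handled each packet
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable

# Trace the next 100 matching packets, then reproduce the page load
diagnose debug flow trace start 100
diagnose debug enable

# When the page has finished loading, stop and clean up
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

Compare the policy id and the accept or deny decision logged for the image requests with those of a request that loads correctly; that output is the kind of evidence to attach to a TAC ticket.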
