Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SC_Alex
New Contributor II

Captive portal issue - fails to open auth page

Hello,

I read the topics here carefully, but could not find a working solution.

I have a FG-40F test unit and created a VLAN (99) on it with the pool 192.168.200.0/24; the FG has the address 192.168.200.1.
On this VLAN I set up the captive portal like this:

captive-vlan99.jpg

If I set the DNS service as exempt here, it disappears the next time I open the interface.

At this stage I use internal users created on the FG unit.
DNS is set to "Same as interface IP", so I assume it is 192.168.200.1.
I also added a policy that lets DNS go out for unauthenticated users (src = vlan, dst = wan):

policy.jpg

I also made a Let's Encrypt certificate for this domain and added a static DNS entry:

dns.jpg

The problem is that it behaves differently on different types of devices, and works only on iPhone, where opening some websites triggers the login window in the browser so I can authenticate. On Mac it also sometimes works through the browser.

But on Android I usually see:
1) The message:
ERR_NAME_NOT_RESOLVED

2) If I disable HTTPS authentication I do see the auth popup on Android, but with no content:

The web page at http://192.168.200.1:1000/fgtauth?02070a9b050b7540 could not be loaded because:

net::ERR_HTTP_RESPONSE_CODE_FAILURE


auth.jpg


The questions are:
1) How can I get the login page to appear when connecting to Wi-Fi on Apple | Android | Windows without any further action, as it usually works, and without opening a browser? The AP is a UniFi unit with the WLAN on VLAN 99, so the device gets its DHCP parameters from the FG fine.
2) How do I fix the Let's Encrypt certificate so the portal works over HTTPS without certificate warnings?

3 replies
AEK
SuperUser

Hi Alex,

For your first question, I think this post can help.

https://community.fortinet.com/t5/Support-Forum/Active-portal/td-p/303069

balibajar3
New Contributor

Side note, but Apple tech support is awesome. The person I spoke with was knowledgeable and did a great job helping me troubleshoot. It's really nice being able to just chat with them through iMessage at a moment's notice, I almost can't believe they do it for free considering how in-depth and responsive they were.

SC_Alex
New Contributor II

So far I have found:
1. The portal can use the LE certificate:
config firewall auth-portal
    set portal-addr "fqdn"
end
config user setting
    set auth-secure-http enable
    set auth-cert "LE"
end
2. Also, the portal's connectivity-check logic works a bit differently, so some addresses need to be opened as exempt-dst: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Stop-the-captive-portal-triggering-i...
3. The message ERR_NAME_NOT_RESOLVED on Android appears due to DoH. I could only partially disable it; the popup window still produces this message. It is also better to disable Safe Browsing in Chrome :)
So now I see an empty popup on Apple devices and a DNS error on Android, in the case of popup authentication windows.
4. Authentication works in the browser (Safari / Chrome), but to get a screen with the login form you have to enter the address 255.255.255.0, and this magic works :)
5. When the auth form opens, it looks like a popup with just login and password, without the design it normally has. I do not understand why.
IMG_CBEF66F38038-1.jpeg
I will check a couple of things later.
But this looks very strange anyway, since it is also impossible to use DNS redirection, as is done even on many much cheaper Mikrotik devices.
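The points above about OS connectivity checks (exempt-dst), DoH, and the redirect to the fgtauth URL come down to what each client expects from its probe request. The following is an added example, not code from this thread or from Fortinet: it emulates the Android, Apple and Windows connectivity probes and classifies the answer the way the OS does, so you can see from a client on VLAN 99 whether the portal is redirecting, whether the probe has been let through (no popup), or whether the name never resolved (the ERR_NAME_NOT_RESOLVED case). The probe URLs and expected bodies are the public OS defaults; the sample responses are constructed, with the redirect target taken from the fgtauth URL quoted in the thread, and the verdict names are this example's own.

```python
"""Captive-portal probe classifier (added example, not FortiGate code)."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional

# Public OS connectivity-check probes: (URL, expected status, expected body fragment).
PROBES = {
    "android": ("http://connectivitycheck.gstatic.com/generate_204", 204, ""),
    "apple": ("http://captive.apple.com/hotspot-detect.html", 200, "Success"),
    "windows": ("http://www.msftconnecttest.com/connecttest.txt", 200, "Microsoft Connect Test"),
}
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class ProbeResult:
    status: Optional[int]            # None when no HTTP reply was received
    location: Optional[str] = None   # Location header of a redirect, if any
    body: str = ""
    error: Optional[str] = None      # "dns", "timeout", "connect" or None


def classify(os_name: str, r: ProbeResult) -> str:
    """Verdict as the OS would see it: internet, portal, dns-failure, unreachable, broken."""
    _, expected_status, expected_body = PROBES[os_name]
    if r.error == "dns":
        # No HTTP request was ever sent, so nothing could be redirected. Typical
        # causes: the name was looked up over DoH / Private DNS instead of the
        # portal's DNS, or DNS is not exempt for unauthenticated clients.
        return "dns-failure"
    if r.error is not None or r.status is None:
        return "unreachable"
    if r.status in REDIRECT_CODES and r.location:
        # Redirect to the portal: this is what opens the OS sign-in sheet.
        return "portal"
    if r.status == expected_status and expected_body in r.body:
        # The probe reached the real server (e.g. it is on the exempt list), so
        # the OS assumes full connectivity and shows no popup at all.
        return "internet"
    if r.status == 200:
        # Unexpected 200 content (the portal page served inline) also counts as
        # a captive portal for the OS checks.
        return "portal"
    # An error status from the interceptor: consistent with the empty popup and
    # net::ERR_HTTP_RESPONSE_CODE_FAILURE reported in the thread.
    return "broken"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects; the redirect itself is the signal we want.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_live(os_name: str, timeout: float = 5.0) -> ProbeResult:
    """Send the real OS probe from this host and capture the raw answer."""
    url, _, _ = PROBES[os_name]
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return ProbeResult(resp.status, resp.headers.get("Location"),
                               resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # redirects and 4xx/5xx land here
        return ProbeResult(e.code, e.headers.get("Location"),
                           e.read().decode("utf-8", "replace"))
    except urllib.error.URLError as e:
        if isinstance(e.reason, socket.gaierror):
            return ProbeResult(None, error="dns")
        if isinstance(e.reason, (socket.timeout, TimeoutError)):
            return ProbeResult(None, error="timeout")
        return ProbeResult(None, error="connect")
    except (socket.timeout, TimeoutError):
        return ProbeResult(None, error="timeout")


# Constructed sample answers, one per situation discussed in the thread.
SAMPLES = {
    "android-redirected": ("android", ProbeResult(302, "http://192.168.200.1:1000/fgtauth?02070a9b050b7540")),
    "android-doh-name-fail": ("android", ProbeResult(None, error="dns")),
    "android-exempt": ("android", ProbeResult(204)),
    "apple-exempt": ("apple", ProbeResult(200, body="<HTML><BODY>Success</BODY></HTML>")),
    "windows-inline-portal": ("windows", ProbeResult(200, body="<html>login</html>")),
    "apple-error-status": ("apple", ProbeResult(503)),
}


def run_samples() -> Dict[str, str]:
    """Classify every constructed sample; returns {sample name: verdict}."""
    return {name: classify(os_name, r) for name, (os_name, r) in SAMPLES.items()}


if __name__ == "__main__":
    import sys
    for name, verdict in run_samples().items():
        print(f"{name:24s} -> {verdict}")
    if "--live" in sys.argv:  # run from a client on the captive VLAN
        for os_name in PROBES:
            print(f"live {os_name:8s} -> {classify(os_name, probe_live(os_name))}")
```

Run it with `--live` from a laptop on VLAN 99 before authenticating: "portal" for a probe means the FortiGate is redirecting it and the OS sheet should open; "internet" means that probe host is being let through (for example by an exempt-dst entry) so the OS will never show a popup; "dns-failure" means the lookup itself failed, which is what a client using DoH or Private DNS sees when the portal only intercepts plain DNS.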
