FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 194074

Description

 
This article explains why using a valid SSL certificate for captive portal security will not completely eliminate certificate errors.

If the host requests secure access using a URL such as https://www.google.com, the request is redirected to the FortiNAC captive portal over HTTPS. This maintains the HTTPS security level, but the certificate name will not match: the request was for google.com and the response comes from FortiNAC's address. The result is a trust mismatch, which the host interprets as a possible hijacking attempt.

Alternatively, if the host requests secure access using a URL such as https://www.google.com and FortiNAC does not maintain the HTTPS security level but returns HTTP instead, the result is an encryption error, because the request was HTTPS and the response was HTTP.

This general conundrum is well-established among vendors who provide captive portals, as these links indicate:


Solution

 

The only way to avoid such errors would be to ensure the browser attempts access to FortiNAC initially. 
Captive portal solutions address this issue: once the host is isolated, a browser window is automatically opened with the captive portal page presented. 
For details, refer to the Captive Network Assistant Reference Manual in the Fortinet Document Library. 
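
The name check behind both error cases described above, and the reason opening the portal's own address first avoids them, as an added example (not Fortinet code). The portal host names and the result labels are constructed for illustration, and the matcher is a simplified RFC 6125-style DNS-name comparison that ignores IP-address entries.

```python
from urllib.parse import urlsplit

# Constructed sample: DNS names on a hypothetical, publicly trusted portal certificate.
PORTAL_CERT_SANS = ["portal.example.com", "*.nac.example.com"]


def san_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with the host name the client asked for."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never covers more than one label
    if p_labels[0] == "*":
        # Wildcard must be the whole left-most label, with at least
        # two fixed labels after it (so "*.com" matches nothing).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def client_result(requested_url: str, answer_scheme: str, cert_sans: list) -> str:
    """What the client concludes when the portal answers in place of the site."""
    parts = urlsplit(requested_url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return "no_tls_checks"  # plain HTTP request: nothing to validate
    if answer_scheme != "https":
        return "tls_handshake_failed"  # client expected TLS, got plaintext
    if any(san_matches(name, host) for name in cert_sans):
        return "ok"
    # The certificate chains to a trusted CA but names a different host.
    return "certificate_name_mismatch"


if __name__ == "__main__":
    cases = [
        ("https://www.google.com/", "https"),          # redirected, HTTPS kept
        ("https://www.google.com/", "http"),           # answered in plain HTTP
        ("https://portal.example.com/login", "https"), # browser asked for the portal
    ]
    for url, scheme in cases:
        print(f"{url:40} answered over {scheme:5} -> "
              f"{client_result(url, scheme, PORTAL_CERT_SANS)}")
```
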

 

Related article:

Technical Note: Captive Portal does not automatically display when in isolation