FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 192673
Description
The portal does not appear automatically when a host is isolated.

This article provides steps to troubleshoot the Captive Network Assistant (CNA) and Captive Portal Detection features.

Scope
Version: 8.x

Solution

When a computer connects to the network, it sends requests to certain sites (which sites depends on the operating system). If the response is anything other than what is expected, the operating system assumes there is no internet connection. The captive portal then launches automatically and the user is notified that they are in a Captive Network. Once the captive portal launches, the user enters information to register.



1. Refer to the Enable Captive Network Assistant reference manual in the Fortinet Document Library for a list of domains each operating system uses.

2. Navigate to System > Settings > Control > Allowed Domains and verify these domains are not present in the list.  

3. If any of these domains are found, delete them and then save the settings.

4. Reboot phone to flush DNS cache and reconnect.


If problems persist, refer to applicable section below.



iOS and macOS:

1. Verify the isolated host is sending requests to hotspot-detect.html or library/test/success.html. In the Server/Application Server CLI type:
grep <isolation IP address of host> /bsc/logs/apache/access_log | egrep -i "hotspot-detect.html|library/test/success.html"

2. Confirm that a 302 is sent in response.  The test device should receive an automatic popup of the CNA.

     

Windows:
1. Verify the isolated host is sending requests to ncsi.txt. In the Server/Application Server CLI type:
grep <ip address of host> /bsc/logs/apache/access_log | grep -i "ncsi.txt"

2. Confirm that a 302 is sent in response.  The test device should receive an automatic popup of the CNA.

     

Android:
1. Verify the isolated host is sending HTTP requests to either generate_204 or gen_204. In the Server/Application Server CLI type:
grep <isolation IP address of host> /bsc/logs/apache/access_log | egrep -i "generate_204|gen_204"

2. Confirm that a 302 is sent in response to one of the requests.  The test device should receive an automatic popup of the CNA.


Test that the device receives a notification about isolation from the system, and not an app like Facebook Messenger, as some apps implement their own check.
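
The per-OS checks above (probe request seen, 302 returned) can be combined into one pass over the log. This is an added example, not Fortinet code: the function names are hypothetical, the sample lines are constructed, and it assumes access_log uses the Apache common log format (client IP in the first field, status code after the quoted request). Unlike a plain grep, it matches the IP exactly, so 10.10.20.1 does not also match 10.10.20.15.

```shell
#!/bin/sh
# Added example (not from the original article); function names are hypothetical.
# Assumption: Apache common/combined log format, client IP in field 1.

# cna_sample_log: constructed log lines for trying the functions offline.
cna_sample_log() {
    cat <<'EOF'
10.10.20.15 - - [01/Jan/2024:10:00:01 +0000] "GET /generate_204 HTTP/1.1" 302 210
10.10.20.15 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.10.20.1 - - [01/Jan/2024:10:00:03 +0000] "GET /ncsi.txt HTTP/1.1" 200 14
10.10.20.7 - - [01/Jan/2024:10:00:04 +0000] "GET /hotspot-detect.html HTTP/1.0" 302 210
EOF
}

# cna_probe_status <host-ip> <access_log>
# Prints one line per captive-portal probe from the host: "<os> <status> <path>"
cna_probe_status() {
    awk -v ip="$1" '
    $1 == ip {
        # Split on double quotes: q[2] is the request line, q[3] begins with the status.
        if (split($0, q, "\"") < 3) next
        split(q[2], req, " ")     # method, path, protocol
        split(q[3], rest, " ")    # status, bytes
        path = tolower(req[2]); os = ""
        if (path ~ /hotspot-detect\.html|library\/test\/success\.html/) os = "ios-macos"
        else if (path ~ /ncsi\.txt/) os = "windows"
        else if (path ~ /generate_204|gen_204/) os = "android"
        if (os != "") print os, rest[1], req[2]
    }' "$2"
}

# cna_check <host-ip> <access_log>
# Exit 0: at least one probe was answered with a 302.
# Exit 1: probes were seen but none got a 302.
# Exit 2: no probe requests from this host appear in the log.
cna_check() {
    out=$(cna_probe_status "$1" "$2")
    if [ -z "$out" ]; then
        echo "no probe requests from $1 in $2"
        return 2
    fi
    echo "$out"
    echo "$out" | awk '$2 == "302" { ok = 1 } END { exit (ok ? 0 : 1) }'
}
```

On the appliance, the call would be cna_check <isolation IP address of host> /bsc/logs/apache/access_log.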



Captive Portal appears automatically but blank white screen is displayed
This can occur when the server to which the phone was redirected is considered unreachable.   

Solution: Modify the Web Service Definition for Android and update the target to reflect the Portal FQDN defined under System Settings > Security > Portal SSL.



Further Troubleshooting

If behavior persists, take a packet capture from FortiNAC (viewable via Wireshark).

1. Start a packet capture on eth1, filtering on DNS. In the Server/Application Server CLI type:

tcpdump -s 0 -w AndroidCNA.cap -i eth1 '(port 53)'

2. Reboot the phone to ensure DNS is flushed.

3. Reconnect the phone.

4. Once the phone is connected and no pop-up occurs, press Ctrl-C to stop the capture.

5. Download the capture from the appliance using WinSCP or a similar application. Specify the SCP protocol.

6. Attach the capture to the support ticket and provide the test phone's IP address.






Related Articles

Technical Note: Samsung Android Web Service Definition Target URL displays incorrectly
