FortiAP
FortiAP devices are thin wireless access points (APs) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4) as well as 802.11n and 802.11ax, and meeting the demand for plug-and-play deployment.
mp2 (Staff)
Article Id 191375

Description

This article describes the cause of the certificate warning that appears when a client device first attempts to access an HTTPS website before being redirected to the captive portal page.

Scope

KB Article Type - Design.
Related Products - FortiGate, FortiAuthenticator, FortiWLC, FortiAP.
Related Software Versions - All S/W versions.
Keywords - Captive portal, certificate warnings, HTTPS, HSTS.


Solution

Captive portal authentication works by redirecting the client's connection attempt to a webpage served by the captive portal provider. This is essentially a hijacking of the client's original request, so in execution it resembles a man-in-the-middle attack and may trigger the same warnings in the browser.


For HTTPS sites, the common name of the certificate presented by the gateway/captive portal provider during the redirection does not match the site the client requested, so a security warning such as the following may appear:

[Screenshot: browser certificate warning shown when the HTTPS request is intercepted by the captive portal]
If this error message (or a similar one) appears, proceed by selecting 'Advanced' and then 'Proceed' to load the captive portal page.

Increasingly, browsers and webpages support HTTP Strict Transport Security (HSTS). HSTS defines exactly which certificate the browser expects for a web page; because the redirect to the captive portal presents a different one, the browser refuses to connect, and the resulting error message cannot be overridden.

If this is the case, an error message as shown below may appear:

[Screenshot: non-overridable HSTS certificate error in the browser]

If this message appears, the captive portal cannot be triggered from this page. The only option is to visit a different, non-HSTS web page to trigger the redirect again, and then authenticate to the captive portal provider.
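To make the HSTS behaviour described above concrete, the following Python model (added here as an illustration; it is not FortiGate, FortiAP or browser code) shows how a browser keeps an HSTS cache and decides whether a certificate mismatch caused by a captive portal redirect can be overridden. Header parsing follows the Strict-Transport-Security syntax of RFC 6797; the host names (example.com and others) and the fixed clock value are constructed for the example.

```python
"""Model of a browser's HSTS cache and its effect on captive portal redirects.
Added example, not Fortinet or browser code. Hosts and clock values are constructed."""
from dataclasses import dataclass
import time


@dataclass
class HstsEntry:
    expires_at: float          # absolute time after which the entry is ignored
    include_subdomains: bool   # set by the includeSubDomains directive


def parse_hsts_header(value: str):
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Returns (max_age_seconds, include_subdomains), or None when the mandatory
    max-age directive is missing or malformed (the browser then ignores the header).
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Per-browser memory of hosts that must only be reached over valid HTTPS."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so tests are deterministic
        self._entries = {}

    def remember(self, host: str, header_value: str) -> bool:
        """Record an HSTS header seen on a valid HTTPS response. max-age=0 forgets the host."""
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)
            return True
        self._entries[host] = HstsEntry(self._now() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        """True if host (or a parent domain with includeSubDomains) has an unexpired entry."""
        now = self._now()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def classify_redirect(cache: HstsCache, requested_host: str, cert_matches_host: bool) -> str:
    """Outcome when a captive portal intercepts an HTTPS request to requested_host.

    'no-warning'          - certificate matches, nothing to show
    'overridable-warning' - mismatch on a non-HSTS host: user may click through
    'blocked'             - mismatch on an HSTS host: browser refuses, no override
    """
    if cert_matches_host:
        return "no-warning"
    if cache.is_known(requested_host):
        return "blocked"
    return "overridable-warning"


if __name__ == "__main__":
    cache = HstsCache(now=lambda: 1000.0)
    cache.remember("example.com", "max-age=31536000; includeSubDomains")
    print(classify_redirect(cache, "www.example.com", cert_matches_host=False))  # blocked
    print(classify_redirect(cache, "plain.test", cert_matches_host=False))       # overridable-warning
```

The model also explains the workaround in the article: the decision depends only on whether the requested host is in the cache, so a request to a host the browser has never seen an HSTS header for falls into the overridable case.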

The easiest way to avoid certificate warnings and HSTS errors is to connect to a captive portal test page.

Many browsers and operating systems have built-in captive portal detection: they request a known HTTP test page and, if they receive a redirect instead of the expected content, conclude that a captive portal is present and may open the login page, or show a notice that further credentials are needed, on their own.

If the captive portal is not detected automatically, manually accessing one of the test pages should trigger the captive portal without any certificate errors.

Some of the most common test pages:

http://detectportal.firefox.com/canonical.html
http://msftncsi.com/ncsi.txt
http://captive.apple.com/hotspot-detect.html
http://www.apple.com/library/test/success.html
http://connectivitycheck.gstatic.com/generate_204
http://clients3.google.com/generate_204
http://nmcheck.gnome.org/check_network_status.txt
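As an added illustration (not Fortinet code), the following Python script does what the built-in probes described above do: it requests one of the test URLs over plain HTTP without following redirects, then compares the status, the Location header and the body with what that probe is expected to return. The expected bodies in PROBES are assumptions about what these pages normally serve, not values taken from this article; the raw responses in the SAMPLE_* constants are constructed so the classification can be exercised offline. live_probe() performs a real request when run on a network.

```python
"""Captive portal detection as performed by OS/browser probes.
Added example, not Fortinet code. Expected bodies are assumptions; SAMPLE_* responses are constructed."""
import urllib.error
import urllib.request

# Expected answer for each probe URL: (status, substring the body must contain, or None).
# Any other answer means something on the path answered instead of the real server.
PROBES = {
    "http://connectivitycheck.gstatic.com/generate_204": (204, None),
    "http://clients3.google.com/generate_204": (204, None),
    "http://msftncsi.com/ncsi.txt": (200, "Microsoft NCSI"),            # assumed body
    "http://detectportal.firefox.com/canonical.html": (200, "success"), # assumed body
    "http://captive.apple.com/hotspot-detect.html": (200, "Success"),   # assumed body
    "http://www.apple.com/library/test/success.html": (200, "Success"), # assumed body
    "http://nmcheck.gnome.org/check_network_status.txt": (200, "NetworkManager is online"),  # assumed body
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_probe(url, status, headers, body):
    """Return ("online", None), ("captive", portal_url) or ("captive", None).

    A redirect exposes the portal URL in Location; a wrong status or a 200 with
    foreign content (the portal page served in place of the probe) is also captive.
    """
    expected_status, expected_body = PROBES[url]
    headers = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_CODES and headers.get("location"):
        return "captive", headers["location"]
    if status != expected_status:
        return "captive", None
    if expected_body is not None and expected_body not in body:
        return "captive", None
    return "online", None


def parse_http_response(raw: bytes):
    """Minimal HTTP/1.x response parser: (status, lowercased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


# Constructed sample responses to a generate_204 probe.
SAMPLE_ONLINE = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: http://portal.example.invalid/login\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_INTERCEPT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<html><body>Please log in to the network</body></html>")


def live_probe(url, timeout=5):
    """Real probe: one request, redirects NOT followed so the Location header is visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for the 3xx
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        status, headers, body = resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, headers, body = err.code, dict(err.headers), err.read().decode("utf-8", "replace")
    return classify_probe(url, status, headers, body)


if __name__ == "__main__":
    url = "http://clients3.google.com/generate_204"
    for sample in (SAMPLE_ONLINE, SAMPLE_REDIRECT, SAMPLE_INTERCEPT):
        print(classify_probe(url, *parse_http_response(sample)))
```

Because the probe URLs are plain HTTP and are not HSTS hosts, the portal can redirect them without any certificate being involved, which is exactly why visiting one of them manually avoids the warnings described earlier.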

After authentication, all webpages (including HSTS webpages) should be accessible in line with the configured security profiles.