Created on 05-20-2019 07:28 AM Edited on 12-06-2023 03:13 AM By Jean-Philippe_P
Description
This article describes the cause of the certificate warning when the client device initially attempts to access an HTTPS website before being redirected to the captive portal page.
Scope
KB Article Type – Design.
Related Products - FortiGate, FortiAuthenticator, FortiWLC, FortiAP.
Related Software Versions - All S/W versions.
Keywords – Captive portal, certificate warnings, HTTPS, HSTS.
Solution
Captive portal authentication works by redirecting the client's initial connection attempt to a webpage on to the captive portal provider's login page. This is essentially a hijacking of the client's original request, so in execution it resembles a man-in-the-middle attack and may trigger the same kind of warnings.
For HTTPS sites, the common name of the certificate presented by the gateway/captive portal provider during the redirection does not match the site the client requested, so a security warning may appear as follows:
If this error message (or similar ones) appears, simply proceed by selecting Advanced and then 'Proceed' to load the captive portal page.
Increasingly, browsers and websites support HTTP Strict Transport Security (HSTS). HSTS instructs the browser to reach that site only over a properly validated HTTPS connection; because the redirect to the captive portal presents a different certificate than the one expected for the site, the browser refuses to connect, and the resulting error cannot be overridden.
If this is the case, an error message as shown below may appear:
If this message appears, the captive portal cannot be triggered from that site. The only option is to visit a different, non-HSTS web page to trigger the redirect again, and then authenticate to the captive portal provider.
The easiest way to avoid certificate warnings and HSTS blocks altogether is to connect to a captive portal test page.
Many browsers and operating systems have built-in captive portal detection: they fetch a plain-HTTP test page and, if the response is a redirect rather than the expected content, conclude that a captive portal is present and either open the login page or show a notification that sign-in is required.
If the captive portal is not detected automatically, manually accessing the test pages should trigger the captive portal without any certificate errors.
Some of the most common test pages:
http://detectportal.firefox.com/canonical.html
http://captive.apple.com/hotspot-detect.html
http://www.apple.com/library/test/success.html
http://connectivitycheck.gstatic.com/generate_204
http://clients3.google.com/generate_204
http://nmcheck.gnome.org/check_network_status.txt
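The following is an added example (not part of the original article or a Fortinet tool) that performs the same check a browser does: it fetches each plain-HTTP test page without following redirects and classifies the answer. The expected status/body per page is an assumption based on the endpoints' commonly documented behaviour.

```python
"""Probe the plain-HTTP captive-portal test pages and classify the answer."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Expected (status, body fragment) per test page. These are assumptions based
# on the endpoints' commonly documented behaviour, not values from the article.
TEST_PAGES = {
    "http://connectivitycheck.gstatic.com/generate_204": (204, ""),
    "http://clients3.google.com/generate_204": (204, ""),
    "http://captive.apple.com/hotspot-detect.html": (200, "Success"),
    "http://www.apple.com/library/test/success.html": (200, "Success"),
    "http://nmcheck.gnome.org/check_network_status.txt": (200, "NetworkManager is online"),
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 30x responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(url, status, headers, body):
    """Return (verdict, reason); verdict is 'online' or 'captive'."""
    expected_status, expected_body = TEST_PAGES[url]
    if 300 <= status < 400:
        # A redirect away from the test page is the classic portal signature.
        location = headers.get("Location", "")
        host = urlparse(location).hostname or location
        return "captive", f"redirected to {host}"
    if status == expected_status and expected_body in body:
        return "online", "expected response received"
    # Portals that serve their login page with a 200 are caught here.
    return "captive", f"unexpected {status} response"


def probe(url, timeout=5):
    """Fetch one test page over plain HTTP, so neither TLS nor HSTS applies."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify(url, resp.status, resp.headers, body)
    except urllib.error.HTTPError as err:  # raised for 30x/4xx/5xx
        return classify(url, err.code, err.headers, err.read().decode("utf-8", "replace"))
    except OSError as err:  # DNS failure, refused connection, timeout
        return "unknown", f"connection failed: {err}"


if __name__ == "__main__":
    for page in TEST_PAGES:
        print(page, *probe(page))
```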
After authentication, all webpages (including HSTS webpages) should be accessible in line with configured security profiles.
Copyright 2024 Fortinet, Inc. All Rights Reserved.