FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11ax, and the demand for plug and play deployment.
krajaa
Staff
Article Id 190392

Description


This article describes why a client device gets a certificate warning when it is redirected to a captive portal/authentication page while initially trying to access an HTTPS website.

 

Scope

 

FortiAP.


Solution


Because the captive portal/authentication page redirection involves hijacking the client's original TCP and HTTPS/HTTP request, it is similar to a man-in-the-middle attack, even though it is done with good intentions.

 

When captive portal authentication is enforced, the user receives the certificate of the FortiGate instead of the certificate of the requested site, so the browser shows a certificate warning because of the CN or SAN name mismatch. For HTTPS sites, because of the common name mismatch between the site requested by the client and the certificate provided by the controller during the captive portal redirection, a security warning may appear as follows:


 
 
If this error message appears, use the browser's advanced option to proceed and load the page.
 
A few sites and browsers support HTTP Strict Transport Security (HSTS), which allows the website to load only if all the certificate parameters match.
If this is the case, an error message appears that is impossible to override, as shown below:
 
 

 
 
 

Troubleshoot:

  • Browse to a different HTTP site and re-attempt user authentication. Once credentials have been accepted by the WLC/FortiGate, access to the blocked site will be possible.
  • Configure any HTTP page as the home page in the browser, so that whenever the user opens the browser, it automatically tries to access the HTTP site and is redirected to the captive portal/authentication page.
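
The two browser behaviours described above (a name-mismatch warning the user can bypass versus an HSTS error with no override) can be modelled as follows. This is an added example, not Fortinet code: the hostnames, the portal certificate names and the HSTS list are constructed, and the CN fallback is a simplifying assumption about legacy clients.

```python
# Added example. Hostnames, certificate names and HSTS entries are constructed.

def name_matches(pattern, host):
    """Compare one certificate name with the requested host (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label, never a bare TLD.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(host, cert):
    """SAN dNSName entries are authoritative; CN is used only when no SAN
    exists (assumption: legacy fallback, current browsers ignore CN)."""
    names = cert.get("san") or [cert.get("cn", "")]
    return any(name_matches(n, host) for n in names)

def hsts_applies(host, hsts):
    """hsts maps a known HSTS host to its includeSubDomains flag."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        # An exact match always applies; a parent only with includeSubDomains.
        if parent in hsts and (i == 0 or hsts[parent]):
            return True
    return False

def browser_outcome(host, cert, hsts):
    """Return 'ok', 'warning' (user may proceed) or 'blocked' (no override)."""
    if cert_matches(host, cert):
        return "ok"
    return "blocked" if hsts_applies(host, hsts) else "warning"

# Constructed data: the certificate the portal presents during redirection.
PORTAL_CERT = {"cn": "portal.lab.example", "san": ["portal.lab.example"]}
HSTS = {"bank.example": True, "news.example": False}

if __name__ == "__main__":
    for site in ("www.shop.example", "login.bank.example",
                 "www.news.example", "news.example", "portal.lab.example"):
        print(f"{site:22} -> {browser_outcome(site, PORTAL_CERT, HSTS)}")
```

A plain HTTP request never reaches this check because no certificate is exchanged, which is why the troubleshooting steps start from an HTTP site.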

 

Related article:

Troubleshooting Tip: Redirecting to a captive portal gets a certificate warning while the client dev...