Technical Tip: Using secure authentication (HTTPS) on a FortiGate and redirecting the authentication page
This article explains how to use Secure authentication page on FortiGate.
When enabling Authentication (and/or Disclaimer) on a Firewall Policy, the FortiGate offers the option to redirect an HTTP authentication page to a Secure Channel (HTTPS). In this scenario, the authentication page is redirected to a new HTTPS port and to the ingress FortiGate IP address.
1 --------> User traffic hits a Firewall Policy with authentication and HTTPS redirect. 2 <------- Redirect with HTTPS port and IP address of port1. 3 --------> Authentication. 4 --------> Access to initial page requested .
In some instances, the FortiGate could be behind another router using a VIP, hence not reachable directly, or the administrator could want an FQDN name to be sent in place of an IP address
The network could now be as follow:
[ USER DEVICE ] ---- Internet -----[ Router] ---- port1 [ FortiGate ] -- Resources (private IP)
In this case, the solution is to change the redirection information.
1) By giving a DNS entry (that the FortiGate and the user's device must be able to resolve).
#config firewall policy edit <my_policy_ID> set auth-redirect-addr "my.fortigate.com" next end
In this first case, the URL that the user's browser will see is : https://my.fortigate.com:1003/ Note: URL, such as the example "my.fortigate.com", is not an external server, but points back to the FortiGate. This should be configured in the DNS server, or locally.
2) By specifying an IP address directly.
#config firewall policy edit <my_policy_ID> set auth-redirect-addr "the_public_Virtual_IP" next end
Reminder: The HTTPS redirect function and port can be configured from the following CLI commands:
#config user setting set auth-secure-http enable (default = disable) end
config system global set auth-https-port 1442 (default = 1003) end
In the case it is required to configure a different presented certificate, the parameter is:
#config user setting set auth-cert <auth-cert> set auth-ca-cert <auth-ca-cert>
In this case, auth-cert must be signed by auth-ca-cert in order not to trigger the untrusted certificate error, and the auth-ca-cert must be added to the browser. Also, the CA certificate used in the user setting should be the same used in the ssl-inspection profile.
In case it is required to use the Captive Portal for Guest Users with HTTPS, make sure that a certificate signed by a Public CA is used. Also make sure that Captive Portal detection on Client works. Otherwise the authentication page will come with the auth-ca-cert (which will obviously not be trusted by the client because it’s the private CA). Further details about Captive Portal detection can be found on this external page: