Overview
What it Does
Using a valid SSL certificate for captive portal security will not completely eliminate certificate
errors. If the host requests secure access using a URL such as https://www.google.com, the request
is redirected to the FortiNAC captive portal over https. This maintains the https security
level, but the certificate name will not match (the request was for google.com and the
response comes from FortiNAC's address), so there is a trust mismatch and the host will interpret
this as a possible hijacking attempt.
Alternatively, if the host requests secure access using a URL such as https://www.google.com, and
FortiNAC did not maintain the https security level but returned http instead, the result would be
an encryption error because the request was https and the response was http. This is a
well-known limitation shared by all vendors who provide captive portals. See related links in the
Appendix.
The only way to avoid such errors would be to ensure the browser attempts access to FortiNAC
initially. Captive portal solutions address this issue: once the host is isolated, a browser window is
automatically opened with the captive portal page presented.
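The following is an added example, not code from the FortiNAC documentation, that models the three outcomes described above: an intercepted https request answered by the portal with a certificate for its own name (name mismatch), an https request answered over http (protocol error), and a browser that contacts the portal's own name first (no error). The host names, the portal URL and the SAN list are constructed placeholders; the wildcard matching is a simplified version of the RFC 6125 rule browsers apply.

```python
# Added example, not part of the FortiNAC documentation: a model of why an
# intercepted HTTPS request produces a certificate error even when the portal
# presents a valid certificate. All host names below are constructed placeholders.
from typing import List
from urllib.parse import urlparse


def hostname_matches(requested_host: str, cert_sans: List[str]) -> bool:
    """Simplified RFC 6125 check: the requested name must equal a SAN entry, or
    match a wildcard SAN whose '*' covers exactly one leading label."""
    host = requested_host.lower().rstrip(".")
    for san in cert_sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and host.endswith(san[1:]) \
                and host.count(".") == san.count("."):
            return True
    return False


def intercept_outcome(requested_url: str, portal_url: str,
                      portal_cert_sans: List[str]) -> str:
    """Classify what the browser sees when a captive portal answers in place of
    the site the user asked for.

    Returns one of:
      'plain_redirect' - the request was http, so no certificate is checked
      'protocol_error' - the request was https but the portal answered over http
      'name_mismatch'  - https preserved, but the certificate is for the portal,
                         not for the requested site (the case the text describes)
      'ok'             - the browser asked for the portal's own name directly
    """
    req = urlparse(requested_url)
    portal = urlparse(portal_url)
    if req.scheme == "http":
        return "plain_redirect"
    if req.scheme != "https":
        raise ValueError("unsupported scheme: %r" % req.scheme)
    if portal.scheme != "https":
        return "protocol_error"
    if hostname_matches(req.hostname or "", portal_cert_sans):
        return "ok"
    return "name_mismatch"


if __name__ == "__main__":
    portal = "https://nac.example.com/portal"   # constructed portal address
    sans = ["nac.example.com"]                  # SANs on the portal's certificate
    for url in ("https://www.google.com/", "http://www.google.com/", portal):
        print(url, "->", intercept_outcome(url, portal, sans))
    print("https://www.google.com/ via http portal ->",
          intercept_outcome("https://www.google.com/",
                            "http://nac.example.com/portal", sans))
```

The only input that yields `ok` is a request whose host name is already covered by the portal's certificate, which is exactly why automatic portal launch (below) matters: it makes the first request go to the portal's own address.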
How it Works
Launching the Portal
When a computer connects to the network, requests are sent to certain sites (depending upon the
operating system). If the response is anything other than what is expected, it is assumed there is
no internet connection. The captive portal automatically launches (presenting the FortiNAC
portal) and the user is notified that they are in a Captive Network. Once the captive portal
launches, the user enters information to register.
There are different captive portal detection solutions depending upon the operating system:
Microsoft and Android - Captive Portal Detection (uses full browser)
iOS and macOS - Captive Network Assistant (CNA) (uses mini browser)
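As an added illustration, not code from the FortiNAC documentation, the block below models the probe check described above: the operating system fetches a known URL, compares the answer with what it expects, and treats a redirect or any unexpected status or body as a sign that it is behind a captive portal. The probe hosts, expected bodies and the portal address are constructed stand-ins, not any vendor's real endpoints; the three probe styles (status-only, plain-text body, HTML body) are chosen to show why the expected response, and therefore the end user experience, differs between operating systems.

```python
# Added example, not part of the FortiNAC documentation: a minimal model of the
# connectivity probe an operating system runs after joining a network. The probe
# hosts and expected bodies are constructed stand-ins, not any vendor's real endpoints.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Probe:
    url: str
    expect_status: int
    expect_body: str = ""   # empty string: body is not compared


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


@dataclass
class Verdict:
    state: str                        # 'online', 'captive' or 'offline'
    portal_url: Optional[str] = None  # where a redirect pointed, if any


# Constructed probe set with hypothetical hosts.
PROBES = {
    "status-only": Probe("http://connectivity.example.net/generate_204", 204),
    "text-body": Probe("http://connecttest.example.net/connecttest.txt", 200,
                       "Connect Test"),
    "html-body": Probe("http://hotspot.example.net/detect.html", 200,
                       "<HTML><BODY>Success</BODY></HTML>"),
}


def classify(probe: Probe, resp: Optional[Response]) -> Verdict:
    """Decide whether the network is open, behind a captive portal, or down.

    None models no answer at all (connection failure). A redirect, or any body
    or status other than the one the probe expects, is treated as interception,
    which is what triggers the portal window to open.
    """
    if resp is None:
        return Verdict("offline")
    location = resp.header("Location")
    if 300 <= resp.status < 400 and location:
        return Verdict("captive", location)
    body_ok = not probe.expect_body or resp.body.strip() == probe.expect_body
    if resp.status == probe.expect_status and body_ok:
        return Verdict("online")
    return Verdict("captive")


if __name__ == "__main__":
    # Constructed responses: one clean answer, one redirect to a portal, one
    # login page served in place of the expected text, and one failed connection.
    samples = [
        ("status-only", Response(204, {})),
        ("status-only", Response(302, {"Location": "https://nac.example.com/portal"})),
        ("text-body", Response(200, {"Content-Type": "text/html"}, "<html>Log in</html>")),
        ("html-body", None),
    ]
    for name, resp in samples:
        print(name, "->", classify(PROBES[name], resp))
```

Note that the body comparison is exact after stripping whitespace: a portal that rewrites or appends to the expected page is detected just as a redirect is, and a probe that checks only the status code cannot tell a genuine 204 from one a portal chose to return.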
Note the following:
When enabled, this feature applies to all portals. It cannot be enabled on a per-portal
basis.
This feature should not be used together with Endpoint Compliance Policies for Mac
computers. Since macOS launches a mini browser, users cannot download items, such as
the agent, from within the Captive Network Assistant.
The domains used to determine whether or not to launch the browser differ by operating system (see Edit the
Allowed Domains List). In addition, the end user experience can vary between vendors and
operating systems.
This feature runs only a limited scope of JavaScript, and HTML requests will not open a
new browser window. Clicking a link while using this feature replaces the current
browser window with the new one.