Fortinet black logo

Administration Guide

Portal SSL

Copy Link
Copy Doc ID dc02a854-ab11-11ea-8b7d-00505692583a:333502
Download PDF

Portal SSL

SSL Security allows you to enable and disable SSL Security, and enter the fully qualified host name.

Using a valid SSL certificate for captive portal security will not completely eliminate certificate errors, as you might wish. For example, if the host requests secure access using a URL such as https://www.google.com, the request will be redirected to the captive portal for FortiNAC as https. This maintains the https security level, but ultimately the certificate name will not match (the request will be for google.com and the response will be from FortiNAC's address) so there is a trust mismatch and the host will translate this to a possible hijacking attempt.

Alternately, if the host requests secure access using a URL, such as https://www.google.com, and if FortiNAC did not maintain the security level of HTTPS and returned HTTP instead, this would lead to an encryption error because the request was HTTPS and the response was http.

Settings

Field

Definition

SSL Mode

Determines how the web traffic is directed when it reaches the captive portal. The available settings are:

  • Valid SSL Certificate: Directs web traffic from port 80 to port 443 and presents a CA-signed SSL certificate to the user.
  • Self-Signed SSL Certificate: Directs traffic from port 80 to port 443 and presents a self-signed SSL certificate to the user.
  • Disabled: Directs all traffic to port 80.

Enable Shibboleth Integration with mod_shib

Enables the use of the Shibboleth Apache module if it has been configured on the FortiNAC Server or Application Server.

This field does not display if Shibboleth is not configured on the server.

The file HTTPAuthSMAAuthenticate.jsp does not need to exist on a system that is configured correctly to interact with Shibboleth. The FortiNAC tom-cat portal is configured to map requests with URIs that include "/common/HTTPAuthSMAAuthenticate.jsp" to /common/SMAAuthenticate.jsp.

fully qualified Host Name

The fully qualified name of this appliance. If you have a FortiNAC Control Server and a FortiNAC Application Server pair, enter the fully qualified name of the FortiNAC Application Server.

Configure SSL security

There are two types of certificates used for the captive portal:

  • Valid SSL Certificate: Issued by a CA
  • Self-Signed SSL Certificate: generated by the FortiNAC.

These options control the security level of the portal used for registration, remediation, authentication, dead end, and quarantine contexts.

The web server listens on port 80 and port 443 for web traffic coming into the portal. The SSL Mode setting determines how the web traffic is directed when it reaches the captive portal. The available settings are:

  • Valid SSL Certificate: Directs web traffic from port 80 to port 443 and presents a CA signed valid SSL certificate to the user. The certificate should be in PEM format.
  • Self-Signed SSL Certificate: Directs traffic from port 80 to port 443 and presents a self-signed SSL certificate to the user.
  • Disabled: Directs all traffic to port 80.

If you choose to use the valid SSL certificate option you must obtain a certificate from a signing authority, such as, VeriSign. Until you have received your certificate, you can either use a self-signed SSL certificate or set the SSL option to Disabled. When you have received the certificate, you must upload it to the web server.

Disable SSL mode

SSL Mode can be disabled if necessary. All web traffic coming to the captive portal will be directed to port 80.

  1. Click System > Settings.
  2. Expand the Security folder.
  3. Select Portal SSL from the tree.
  4. Select Disabled from the drop-down menu in the SSL Mode field.
  5. Click Save Settings.
Apply a self-signed certificate

Self-signed certificates can be used to secure the captive portal and to secure communication between some Agents and the FortiNAC server until you purchase a Valid Third Party SSL certificate.

Note

All Mobile Agents and all Agents that are Version 3.x or higher require the use of a Valid Third Party certificate. A self-signed certificate cannot be used if any of these agents have been deployed.

Note

Do not click Generate CSR to create a self-signed certificate if you have already generated a request for a Valid Third Party SSL certificate from a CA. That process created a self-signed certificate on the FortiNAC server. Clicking Generate CSR again creates a new private key that will not match the certificate returned from the CA.

Use the existing self-signed SSL certificate

If you have generated the private key and the certificate request to obtain a certificate from a CA, a self-signed SSL certificate was generated at the same time. Use the self-signed certificate until the valid SSL certificate is returned from the CA.

  1. Click System > Settings.
  2. Expand the Security folder.
  3. Select Portal SSL from the tree.
  4. In the SSL panel select Self-Signed SSL Certificate from the drop-down menu in the SSL Mode field.
  5. Click Save Settings.
Generate a new self-signed SSL certificate

If you have never requested a certificate from a Certificate from a CA and you would like to use a self-signed certificate to secure the portal, follow the instructions below:

  1. Click System > Settings.
  2. Expand the Security folder.
  3. Select Portal SSL from the tree.
  4. In the SSL panel enter the fully qualified Host Name.

  5. Click Generate CSR .

  6. Enter the information for the Certificate in the dialog box. The Common Name must exactly match the name entered on the General tab.

  7. Click OK.

    The Success dialog appears with the private key and the certificate request.

  8. Click Close on the Success dialog.
  9. Click Save Settings.
Apply a third-party SSL certificate

To secure the admin UI with a trusted SSL certificate, see SSL certificates.

SSL certificates for servers in an L3 HA environment

In an L3 HA environment redundant servers are on separate subnets, they do not share an IP address nor do they share a host name. If you need to secure the captive portal or agent server communications in such an environment, there are two options.

Wild card certificates can be used in a high availability environment and the appropriate files will be replicated from the Primary to the Secondary server. Using a wild card certificate only the domain name is used and that portion of the fully qualified host name is the same for all servers, such as *.example.com.

However, in a high availability configuration where primary and secondary servers are on separate subnets (L3 HA) and you do not wish to use a wild card certificate, you must request and import a separate certificate with the fully qualified host name of each FortiNAC Server or FortiNAC Application server.

Portal SSL

SSL Security allows you to enable and disable SSL Security, and enter the fully qualified host name.

Using a valid SSL certificate for captive portal security will not completely eliminate certificate errors, as you might wish. For example, if the host requests secure access using a URL such as https://www.google.com, the request will be redirected to the captive portal for FortiNAC as https. This maintains the https security level, but ultimately the certificate name will not match (the request will be for google.com and the response will be from FortiNAC's address) so there is a trust mismatch and the host will translate this to a possible hijacking attempt.

Alternately, if the host requests secure access using a URL, such as https://www.google.com, and if FortiNAC did not maintain the security level of HTTPS and returned HTTP instead, this would lead to an encryption error because the request was HTTPS and the response was http.

Settings

Field

Definition

SSL Mode

Determines how the web traffic is directed when it reaches the captive portal. The available settings are:

  • Valid SSL Certificate: Directs web traffic from port 80 to port 443 and presents a CA-signed SSL certificate to the user.
  • Self-Signed SSL Certificate: Directs traffic from port 80 to port 443 and presents a self-signed SSL certificate to the user.
  • Disabled: Directs all traffic to port 80.

Enable Shibboleth Integration with mod_shib

Enables the use of the Shibboleth Apache module if it has been configured on the FortiNAC Server or Application Server.

This field does not display if Shibboleth is not configured on the server.

The file HTTPAuthSMAAuthenticate.jsp does not need to exist on a system that is configured correctly to interact with Shibboleth. The FortiNAC tom-cat portal is configured to map requests with URIs that include "/common/HTTPAuthSMAAuthenticate.jsp" to /common/SMAAuthenticate.jsp.

fully qualified Host Name

The fully qualified name of this appliance. If you have a FortiNAC Control Server and a FortiNAC Application Server pair, enter the fully qualified name of the FortiNAC Application Server.

Configure SSL security

There are two types of certificates used for the captive portal:

  • Valid SSL Certificate: Issued by a CA
  • Self-Signed SSL Certificate: generated by the FortiNAC.

These options control the security level of the portal used for registration, remediation, authentication, dead end, and quarantine contexts.

The web server listens on port 80 and port 443 for web traffic coming into the portal. The SSL Mode setting determines how the web traffic is directed when it reaches the captive portal. The available settings are:

  • Valid SSL Certificate: Directs web traffic from port 80 to port 443 and presents a CA signed valid SSL certificate to the user. The certificate should be in PEM format.
  • Self-Signed SSL Certificate: Directs traffic from port 80 to port 443 and presents a self-signed SSL certificate to the user.
  • Disabled: Directs all traffic to port 80.

If you choose to use the valid SSL certificate option you must obtain a certificate from a signing authority, such as, VeriSign. Until you have received your certificate, you can either use a self-signed SSL certificate or set the SSL option to Disabled. When you have received the certificate, you must upload it to the web server.

Disable SSL mode

SSL Mode can be disabled if necessary. All web traffic coming to the captive portal will be directed to port 80.

  1. Click System > Settings.
  2. Expand the Security folder.
  3. Select Portal SSL from the tree.
  4. Select Disabled from the drop-down menu in the SSL Mode field.
  5. Click Save Settings.
Apply a self-signed certificate

Self-signed certificates can be used to secure the captive portal and to secure communication between some Agents and the FortiNAC server until you purchase a Valid Third Party SSL certificate.

Note

All Mobile Agents and all Agents that are Version 3.x or higher require the use of a Valid Third Party certificate. A self-signed certificate cannot be used if any of these agents have been deployed.

Note

Do not click Generate CSR to create a self-signed certificate if you have already generated a request for a Valid Third Party SSL certificate from a CA. That process created a self-signed certificate on the FortiNAC server. Clicking Generate CSR again creates a new private key that will not match the certificate returned from the CA.

Use the existing self-signed SSL certificate

If you have generated the private key and the certificate request to obtain a certificate from a CA, a self-signed SSL certificate was generated at the same time. Use the self-signed certificate until the valid SSL certificate is returned from the CA.

  1. Click System > Settings.
  2. Expand the Security folder.
  3. Select Portal SSL from the tree.
  4. In the SSL panel select Self-Signed SSL Certificate from the drop-down menu in the SSL Mode field.
  5. Click Save Settings.
Generate a new self-signed SSL certificate

If you have never requested a certificate from a Certificate from a CA and you would like to use a self-signed certificate to secure the portal, follow the instructions below:

  1. Click System > Settings.
  2. Expand the Security folder.
  3. Select Portal SSL from the tree.
  4. In the SSL panel enter the fully qualified Host Name.

  5. Click Generate CSR .

  6. Enter the information for the Certificate in the dialog box. The Common Name must exactly match the name entered on the General tab.

  7. Click OK.

    The Success dialog appears with the private key and the certificate request.

  8. Click Close on the Success dialog.
  9. Click Save Settings.
Apply a third-party SSL certificate

To secure the admin UI with a trusted SSL certificate, see SSL certificates.

SSL certificates for servers in an L3 HA environment

In an L3 HA environment redundant servers are on separate subnets, they do not share an IP address nor do they share a host name. If you need to secure the captive portal or agent server communications in such an environment, there are two options.

Wild card certificates can be used in a high availability environment and the appropriate files will be replicated from the Primary to the Secondary server. Using a wild card certificate only the domain name is used and that portion of the fully qualified host name is the same for all servers, such as *.example.com.

However, in a high availability configuration where primary and secondary servers are on separate subnets (L3 HA) and you do not wish to use a wild card certificate, you must request and import a separate certificate with the fully qualified host name of each FortiNAC Server or FortiNAC Application server.