Overview

What it Does

Using a valid SSL certificate for captive portal security will not completely eliminate certificate errors. If the host requests secure access using a URL such as https://www.google.com, the request is redirected to the FortiNAC captive portal over https. This maintains the https security level, but the certificate name will not match: the request was for google.com and the response comes from FortiNAC's address. The result is a trust mismatch, which the host interprets as a possible hijacking attempt.

Alternatively, if the host requests secure access using a URL such as https://www.google.com and FortiNAC did not maintain the https security level but returned http instead, the result would be an encryption error, because the request was https and the response was http. This general conundrum is well established among vendors who provide captive portals. See related links in the Appendix.

The only way to avoid such errors is to ensure that the browser initially attempts to access FortiNAC itself. Captive portal solutions address this issue: once the host is isolated, a browser window opens automatically and presents the captive portal page.
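
The name check behind the three outcomes described above, as an added example (not Fortinet code): a simplified model of how a browser compares the requested host name with the names in the responder's certificate. The portal name `nac.example.com`, the SAN list and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed values: a hypothetical portal certificate's dNSName entries.
PORTAL_SANS = ["nac.example.com", "*.portal.example.com"]

def name_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125-style check of one dNSName against the requested host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard only as the whole leftmost label, covering exactly one label,
        # and never directly under a top-level domain ("*.com").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def browser_verdict(requested_url: str, response_scheme: str, sans: list[str]) -> str:
    """Model what the host concludes when the portal answers in place of the site."""
    req = urlsplit(requested_url)
    if req.scheme != "https":
        return "ok"  # plain http request: no certificate is involved
    if response_scheme != "https":
        return "encryption error"  # https requested, http returned
    if any(name_matches(s, req.hostname) for s in sans):
        return "ok"
    return "certificate name mismatch"  # valid certificate, wrong name

if __name__ == "__main__":
    for url, scheme in [("https://www.google.com/", "https"),
                        ("https://www.google.com/", "http"),
                        ("https://nac.example.com/", "https")]:
        print(url, "answered over", scheme, "->", browser_verdict(url, scheme, PORTAL_SANS))
```

Only the third case, where the browser asks for the portal's own name, passes the check; the certificate being valid does not help in the first case because validity is evaluated against the name the host requested.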
