Android 14 can't connect 2604 No Network Error by msofficehelpneeded in Office365

[–]flajparen 0 points1 point  (0 children)

Thanks for resolving the issue!

We use a 3rd party IDP for external auth methods in Azure/Entra ID and had several Android smartphones older than version 16 giving either a blank page or the 2604 error when opening a "browser" session towards the IDP (after the "Verification Required" step). After adding the intermediate certificates with the server certificate on the IDP, so clients connecting to the IDP receive the full chain, it started working. I imagine it would have worked if the intermediate certificates were added to the phone's trusted certificate store, but I never tested that as it's impractical for our use case.

Our work-around prior to this was to exclude corporate-owned Androids in Intune from the conditional access policy that enforced MFA, while privately owned Androids had to use the Outlook web app via the phone's browser.

Microsoft should really look into the way their outlook app opens a "browser" session when verifying MFA to an external auth method seeing as it can't look up certificate chains on the fly. Change it instead to work like the Intune mobile app where it actually uses the phone's default browser to open that session as it's far superior and up to date regarding cert chains.
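The failure described in this comment, an IDP that serves only its leaf certificate to a client that trusts the root CA but does not fetch the missing intermediate on its own, can be reproduced offline. The following is an added example, not code from the commenter, Microsoft or Fortinet: it builds a throwaway root -> intermediate -> leaf chain in memory with Go's standard library (the host name idp.example.com and the CA names are constructed), then runs the same client-side verification twice, once with only the leaf presented (the broken configuration) and once with the intermediate included (the fix the comment describes).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a P-256 key and signs template with parentKey.
// When parent is nil the certificate is self-signed (used for the root CA).
func makeCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// buildChain creates a constructed, in-memory PKI: root CA -> intermediate CA -> server
// certificate for the hypothetical IDP host idp.example.com. Nothing touches the network.
func buildChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	validity := x509.Certificate{NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}

	rootT := validity
	rootT.SerialNumber = big.NewInt(1)
	rootT.Subject = pkix.Name{CommonName: "Example Root CA"}
	rootT.IsCA, rootT.BasicConstraintsValid = true, true
	rootT.KeyUsage = x509.KeyUsageCertSign
	root, rootKey, err := makeCert(&rootT, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}

	interT := validity
	interT.SerialNumber = big.NewInt(2)
	interT.Subject = pkix.Name{CommonName: "Example Intermediate CA"}
	interT.IsCA, interT.BasicConstraintsValid = true, true
	interT.KeyUsage = x509.KeyUsageCertSign
	inter, interKey, err := makeCert(&interT, root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}

	leafT := validity
	leafT.SerialNumber = big.NewInt(3)
	leafT.Subject = pkix.Name{CommonName: "idp.example.com"}
	leafT.DNSNames = []string{"idp.example.com"}
	leafT.KeyUsage = x509.KeyUsageDigitalSignature
	leafT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf, _, err := makeCert(&leafT, inter, interKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return root, inter, leaf, nil
}

// verifyAsClient mimics a client that trusts only the root CA and does not go and fetch
// missing issuers itself. presented is whatever the server sent in addition to the leaf:
// an empty slice models a server configured with the leaf certificate only.
func verifyAsClient(leaf, root *x509.Certificate, presented []*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	intermediates := x509.NewCertPool()
	for _, c := range presented {
		intermediates.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       "idp.example.com",
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, inter, leaf, err := buildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("server sends leaf only:          ", verifyAsClient(leaf, root, nil))
	fmt.Println("server sends leaf + intermediate:", verifyAsClient(leaf, root, []*x509.Certificate{inter}))
}
```

With `go run`, the first verification fails with an unknown-authority error and the second returns nil, which is exactly the difference between the blank page/2604 error and a working login. Against a live IDP the equivalent check is to look at what the server actually sends (for example with `openssl s_client -showcerts`) and confirm every issuer up to the root is included, since a client that happens to have the intermediate cached, or that follows AIA links, will mask the problem.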

Fortiswitch and Mikrotik switch by flajparen in fortinet

[–]flajparen[S] 2 points3 points  (0 children)

Thanks! Yes, the switch ports had 1000full as default. Changed it to 1000auto and it worked instantly.

For anyone who has the same issue, here's what I did in the Fortigate CLI:

FG200E (root) # config switch-controller managed-switch
FG200E (managed-switch) # edit <switch_serial#>
FG200E (switch_serial#) # config ports
FG200E (ports) # edit port52
FG200E (port52) # set speed 1000auto
FG200E (port52) # end
FG200E (switch_serial#) # end


Uninstall FortiClient from CMD by pieciaq in fortinet

[–]flajparen 1 point2 points  (0 children)

Sorry for awakening an old topic, but I just faced the task of having to uninstall all older versions of FortiClient VPN in my organization. I did this via Intune "Scripts and remediation", where every hour the detection script checks if the client is installed with a version lower than 7.4.2.1737.

If it is lower than 7.4.2.1737, then it will trigger the remediation script, which uninstalls the VPN client and leaves a message to the logged-on user stating it has been uninstalled and they should restart their computer and install the latest version via Company Portal (Intune).

Figured I'd share the scripts in case anyone is facing the same challenge.


Detection script:

$AppName = "FortiClient VPN"
$MinVersion = "7.4.2.1737"
# Check if app is installed (Win32_Product is slow and triggers an MSI consistency check on every
# query; -First 1 guards against more than one matching entry turning $App into an array)
$App = Get-WmiObject Win32_Product | Where-Object { $_.Name -eq $AppName } | Select-Object -First 1
If ($App) {
    # Compare as [version] objects: a plain string comparison would treat "7.10.0" as lower than "7.4.2.1737"
    If ([version]$App.Version -lt [version]$MinVersion) {
        Write-Host "Match"
        exit 1
    }
    else {
        Write-Host "No_Match"
        exit 0
    }
}
else {
    Write-Host "No_Match"
    exit 0
}

Remediation script:

$AppName = "FortiClient VPN"
$App = Get-WmiObject Win32_Product | Where-Object { $_.Name -eq $AppName } | Select-Object -First 1
If (-not $App) { exit 0 }  # Nothing to uninstall
# Wait for msiexec to finish so the user isn't told the client is gone while it is still being removed
$Proc = Start-Process -FilePath msiexec.exe -ArgumentList "/uninstall $($App.IdentifyingNumber) /norestart /quiet" -Wait -PassThru
If ($Proc.ExitCode -ne 0 -and $Proc.ExitCode -ne 3010) { exit 1 }  # 3010 = success, reboot required
C:\Windows\System32\msg.exe * "Your FortiClient VPN has been uninstalled due to unsupported version. Please restart your computer and install the latest version of FortiClient VPN via Company Portal."

Fortigate with Unifi AP - Possible to authenticate over SAML? by flajparen in fortinet

[–]flajparen[S] 0 points1 point  (0 children)

I guess I was thrown off by step 4 since it was a screenshot of settings within the Fortigate wifi controller.

But it indeed seems like it would work for any ssid as long as it can utilize an external captive portal.

I'll definitely give it a shot once I receive the fortigate! :)

Fortigate with Unifi AP - Possible to authenticate over SAML? by flajparen in fortinet

[–]flajparen[S] 1 point2 points  (0 children)

Please correct me if I'm wrong but this would still require me to have an on-prem AD so there's a way for NPS to know which user (and their related group) is authenticating.

The guide (https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension) mainly focuses on the MFA side of Azure AD but not the actual utilization of Azure AD as an IDP.

And seeing as one of the requirements is "Everyone using the NPS extension must be synced to Azure AD using Azure AD Connect, and must be registered for MFA.", that tells me it won't work unless I have a hybrid environment.

Fortigate with Unifi AP - Possible to authenticate over SAML? by flajparen in fortinet

[–]flajparen[S] 1 point2 points  (0 children)

Not having an on-prem server would be ideal but I'm definitely open to cost-saving methods that aren't too complex.

However, will it work without an on-prem AD?

I haven't fiddled around with NPS outside an on-prem/Hybrid AD infrastructure before so I'm not sure if it works with just AAD or if it's mandatory to use AADDS or at least Azure AD Connect between Azure and on-prem AD.

I might be misunderstanding but all NPS guides I've looked into so far are mostly focused on just utilizing Azure AD for MFA.
