So I've set up all devices that connect to our Guest Wi-Fi (VLAN) to be redirected to a Captive Portal page, but upon testing (using an iPad with Safari) I get an error message saying that the certificate for the server is invalid / cannot establish a secure connection. I get that this is due to certificates, but having read the wiki and viewed the Configuration / Administration / Certificates tab I remain unsure what, specifically, to do. Any advice for a novice on how to address this?
Steps to enable certificates for Captive Portal / Guest Devices
It's very likely because the captive page is injected into the traffic stream. Your browser expected to get google.com (or whatever) and instead has an unknown response from the NG Firewall. It might be helpful to ensure the NG Firewall's server certificate is up to date; refer to this article for what to look for and how to fix it: Regenerating the SSL Server Certificate on NG Firewall. That could conceivably solve the problem on its own.
If it doesn't — or if there are no 'missing' entries in the Server Verification pane — you can try installing the NG Firewall's root certificate authority on your test device. Download the certificate from Config > Administration > Certificates and install it wherever is appropriate to your test device. I don't have an iOS device to verify this, but I believe this article is what you want for your iPad: https://support.apple.com/en-us/HT204477
Græme Ravenscroft • Technical Marketing Engineer
('gram', like the unit of measurement)
he/him
How can we make Arista ETM products better?
Originally posted by gravenscroft:
It's very likely because the captive page is injected into the traffic stream. Your browser expected to get google.com (or whatever) and instead has an unknown response from the NG Firewall. It might be helpful to ensure the NG Firewall's server certificate is up to date; refer to this article for what to look for and how to fix it: Regenerating the SSL Server Certificate on NG Firewall. That could conceivably solve the problem on its own.
Originally posted by gravenscroft:
If it doesn't — or if there are no 'missing' entries in the Server Verification pane — you can try installing the NG Firewall's root certificate authority on your test device. Download the certificate from Config > Administration > Certificates and install it wherever is appropriate to your test device. I don't have an iOS device to verify this, but I believe this article is what you want for your iPad: https://support.apple.com/en-us/HT204477
I don't understand this idea, as it seems odd to have to install a certificate on an end device for the device to have access to a guest network. What am I missing?
Originally posted by zepher:
Newbie question: There appears to be a valid certificate, but I'll give this a go.
Whether or not a certificate is valid relates to four things:
1. The trust chain of the certificate (does your system trust this cert or its root?)
2. The lifetime of the certificate (has it expired?)
3. The subject of the certificate (is it scoped to apply to this item?)
4. (Optional) Acceptance from the protected item (does the item pin or limit itself to specific certificate issuers?)
When you say it appears to be a valid certificate, you're likely only looking at 1 & 2. The certificate issued to Untangle is not likely to match the "google.com" domain (#3), for example, and if it did, Google's HSTS rules probably don't allow Untangle's CA (#4).
Originally posted by zepher:
I don't understand this idea, as it seems odd to have to install a certificate on an end device for the device to have access to a guest network. What am I missing?
Unfortunately, this is 100% how authenticated guest networks work. If you ever connect to a university or large corporate network they will likely have an "onboarding" process, possibly using an app like ClearPass or SecureW2 to help resolve this, but real certificate installation is a big part of that.
Last edited by jcoehoorn; 12-16-2022, 02:43 PM.
Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty
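A worked version of the checks discussed above, added here as an example; it is not from this thread and not NG Firewall's own tooling. It uses openssl to build a throwaway root CA (standing in for the one downloadable from Config > Administration > Certificates) and a server certificate signed by it, then runs checks 1 to 3 from the four-point list the way a client does: chain trust with and without the root installed, expiry, and whether the name the browser asked for matches the certificate. It also prints the root's SHA-256 fingerprint, which is the value to compare against what iOS displays before you trust an installed profile. The CA name "Example NGFW Root CA", the hostname captive.guest.example and the temp-file layout are invented for the example; check 4 (HSTS / pinning) is enforced inside the browser and cannot be reproduced with openssl alone.

```shell
#!/bin/sh
# Added example (not from the thread or from NG Firewall): build a throwaway
# root CA and server certificate with openssl, then run the checks a client
# performs. "Example NGFW Root CA" and "captive.guest.example" are invented.
set -e

WORK="$(mktemp -d)"
CA_CRT="$WORK/ca.crt";   CA_KEY="$WORK/ca.key"
SRV_CRT="$WORK/srv.crt"; SRV_KEY="$WORK/srv.key"

# Stand-in for the firewall's private root CA plus a server cert it signed.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example NGFW Root CA" \
    -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=captive.guest.example" \
    -keyout "$SRV_KEY" -out "$WORK/srv.csr" 2>/dev/null
  # Modern clients match the SAN, not the CN, so the hostname goes there.
  printf 'subjectAltName=DNS:captive.guest.example\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/srv.ext"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -days 90 -sha256 -extfile "$WORK/srv.ext" \
    -out "$SRV_CRT" 2>/dev/null
}

# Check 1, trust chain: verify against the system store (no second argument)
# or against a given root. A device that has not installed the root is the
# first case and fails; that is the iPad's "certificate is invalid" message.
chain_ok() {   # chain_ok <cert> [cafile]
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# Check 2, lifetime: -checkend N exits non-zero if the cert expires within
# N seconds, so N=0 means "already expired".
not_expired() {   # not_expired <cert>
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Check 3, subject: the chain can be trusted and still not match the name
# the browser asked for.
name_matches() {   # name_matches <cafile> <cert> <hostname>
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# The value to compare against the fingerprint iOS shows before you trust a
# downloaded root profile.
ca_fingerprint() {   # ca_fingerprint <cafile>
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

make_certs
echo "root fingerprint (compare on the device): $(ca_fingerprint "$CA_CRT")"
chain_ok "$SRV_CRT" && echo "system store: trusted" || echo "system store: untrusted (root not installed)"
chain_ok "$SRV_CRT" "$CA_CRT" && echo "with root installed: trusted"
not_expired "$SRV_CRT" && echo "lifetime: not expired"
for host in captive.guest.example google.com; do
  if name_matches "$CA_CRT" "$SRV_CRT" "$host"; then
    echo "$host: OK with root installed"
  else
    echo "$host: name mismatch, warning even with root installed"
  fi
done
```

Run it as a script: the chain fails against the system store and passes once the root is supplied, and the name check passes for captive.guest.example but fails for google.com even with the root trusted. That is the split jcoehoorn describes: installing the root CA on the iPad fixes the portal page itself, not an intercepted https://google.com. Against a real firewall, replace the generated files with the root downloaded from Config > Administration > Certificates and the server certificate captured with `openssl s_client -connect <firewall-ip>:443 -showcerts`.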
Originally posted by jcoehoorn:
Whether or not a certificate is valid relates to four things:
1. The trust chain of the certificate (does your system trust this cert or its root?)
2. The lifetime of the certificate (has it expired?)
3. The subject of the certificate (is it scoped to apply to this item?)
4. (Optional) Acceptance from the protected item (does the item pin or limit itself to specific certificate issuers?)
When you say it appears to be a valid certificate, you're likely only looking at 1 & 2. The certificate issued to Untangle is not likely to match the "google.com" domain (#3), for example, and if it did, Google's HSTS rules probably don't allow Untangle's CA (#4).
Originally posted by jcoehoorn:
Unfortunately, this is 100% how authenticated guest networks work. If you ever connect to a university or large corporate network they will likely have an "onboarding" process, possibly using an app like ClearPass or SecureW2 to help resolve this, but real certificate installation is a big part of that.
Got it. Much appreciated.
Originally posted by zepher:
So how do I go about creating a valid certificate that just allows me to push out the captive portal page to guest users?
But even this is not enough. Users will still see certificate warnings. If they visit, say, Google.com, no trusted CA will let you purchase a certificate that matches that Google.com name (see item #3: the subject of the certificate). It's still better than nothing, though, as a lot of initial requests are not encrypted (the user types google.com into their address bar, it visits an unencrypted version first, and in this case your captive redirect can complete without warnings).
It's one of the reasons some public Wi-Fi providers are no longer doing the captive portal thing.
Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty