Steps to enable certificates for Captive Portal / Guest Devices

  • Steps to enable certificates for Captive Portal / Guest Devices

    So I've set up all devices that connect to our Guest Wi-Fi (VLAN) to be redirected to a Captive Portal page, but upon testing (using an iPad with Safari) I get an error message that references that the certificate for the server is invalid / cannot establish a secure connection. I get that this is due to certificates but, having read the wiki and viewed the Configuration / Administration / Certificates tab, remain unsure what, specifically, to do. Any advice for a novice on how to address this?

  • #2
    It's very likely because the captive portal page is injected into the traffic stream. Your browser expected to get google.com (or whatever) and instead has an unknown response from the NG Firewall. It might be helpful to ensure the NG Firewall's server certificate is up to date; refer to this article for what to look for and how to fix it: Regenerating the SSL Server Certificate on NG Firewall. That could conceivably solve the problem on its own.

    If it doesn't — or if there are no 'missing' entries in the Server Verification pane — you can try installing the NG Firewall's root certificate authority to your test device. Download the certificate from Config > Administration > Certificates and install it wherever is appropriate to your test device. I don't have an iOS device to verify this, but I believe this article is what you want for your iPad: https://support.apple.com/en-us/HT204477
    Græme Ravenscroft • Technical Marketing Engineer

    • #3
      Originally posted by gravenscroft View Post
      It's very likely because the captive portal page is injected into the traffic stream. Your browser expected to get google.com (or whatever) and instead has an unknown response from the NG Firewall. It might be helpful to ensure the NG Firewall's server certificate is up to date; refer to this article for what to look for and how to fix it: Regenerating the SSL Server Certificate on NG Firewall. That could conceivably solve the problem on its own.
      Newbie question: There appears to be a valid certificate but I'll give this a go. How, though, do I fill out the "Generate Server Certificate" information? Can I use the same details as per the web-site (US, California, Sunnyvale etc.) or should I be filling this out to be unique to my situation and location?

      Originally posted by gravenscroft View Post
      If it doesn't — or if there are no 'missing' entries in the Server Verification pane — you can try installing the NG Firewall's root certificate authority to your test device. Download the certificate from Config > Administration > Certificates and install it wherever is appropriate to your test device. I don't have an iOS device to verify this, but I believe this article is what you want for your iPad: https://support.apple.com/en-us/HT204477

      I don't understand this idea as it seems odd to have to install a certificate on an end device for the device to have access to a guest network. What am I missing?

      • #4
        Originally posted by zepher View Post
        Newbie question: There appears to be a valid certificate but I'll give this a go.
        Whether or not a certificate is valid relates to four things:

        1. The trust chain of the certificate (does your system trust this cert or its root?)
        2. The lifetime of the certificate (has it expired)?
        3. The subject of the certificate (is it scoped to apply to this item?)
        4. (Optional) Acceptance from protected item (does the item pin or limit itself to specific certificate issuers?)

        When you say it appears to be a valid certificate, you're likely only looking at 1 & 2. The certificate issued to Untangle is not likely to match the "google.com" domain (#3), for example, and if it did Google's HSTS rules probably don't allow Untangle's CA (#4).


        Originally posted by zepher View Post
        I don't understand this idea as it seems odd to have to install a certificate on an end device for the device to have access to a guest network. What am I missing?
        Unfortunately, this is 100% how authenticated guest networks work. If you ever connect to a university or large corporate network they will likely have an "onboarding" process, possibly using an app like ClearPass or SecureW2 to help resolve this, but real certificate installation is a big part of that.
        Last edited by jcoehoorn; 12-16-2022, 03:43 PM.
        Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

        • #5
          Originally posted by jcoehoorn View Post
          Whether or not a certificate is valid relates to four things:

          1. The trust chain of the certificate (does your system trust this cert or its root?)
          2. The lifetime of the certificate (has it expired)?
          3. The subject of the certificate (is it scoped to apply to this item?)
          4. (Optional) Acceptance from protected item (does the item pin or limit itself to specific certificate issuers?)

          When you say it appears to be a valid certificate, you're likely only looking at 1 & 2. The certificate issued to Untangle is not likely to match the "google.com" domain (#3), for example, and if it did Google's HSTS rules probably don't allow Untangle's CA (#4).
          So how do I go about creating a valid certificate that just allows me to push out the captive portal page to guest users?


          Originally posted by jcoehoorn View Post

          Unfortunately, this is 100% how authenticated guest networks work. If you ever connect to a university or large corporate network they will likely have an "onboarding" process, possibly using an app like ClearPass or SecureW2 to help resolve this, but real certificate installation is a big part of that.

          Got it. Much appreciated.



          • #6
            Originally posted by zepher View Post
            So how do I go about creating a valid certificate that just allows me to push out the captive portal page to guest users?
            You have to buy one from a certificate authority that has done the work to already be included in the various OS and browser trusted root stores. IdenTrust, DigiCert, Let's Encrypt, GoDaddy, etc.

            But even this is not enough. Users will still see certificate warnings. If they visit, say, Google.com, no trusted CA will let you purchase a certificate that matches that Google.com name (see item #3: the subject of the certificate). It's still better than nothing, though, as a lot of initial requests are not encrypted (user types google.com into their address bar, it visits an unencrypted version first, and in this case your captive redirect can complete without warnings).

            It's one of the reasons some public wifi providers are no longer doing the captive portal thing.
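The following is an added worked example, not code from this thread, from Untangle, or from Arista. It illustrates the three points made in posts #2, #4 and #6: a browser accepts the captive portal's certificate only if (1) it chains to a root the device trusts (which is why post #2 suggests installing the NG Firewall's root CA), (2) it is within its validity period (why regenerating an expired server certificate helps), and (3) its subject matches the hostname the browser actually asked for (why a certificate for your portal can never satisfy a request for google.com, no matter who issued it). The script uses openssl to build a throwaway private root CA standing in for the NG Firewall's own CA and a server certificate for the portal, then evaluates them the way a browser would. The hostname portal.guest.example, the organization name and the working directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the NG Firewall product). Builds a
# throwaway PKI with openssl and runs the checks a browser applies to a
# captive portal certificate: trust chain, validity period, hostname match.
# All names below (portal.guest.example, "Example Guest Wi-Fi") are invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

build_demo_pki() {
  # Step 1: a private root CA, standing in for the NG Firewall's own root CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj "/C=US/ST=California/L=Sunnyvale/O=Example Guest Wi-Fi/CN=Example Guest Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext -out ca.crt 2>/dev/null

  # Step 2: the captive portal server certificate, issued by that CA. The
  # subjectAltName is what browsers compare against the hostname they requested.
  openssl req -new -newkey rsa:2048 -nodes -keyout portal.key -out portal.csr \
    -subj "/CN=portal.guest.example" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:portal.guest.example\n' > portal.ext
  openssl x509 -req -in portal.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 825 -extfile portal.ext -out portal.crt 2>/dev/null
}

# Step 3: the browser's view. Returns 0 only when the certificate chains to a
# trusted root (check 1), is valid at the given time (check 2) and matches the
# hostname the browser asked for (check 3). Check 4 from post #4 (pinning) is
# client policy and is not modelled here.
#   $1 trust bundle, or "" for a device that has NOT installed the root CA
#   $2 hostname the browser requested
#   $3 server certificate file
#   $4 time to evaluate at, in epoch seconds
browser_would_accept() {
  if [ -n "$1" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$1" \
      -verify_hostname "$2" -attime "$4" "$3" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath \
      -verify_hostname "$2" -attime "$4" "$3" >/dev/null 2>&1
  fi
}

# What to look at on a certificate pulled from the firewall: issuer, dates, SANs.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName
}

verdict() { if "$@"; then echo "accepted"; else echo "rejected"; fi; }

build_demo_pki
NOW=$(date +%s)
THREE_YEARS=$((NOW + 3 * 365 * 86400))   # past the 825-day lifetime above
describe_cert portal.crt

echo "no root installed, portal.guest.example: $(verdict browser_would_accept ''     portal.guest.example portal.crt "$NOW")"
echo "root installed,    portal.guest.example: $(verdict browser_would_accept ca.crt portal.guest.example portal.crt "$NOW")"
echo "root installed,    google.com:           $(verdict browser_would_accept ca.crt google.com           portal.crt "$NOW")"
echo "root installed,    three years from now: $(verdict browser_would_accept ca.crt portal.guest.example portal.crt "$THREE_YEARS")"
```

Only the second case is accepted: the device trusts the issuing root, the certificate is current, and the requested name matches the SAN. The first case is what the iPad sees before the NG Firewall's root CA is installed on it; the third is the situation post #6 describes, where even a correctly issued certificate fails because the browser asked for google.com; the fourth is the expired-certificate case that regenerating the server certificate fixes. To run the same check against a real firewall, fetch the certificate it actually serves with `openssl s_client -connect <portal-address>:443 -showcerts </dev/null`, save the leaf certificate to a file, and call `browser_would_accept` with the root CA downloaded from Config > Administration > Certificates as the trust bundle.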
