Fri, Apr 23, 2021 10:10 PM

SSL Certificate Problem for our Ruckus Zonedirector

I work for an ISP where we have our own network for managing IPs for devices and whatnot. We also provide public guest wireless Internet for an entity using our internet service. The IP that we used for managing the Zonedirector is part of the VLAN IP scheme we have set up here, but the IP that we assigned the director within the network is 192.168.3.254, which falls under the 192.168.0.1 subnet. These are also the IPs that are given to users who connect to the free wifi. The problem we are having is that since iOS began cracking down on browsing sites that aren't secure, those Apple users are having trouble gaining service from this free public wifi. I know that to obtain an SSL certificate you need to have a public IP address. So I am asking: is there a way to obtain this certificate and possibly keep the same configuration we currently have, or may we have to change the current setup? Thank you for any assistance that is given.

Responses

eizens_putnins

2 m ago

A certificate isn't provided to an IP address. It is issued for a DNS name, and you need to verify domain ownership to get a certificate (this is why you usually need a public address with a web server on it).

Anyway, you can get a certificate for your public address and your domain, and then you just need clients to resolve the ZD IP as this name. You need an entry on your DNS server for it, and need clients using your DNS (as other DNS servers will not have this record).

For example, you get a certificate for the site name wispr.provider.com. Then you just configure the network so that DHCP provides your provider DNS address to clients, and add a record there that wispr.provider.com has the IP address 192.168.3.254.

This will make your ZD page trusted by the browser, as the certificate will match the DNS entry for the site.

Of course, an even better solution would be to have the ZD accessible through a public IP; in this case, if this IP is properly mapped to the DNS name, the client can use any DNS server to get to it. Many providers allow access to any DNS servers before WISPR authentication, to avoid issues with clients with static DNS settings, but there is an exploit for this to run a tunnel over the DNS port and access the Internet, bypassing the WISPR portal.

WISPR is an old, outdated and insecure solution; there are now new and better methods, which are much more secure, but they require newer equipment and more knowledge to configure, so WISPR is still used extensively.
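A way to verify the setup described in the reply above from a client on the guest network, as an added example that is not part of the original post. It assumes the reply's example name `wispr.provider.com`, the ZoneDirector address from the question, and that the portal serves HTTPS on port 443; the function names are hypothetical.

```python
import socket
import ssl

PORTAL_NAME = "wispr.provider.com"  # example name used in the reply
PORTAL_IP = "192.168.3.254"         # ZoneDirector address from the question


def resolve(name):
    """IPv4 addresses returned by the client's current (DHCP-provided) resolver."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tls_check(name, ip, port=443, timeout=5):
    """Connect to ip, send name as SNI, validate chain and hostname as a browser would."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                sans = tls.getpeercert().get("subjectAltName", ())
                return True, ", ".join(v for k, v in sans if k == "DNS")
    except ssl.SSLCertVerificationError as err:
        return False, err.verify_message
    except OSError as err:
        return False, f"connection failed: {err}"


def assess(addresses, expected_ip, tls_ok, tls_detail):
    """Turn the raw results into findings; an empty list means the setup works."""
    findings = []
    if not addresses:
        findings.append("name does not resolve: record missing or client not using the provider DNS")
    elif addresses != [expected_ip]:
        findings.append(f"name resolves to {addresses}, expected only {expected_ip}")
    if not tls_ok:
        findings.append(f"certificate rejected for this name: {tls_detail}")
    return findings


if __name__ == "__main__":
    ok, detail = tls_check(PORTAL_NAME, PORTAL_IP)
    problems = assess(resolve(PORTAL_NAME), PORTAL_IP, ok, detail)
    print("\n".join(problems) if problems else f"OK: {PORTAL_NAME} -> {PORTAL_IP}, cert covers {detail}")
```

Running it once with the DHCP-assigned DNS and once with a static public resolver shows the difference between the split-DNS setup and the public-IP alternative mentioned in the reply.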
