Captive portal and HTTPS problems

  • Question
  • Updated 6 months ago
We are setting up the Cloudpath captive portal and ran into one issue. When a user with a personal device wants to get on our network, the steps are straightforward:
  • User joins our wide open guest network
  • They launch a web browser and hit the Cloudpath captive portal
  • They are led through the process of securely on-boarding their device
Two issues, the second one more serious
  1. If the first page a person hits on their web browser is HTTPS, they get a cert error. If they click Continue, they are at the captive portal.
  2. If the first page a person hits on their web browser is HTTPS and HSTS, they just get an error message; they never get the Cloudpath screen.
I had never heard of HSTS until today:
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Every Google site uses HSTS, and of course many people have the home page for their web browser set to https://www.google.com. Has anyone else encountered this? I do have a case open with Ruckus support. From what I read, HSTS will become much more common over time.
David Henderson
Posted 1 year ago

David Henderson
I wrapped up the case I had with Ruckus support and here is the bottom line:
  1. If the user visits an HTTP site, they are immediately redirected to the Cloudpath portal. This works regardless of what browser they are using.
  2. If the user visits an HTTPS site that does not use HSTS, they receive a warning. If they click Continue, they are redirected to the Cloudpath site. This works regardless of browser.
  3. If the user visits an HTTPS site that does use HSTS and they are using the Chrome browser, they are dead-ended. The only way to get redirected to the Cloudpath portal is to visit a different site. Many people have https://www.google.com or Facebook set as their home page. Both of these sites use HSTS, so this might confuse some users. At least with Safari on an iPhone, they get a warning but can continue, and they will get redirected. With Google Chrome on a laptop they are dead-ended, just like Google Chrome on an iPhone. My guess is that Google Chrome on an Android also dead-ends the user.
The only hope in the long run is a new standard being developed just for captive portals
http://community.arubanetworks.com/t5/Technology-Blog/RFC-7710-Captive-Portal-Identification-Using-D...
http://www.rfc-editor.org/info/rfc7710

This issue of not being redirected to a captive portal affects every wireless vendor, including Ruckus. As more and more sites use HSTS, getting a proper redirect becomes harder. I am hoping that Ruckus is sitting on the working group for this new standard and is pushing hard to get it ratified. In the long run, if something is not done, products like Cloudpath or Aruba's ClearPass will lose their value if it becomes really tough to get a proper redirect.
ThX
Has Ruckus commented on this topic in some public "forum?"
David Henderson
Not that I know of
Shaun Van Tonder
I think I may be experiencing this issue. If somebody can confirm. Ruckus can't seem to help me.
I have purchased an SSL certificate and installed it on my ZoneDirector. We use captive portal with AD authentication, but some users get cert errors on their mobile devices. I notice the error when the mobile device uses Chrome as the default browser. On a desktop PC I don't get the error initially, but if I don't authenticate with the portal and just type in www.google.com I also get a warning error message: someone may be intercepting traffic, etc. So from what I can see, some devices try to skip the portal and go straight to their home page, which is https://www.google.com for example.

My thought was to redirect users to an HTTP page, but now my Ruckus device redirection isn't functioning as per "redirect to URL after authentication" in the hotspot settings. I am not sure where to go from here. With 200 mobile devices this is a pain.
(Edited)
Abhi Maras
Unfortunately, HSTS is a standard that many browsers and websites are leveraging, and rightly so, to avoid redirecting users unknowingly, which could result in loss of data for end users. But this poses a problem for captive portal redirection, which is legitimate. There is no widely adopted standard right now, but as identified above, RFC 7710 gives us a way once it is ratified and adopted. This of course affects all vendors and is not applicable only to Ruckus. There are browsers like Firefox that have implemented a "Click here to login" or "This network needs login" button that automatically pops up in such cases. We also recommend using CNA, as that uses an HTTP site that does not break the redirect (Apple uses http://www.captive.apple.com).

Hi Shaun,
Can you confirm whether you are using Cloudpath or if it is a ZD-only question. Also, are you getting the "Certificate not signed" error or the HSTS error? If it is the former, who are you using for the certificate signature? It looks like the browser does not identify the signing authority.

--
Regards
Abhi Maras
(Edited)
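To make the two mechanisms the thread has settled on concrete (David's bottom line that only a plain-HTTP request can be redirected cleanly, and Abhi's pointers to CNA-style probing of an HTTP URL and to RFC 7710's DHCP option), here is an added example of the client side written for this page; it is not Ruckus, Cloudpath or Apple code. It classifies the answer to a plain-HTTP probe the way a captive-network assistant does, and walks a DHCPv4 options field for the RFC 7710 captive-portal URI. The probe URL and the "Success" body are Apple's published ones; the portal URL https://portal.example.net/enroll, the sample responses and the DHCP option bytes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Plain-HTTP probe issued by Apple's Captive Network Assistant (CNA). Because
# it is neither HTTPS nor HSTS-protected, a portal can answer it with a
# redirect and no browser certificate error gets in the way.
PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
# Body Apple's real server returns when nothing is intercepting the request.
EXPECTED_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"

# DHCPv4 option code assigned to Captive-Portal by RFC 7710.
DHCP_OPT_CAPTIVE_PORTAL = 160
DHCP_OPT_PAD = 0
DHCP_OPT_END = 255


@dataclass
class ProbeResponse:
    """Minimal view of what the probe got back: status, headers, body."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def classify_probe(resp: ProbeResponse) -> Tuple[str, Optional[str]]:
    """Decide from a plain-HTTP probe response whether the network is captive.

    Returns ("open", None) when the untouched success page came back,
    ("captive", url) when the portal answered with a redirect (the HTTP case
    the thread says works in every browser), and ("captive", None) for any
    other interception (an inline login page, or an RFC 6585 511 response).
    """
    headers = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status in (301, 302, 303, 307, 308) and "location" in headers:
        return "captive", headers["location"]
    if resp.status == 200 and resp.body.strip() == EXPECTED_BODY:
        return "open", None
    return "captive", None


def parse_dhcp_captive_portal(options: bytes) -> Optional[str]:
    """Walk a DHCPv4 options field (code, length, value TLVs) and return the
    RFC 7710 captive-portal URI carried in option 160, or None if absent."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == DHCP_OPT_PAD:          # single-byte pad, no length
            i += 1
            continue
        if code == DHCP_OPT_END:          # single-byte end marker
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == DHCP_OPT_CAPTIVE_PORTAL:
            return value.decode("ascii")
        i += 2 + length
    return None


# Constructed sample responses (not captured from a real deployment).
PORTAL_URL = "https://portal.example.net/enroll"  # hypothetical portal
SAMPLES = {
    "open_network": ProbeResponse(200, {"Content-Type": "text/html"}, EXPECTED_BODY),
    "portal_redirect": ProbeResponse(302, {"Location": PORTAL_URL}),
    "portal_inline": ProbeResponse(200, {"Content-Type": "text/html"},
                                   "<html><body>Guest login</body></html>"),
    "portal_511": ProbeResponse(511, {"Content-Type": "text/html"},
                                "<html>Network Authentication Required</html>"),
}

# Constructed DHCPv4 options blob: option 3 (router 10.0.0.1), a pad byte,
# option 160 with the portal URI, then END.
SAMPLE_DHCP_OPTIONS = (
    bytes([3, 4, 10, 0, 0, 1])
    + bytes([DHCP_OPT_PAD])
    + bytes([DHCP_OPT_CAPTIVE_PORTAL, len(PORTAL_URL)]) + PORTAL_URL.encode("ascii")
    + bytes([DHCP_OPT_END])
)

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:16s} -> {classify_probe(resp)}")
    print("DHCP option 160 ->", parse_dhcp_captive_portal(SAMPLE_DHCP_OPTIONS))
```

The probe side is why CNA-style detection survives HSTS: the client never asks an HSTS host, so the portal's redirect is just a normal 302. One caveat when wiring up the DHCP side: RFC 7710 was later obsoleted by RFC 8910, which moved the DHCPv4 option to code 114 (the DHCPv6 option 103 and the IPv6 RA option 37 were kept), so check which code your DHCP server and clients actually use before relying on the constant above.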
Shaun Van Tonder

Hi.

I am using a ZoneDirector 1200 series. I have acquired a certificate signed by GeoTrust and also imported the intermediate certificate along with the signed certificate into the ZoneDirector. The login page used to give me an untrusted error for all clients, and this has been solved, so I am sure my import procedure was correct. I noticed the non-trusted issue mainly on phones using Chrome browsers to authenticate. I was able to replicate the error on a Windows 7 machine by typing www.google.com into the browser after ignoring the captive portal login page, just for testing.

I have now upgraded the ZoneDirector to firmware:

zd1200-9-12-3-0-61

After this I strangely don't seem to get the Chrome certificate error on the laptop anymore, no matter how I try. I have yet to test this on various mobile devices. Hoping for the best, but we shall see. Not sure if firmware could solve this issue; it doesn't seem likely, but I will see what happens.

Regards,

Shaun