Is it possible to use guest access without ssl cert. for ZD1200 9.13.3.041 firmware?

  • Updated 2 weeks ago
Hi,
    I would like to know if there is any way to assign guest access with using SSL cert. When I set up guest access with no authentication, I set the redirect page to www.google.com. When I test guest access, the Google page shows the "Your connection is not private" error. The user cannot browse the internet.

  Is there any way to set up guest access without SSL cert and let guests browse the internet using HTTP?

Thanks.

Best regards.

Alan

Alan Tam

Posted 3 weeks ago

Darrel Rhodes, Employee

Hi Alan,

Try setting your redirect page to a non-HTTPS page and you should see the SSL cert error go away.

Thanks,
Darrel.

Alan Tam

May I know how to do it? Currently I set the redirect page to www.google.com. All my guest access users got the error "Your connection is not private"; even when they key in a URL manually they also see this error. They cannot browse to any website. Do I need to CLI to ZoneDirector to disable HTTPS redirect? If the answer is yes, how do I CLI to the ZD using a LAN cable?

Thanks for your valuable reply.

Thanks.

Alan

Darrel Rhodes, Employee

Hi Alan, 

Try setting your Captive Portal redirect page to a NON-HTTPS site. There aren't many of these left, but I've found a list here: https://whynohttps.com/
e.g. www.espn.co.uk

This is because one of the functions of HTTPS is to alert the user if they have been forcefully redirected. 

If you are still having issues after making the change please paste an image of your guest access configuration.

Thanks,
Darrel.


pmonardo, Employee

Or let CNA take over; it is on these devices for a reason: to make that port 80 web request for you so that an error-free experience can happen.

To build on Darrel's point: if you are asking users to sign into a captive portal, then you are asking your users to be redirected to you. Now, when visiting an HTTPS website (i.e. google.com, facebook.com), your browser will expect to see the proper certificate for that website, but instead it is being told to go to your ZD captive portal page, and the certificate does not match google.com or facebook.com. That is why you get the SSL error.

1. Make sure your redirect is non-HTTPS.
2. Make sure CNA works properly. This is the little popup browser you get when connecting to a WLAN that has a captive portal.

Alan Tam

Hi pmonardo,

Can you please tell me more about CNA takeover? I am just setting up a normal guest access without any authentication. I am not using captive portal. Will the pop-up browser also pop up on mobile phones?

Thanks for the reply.

Best regards.

Alan

Alan Tam

1. Redirect to the URL that the user intends to visit: Allows the guest user to continue to their destination without redirection.
2. Redirect to the following URL: Redirect the user to a specified web page (entered into the text box) prior to forwarding them to their destination. When guest users land on this page, they are shown the expiration time for their guest pass.

If I select the first option, can I bypass "Your connection is not private"?

Thanks

Alan

pmonardo, Employee

I don't understand what you are trying to do. You are setting up guest access without authentication and are not using captive portal, so in that case CNA won't even apply.

Why are you trying to get them to redirect somewhere if you don't have a portal they need to process?

Have an Open SSID for your visitors where, as soon as they connect, they are on the internet.

Alan Tam

My main purpose is to allow visitors to access the internet but not browse our corporate network PCs. If I set up an open SSID, how am I going to block visitors from connecting to or browsing our internal network? Do I need to use an L3 ACL to limit visitors? After setup, do I need to tunnel to the zone controller? If in guest access mode, they can browse the internet but they cannot connect to our internal network.

Any suggestion?

Thanks for the reply.

Alan

Darrel Rhodes, Employee

Hi Alan,
Guest access won't provide you with any network segmentation between guest users and corporate network resources; it's simply acting as access control.

Ideally you need to set guest users on a different VLAN to corporate users to provide traffic segmentation. Have a look at this support article: https://support.ruckuswireless.com/articles/000001547

Thanks,
Darrel.


Alan Tam

Besides segmentation, can an L3 ACL limit users from accessing the corporate network?

Darrel Rhodes, Employee

It wouldn't be anything like as secure as VLAN separation, but you can block access to corporate network resources using an IP ACL.

Details on how to do this are in the ZoneDirector User Guide.
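
Added example (not from the thread, and not ZoneDirector configuration syntax): a small Python check of an ordered guest IP ACL of the kind discussed above, run against constructed test flows before the rules are entered on a controller. It assumes first-match rule evaluation, RFC 1918 corporate ranges and a hypothetical internal DNS resolver at 10.0.0.53; confirm the actual rule-order semantics in the ZoneDirector User Guide.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                  # "allow" or "deny"
    dst: str                     # destination network, CIDR
    proto: Optional[str] = None  # "tcp", "udp", or None for any
    port: Optional[int] = None   # destination port, or None for any

# Constructed guest policy: allow the one internal service guests need,
# deny every RFC 1918 range, then allow the rest (the internet).
GUEST_ACL = [
    Rule("allow", "10.0.0.53/32", "udp", 53),  # hypothetical internal DNS resolver
    Rule("deny", "10.0.0.0/8"),
    Rule("deny", "172.16.0.0/12"),
    Rule("deny", "192.168.0.0/16"),
    Rule("allow", "0.0.0.0/0"),
]
# Same rules with the catch-all moved to the top: a common ordering mistake.
MISORDERED_ACL = [GUEST_ACL[-1]] + GUEST_ACL[:-1]

# Constructed test flows: (destination, protocol, port, expected action).
TEST_FLOWS = [
    ("10.0.0.53", "udp", 53, "allow"),      # DNS lookup
    ("10.0.0.53", "tcp", 445, "deny"),      # file sharing on the same host
    ("10.20.30.40", "tcp", 3389, "deny"),   # corporate PC
    ("172.16.5.5", "tcp", 22, "deny"),
    ("192.168.1.10", "tcp", 80, "deny"),
    ("203.0.113.10", "tcp", 443, "allow"),  # public address (documentation range)
]

def evaluate(acl, dst_ip, proto, port, default="deny"):
    """Return the action of the first rule that matches the flow."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if (addr in ipaddress.ip_network(rule.dst)
                and rule.proto in (None, proto)
                and rule.port in (None, port)):
            return rule.action
    return default

def audit(acl, flows=TEST_FLOWS):
    """List the flows whose outcome differs from the expected action."""
    return [(dst, proto, port, want)
            for dst, proto, port, want in flows
            if evaluate(acl, dst, proto, port) != want]

if __name__ == "__main__":
    print("correct order:", audit(GUEST_ACL))
    print("catch-all first:", audit(MISORDERED_ACL))
```

With the catch-all rule first, every corporate destination in the test set is reachable, which is why the deny rules for internal ranges have to sit above the final allow.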