Netgate Discussion Forum

Portal captive https

Captive Portal
  Gertjan (Dec 22, 2016, 9:19 PM)

    @pfsense.user:

    …..
    Is it possible to have a certificate signed by a CA and use it in the CP to avoid the https error?

    No.
    You have to have a domain name - like domaine.tld.
    Then a CA can issue you a certificate: give them "domaine.tld" and the sub domain "portal.domaine.tld" ("portal" is an example) to sign.
    Use "portal.domaine.tld" as the https URL for the portal login.
    Declare portal.domaine.tld in the local DNS with the IP of the portal NIC.

    Read also (example): https://forum.pfsense.org/index.php?topic=63791.0 for ALL the info needed.

    Btw: your question is ok of course, but not related to pfSense, it's more general certificate knowledge (which is, I agree, heavy material when you start to use it).

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit : and where are the logs ??

    pfsense.user (Dec 22, 2016, 11:07 PM)

      Hi,
      Thank you.
      Do I need a public IP address for the CP?
      Is it possible to use a free domain name?

      Thank you.

      Derelict, LAYER 8 Netgate (Dec 23, 2016, 2:48 AM)

        It is not possible to prevent a user who tries to go to a secure site but gets redirected to your portal instead from getting a certificate error, unless you control every device and install a trusted CA root on all of them. Even then there is no facility in captive portal to generate certificates like that on-the-fly.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Gertjan (Dec 23, 2016, 6:56 AM)

          @pfsense.user:

          Do I need a public IP address for the CP?

          No.
          The captive portal is activated on a LAN or OPTx interface. This could not and should not be a WAN type interface (with a public IP).
          Never ever use public IPs on internal networks.

          @pfsense.user:

          Is it possible to use a free domain name?

          That's up to the certificate authority to decide. I guess not.
          When you use things like 'https' and thus certificates, you have to face the investment of renting a domain name. Most cost about the price of a packet of cigarettes per year.
          Typically, you use these:
          domaine.tld (this is the one you have to rent somewhere - let's say $5 a year)
          www.domaine.tld <= these, you can make as many as you want.
          mail.domaine.tld
          smtp.domaine.tld
          pop.domaine.tld
          imap.domaine.tld
          for a server (VPS or bigger) on the net - if you have a use for it.
          pfsense.domaine.tld <= use this one for the certificate authority to sign a certificate. Use "pfsense.domaine.tld" as the https URL.

          pfsense.user (Dec 23, 2016, 10:21 AM)

            Thanks for all these answers.

            My captive portal is local, not on the internet.

            internet <-> pfsense(captive portal) <-> client(accessing internet through pfsense)

            In pfSense I can choose to set a local domain, option [general setup, dhcp, and captive portal]. Is it the same as the one which will be linked to the certificate?

            Once we are done with the configuration, with an existing domain name and a trusted certificate, will the CP https error be avoided?

            Thank you.

            Gertjan (Dec 23, 2016, 11:04 AM)

              @pfsense.user:

              …
              which will be linked to the certificate?
              Once we are done with the configuration, with an existing domain name and a trusted certificate, will the CP https error be avoided?

              When you enable "https" (Enable HTTPS login) you NEED a "HTTPS server name", something like (sub domain) portal.your-domain.tld, and a valid signed certificate for that sub domain.

              See https://forum.pfsense.org/index.php?topic=63791.0 for details.
              Note: https://forum.pfsense.org/index.php?topic=63791.0 proposes StartSSL for free signed recognized certificates; you are free to choose another company**.

              **) maybe you should do so, StartSSL has some troubles right now ….

              Derelict, LAYER 8 Netgate (Dec 23, 2016, 7:16 PM)

                Will the CP https error be avoided?

                That depends on the exact HTTPS error you are talking about.

                If it is just an error because you are trying to use an HTTPS login page and don't have a certificate on the portal signed by a globally-recognized certificate authority, then yes, as long as you are not also attempting HTTPS interception and redirection.

                Nothing. NOTHING. NOTHING can prevent a user from getting a certificate error if, prior to going through your portal, their browser is trying to go to https://www.google.com/ and gets redirected to your portal page instead.

                You have inserted yourself as an HTTPS man-in-the-middle in that case, which is exactly what SSL/TLS is designed to prevent.

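The name check behind the certificate error described above, as an added example that is not code from the thread or from pfSense. It models the dNSName matching rules of RFC 6125 / RFC 2818 (exact match, or a single "*" in the left-most label only) and applies them to the situation in this thread: a portal terminating a TLS handshake that the browser intended for another site, and presenting the portal's own certificate. The portal SAN names are the thread's example names; issuer trust is assumed to be fine so that only the hostname mismatch is shown.

```python
"""Hostname check a TLS client applies to a server certificate.

Added example for this thread; it is not code from pfSense or the forum.
It models the RFC 6125 / RFC 2818 dNSName matching rules (exact match,
or a single "*" in the left-most label only) to show what happens when a
captive portal answers a TLS handshake meant for another site with its
own certificate. The portal names below are constructed for the demo.
"""


def _labels(name: str) -> list:
    # Case-insensitive, trailing dot ignored, split into DNS labels.
    return name.lower().rstrip(".").split(".")


def hostname_matches(san_entry: str, hostname: str) -> bool:
    """True if the dNSName SAN entry covers hostname."""
    pat, host = _labels(san_entry), _labels(hostname)
    if "*" in san_entry:
        # Wildcard rules: only a whole left-most label may be "*", no other
        # label may contain "*", and "*" or "*.tld" are not acceptable.
        if pat[0] != "*" or any("*" in p for p in pat[1:]) or len(pat) < 3:
            return False
    # "*" stands for exactly one label, so label counts must be equal.
    if len(pat) != len(host):
        return False
    return all(p == "*" or p == h for p, h in zip(pat, host))


def cert_covers(san_entries, hostname: str) -> bool:
    return any(hostname_matches(s, hostname) for s in san_entries)


def browser_verdict(portal_sans, requested_host: str) -> str:
    """Browser decision when the portal terminates TLS for requested_host
    (the name the client sent in SNI) and presents the portal's own cert.
    Issuer trust is assumed OK; only name matching is modelled here."""
    return "ok" if cert_covers(portal_sans, requested_host) else "NAME_MISMATCH"


# Constructed SANs of the portal certificate, using the thread's example names.
PORTAL_SANS = ["portal.domaine.tld", "pfsense.domaine.tld"]

if __name__ == "__main__":
    for host in ["portal.domaine.tld", "www.google.com", "www.facebook.com"]:
        print(f"{host:22} -> {browser_verdict(PORTAL_SANS, host)}")
    # Even a wildcard certificate stays inside its own zone:
    print(hostname_matches("*.domaine.tld", "portal.domaine.tld"))  # True
    print(hostname_matches("*.domaine.tld", "www.google.com"))      # False
    print(hostname_matches("*", "www.google.com"))                  # False
```

Only requests whose SNI name is covered by the portal certificate pass; every other HTTPS destination intercepted before login fails with a name mismatch, whoever signed the certificate. A wildcard does not help either: it covers one label of one zone, and a bare "*" is rejected by the rules.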
                Mypfsense2016 (Dec 24, 2016, 3:47 AM)

                  Actually, pfSense doesn't need to know the content of an https page.
                  Just look at the URL string, see if it's https and do the redirect.

                  I also get trouble as users love to open https://google.com as the first page.

                  Derelict, LAYER 8 Netgate (Dec 24, 2016, 4:18 AM)

                    You do not understand how https works.

                    pfsense.user (Dec 27, 2016, 9:37 AM)

                      Hi,

                      Can't we avoid the https error page even with squid? It is an https interceptor if I'm not mistaken.

                      When a user opens any https web site before authentication, he will be redirected to the Captive Portal without a certificate error. That is what we want.

                      You said that for that, the CP needs a valid certificate. Is that correct?

                      Thank you.

                      Gertjan (Dec 27, 2016, 10:14 AM)

                        No.

                        Even when you have a valid certificate (from an authority trusted by the browser the visitor uses) installed on pfSense, when your visitors visit https://www.facebook.com the browser will get back a nice certificate (yours, from the portal pfSense) saying a lot, except that it is NOT signed for "facebook.com".
                        The browser of the visitor will scream!!
                        Don't try to look for a solution to circumvent this. It will be a pure waste of time.
                        (on the other hand, if you managed to do so, you'd be in for some kind of Nobel prize, because you would have broken the Internet as we know it).

                        What would work is this: try to get THE super wildcard certificate, this one: ".". THAT will work  ;)

                        As Derelict says, first try to figure out what "https" means. Really. Don't pretend, do so.

                        But, I have some good news for you.
                        Every known OS these days is "portal minded"!!
                        This means that this:
                        @Mypfsense2016:

                        I also get trouble as users love to open https://google.com as the first page.

                        is a non-existing problem.

                        Example: when a Windows PC connects to a network using a Wifi adapter, it will throw out a hidden request to a http:// site (NON-https!!).
                        When the (pre-programmed) result returned is something like "Success", then the OS will 'know' that the Wifi connection offers an open connection to the net - or, at least, that requests to any destination on port 80 will work.
                        If the result is any different, like our pfSense portal page, then Windows WILL show on the screen a message like "More user interaction is needed" and offers the visitor, by clicking on the message shown in the system tray, to open a browser that will ….  => Major magic => open a browser (IE) that shows our …. captive portal page.
                        All this even when the default browser home page is something like https://www.google.com!
                        iOS devices have the same functionality. When connecting, a simple browser WILL open automatically that shows our portal page.
                        Android stuff: I guess they do the same thing .....

                        So: conclusion: EXCEPT if the user messed up the configuration of his device, connecting to a "wifi-captive-portal" network just works.
                        If it doesn't, well, then that is not YOUR problem.

                        I can prove what I'm saying: I have been using pfSense for years now in a hotel. Our clients bring along all kinds of devices. These clients do not contact me - they just connect to our guest network.

                        When they have "https://google.com" as the default home page, then that is NO problem at all.
                        It shouldn't be one for you either.

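The plain-HTTP probe mechanism described in the post above, as an added example that is not code from the thread, pfSense or any OS vendor. The operating system fetches a fixed http:// URL and compares the reply with a known expected answer; a portal that intercepts port 80 before login returns something else (typically a redirect to its own login page), and that difference is what makes the OS pop up its "sign-in required" prompt. The probe table lists the commonly documented endpoints for Windows, Apple and Android; the HTTP responses, the portal hostname and the `redirurl` query parameter are constructed for the demo.

```python
"""How an OS decides "sign-in required" behind a captive portal.

Added example for this thread; not code from pfSense, Microsoft, Apple or
Google. Each OS fetches a fixed plain-HTTP probe URL and compares the
answer with a known expected response. Anything else (a redirect to the
portal, a different body or status) means a portal is in the way.
The probe table lists commonly documented endpoints; the HTTP responses
below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Probe:
    name: str
    url: str
    expect_status: int
    expect_body: Optional[bytes]   # None: only the status code is checked


PROBES = [
    Probe("Windows NCSI", "http://www.msftconnecttest.com/connecttest.txt",
          200, b"Microsoft Connect Test"),
    Probe("Apple CNA", "http://captive.apple.com/hotspot-detect.html", 200,
          b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    Probe("Android", "http://connectivitycheck.gstatic.com/generate_204", 204, None),
]


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Minimal HTTP/1.x response parser: (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ")[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode()
    return status, headers, body


def classify(probe: Probe, raw: Optional[bytes]) -> str:
    """Return 'online', 'captive:<location>', 'captive' or 'offline'."""
    if raw is None:                       # no answer at all: no connectivity
        return "offline"
    status, headers, body = parse_response(raw)
    body_ok = probe.expect_body is None or body.strip() == probe.expect_body
    if status == probe.expect_status and body_ok:
        return "online"                   # the genuine probe server answered
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        return "captive:" + headers["location"]   # the OS opens this in its mini-browser
    return "captive"                      # unexpected body/status, e.g. an inline login page


# Constructed responses ------------------------------------------------------
GENUINE_NCSI = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                b"Content-Length: 22\r\n\r\nMicrosoft Connect Test")
PORTAL_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://portal.domaine.tld/index.php?redirurl="
                   b"http%3A%2F%2Fwww.msftconnecttest.com%2Fconnecttest.txt\r\n"
                   b"Content-Length: 0\r\n\r\n")
PORTAL_INLINE_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"<html><body>Guest Wi-Fi login</body></html>")

if __name__ == "__main__":
    print(classify(PROBES[0], GENUINE_NCSI))        # online
    print(classify(PROBES[0], PORTAL_REDIRECT))     # captive:https://portal.domaine.tld/...
    print(classify(PROBES[1], PORTAL_INLINE_PAGE))  # captive
    print(classify(PROBES[2], b"HTTP/1.1 204 No Content\r\n\r\n"))  # online
    print(classify(PROBES[2], None))                # offline
```

The probe is plain HTTP on purpose: the portal can answer it with its own redirect without any certificate coming into play, and the redirect target can be the portal's https URL, where the portal's own certificate does match the name. An https probe would hit the name mismatch shown earlier in the thread and could not be redirected cleanly.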
                        pfsense.user (Dec 27, 2016, 11:19 AM)

                          Hi,

                          Can't we automatically open a http page in the client's browser when he connects? So he will be redirected to the CP authentication page.

                          Thank you.

                          Derelict, LAYER 8 Netgate (Dec 27, 2016, 5:13 PM)

                            No. The client browser browses to whatever it browses to. If that is http, it is http. If it is https, it is https.

                            Why do you think you would have such control over a client's browser? Think about that for just one or two seconds.

                            Gertjan (Dec 27, 2016, 7:05 PM)

                              @pfsense.user:

                              Can't we automatically open a http page in the client's browser ….

                              You (= we?) never ever control a user's (the visitor!) browser!!
                              It's the OS (Android, iOS, Microsoft Windows, whatever) that the user (again: the visitor!) uses on his device that decides to open a 'hidden' http (not https) page somewhere on the Internet (of course an http request; an https request will NOT work to bypass portal pages, if they exist).
                              You have nothing to do - nothing to control - it just works!

                              pfsense.user (Dec 28, 2016, 5:32 PM)

                                Hi,

                                Is it possible to authenticate users from Active Directory in the pfSense captive portal?

                                By user I mean username.

                                EX: Dupont Paul, his username is "dpaul".

                                Authenticate dpaul in the CP, only with Windows Server 2012 and pfSense.

                                Thank you.

                                Gertjan (Dec 28, 2016, 9:24 PM)

                                  Interfacing with Microsoft products means you are entering the $ market.
                                  So, the short answer will be 'no'.

                                  Derelict, LAYER 8 Netgate (Dec 28, 2016, 9:46 PM)

                                    Yes but it is probably outside what you will get on a forum. Might try googling that. You should be able to use RADIUS to NPS there. CP doesn't support LDAP.

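The RADIUS exchange suggested above (captive portal as RADIUS client, NPS as server), as an added example that is not code from the thread, pfSense, FreeRADIUS or NPS. It builds an RFC 2865 Access-Request, hides the User-Password with the shared-secret MD5 scheme of RFC 2865 section 5.2, and shows the server-side checks and the Response Authenticator the client verifies on the reply. The shared secret, NAS identifier and password are constructed; the username is the one from the thread.

```python
"""RADIUS Access-Request as a captive portal (NAS) sends it to a server.

Added example for this thread; not code from pfSense, FreeRADIUS or NPS.
It builds the RFC 2865 packet, hides User-Password with the shared-secret
MD5 scheme of RFC 2865 section 5.2, and shows the server-side checks
(length, password recovery, Response Authenticator). Shared secret,
NAS name and password are constructed; the username is from the thread.
"""
import hashlib
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER = struct.Struct("!BBH")           # Code, Identifier, Length (authenticator follows)


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the first with MD5(secret + RA)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, nas_id: bytes,
                         req_auth: Optional[bytes] = None) -> bytes:
    req_auth = req_auth or os.urandom(16)   # fresh random Request Authenticator
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(ATTR_NAS_IDENTIFIER, nas_id))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def server_reply(packet: bytes, secret: bytes, user_db: Dict[bytes, bytes]) -> bytes:
    """Server side: check the request, recover the password, answer with an
    Access-Accept/Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = user_db.get(attrs[ATTR_USER_NAME]) == password
    reply_attrs = b""                        # no reply attributes in this demo
    head = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
    resp_auth = hashlib.md5(head + req_auth + reply_attrs + secret).digest()
    return head + resp_auth + reply_attrs


def client_verify_reply(request: bytes, reply: bytes, secret: bytes) -> bool:
    """NAS side: a reply forged without the shared secret fails this check."""
    req_auth = request[4:20]
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    return hashlib.md5(head + req_auth + attrs + secret).digest() == resp_auth


def reply_code(reply: bytes) -> int:
    return reply[0]
```

The shared secret does two jobs here: it keys the password hiding and it authenticates the server's reply, so a mismatched secret on either side shows up as a Reject or as a failed reply check rather than as a silent success. RFC 2865 password hiding is MD5-based and offers no forward secrecy, which is why RADIUS between the portal and the server belongs on a trusted management network.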
                                    myke (Jan 5, 2017, 8:59 AM)

                                      Hello everyone,

                                      I was in a hotel in France which had a captive portal with Ucopia, and the redirection worked without a certificate issue.

                                      I tested with a computer and a Samsung mobile. All worked fine.

                                      So I don't know why, but Ucopia can do it… :-\

                                      Derelict, LAYER 8 Netgate (Jan 5, 2017, 9:05 AM, edited 9:08 AM)

                                        No it didn't.

                                        It is simply not possible to get in the middle of an HTTPS connection and not generate a certificate error unless you can mint a certificate for the original destination signed by a CA trusted on the device. And even then you are hampered by certificate pinning, etc.

                                        I would love to see the certificate generated by the captive portal that was presented when you tried to go to a regular, global HTTPS site and got the portal instead without a cert error being presented.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.