Netgate Discussion Forum

    Captive Portal with external certificate

    7 Posts 2 Posters 5.5k Views
    • thurines

      Hello

      My goal is to set up an environment with a LAN, OPT1 (as Guest1), OPT2 (as Guest2) and WAN. I use pfSense 2.1-RC0 (amd64), FreeBSD 8.3-Release-p8.

      Guest1----P
                F
      Guest2----S
                e-------WAN
                n
                s
      LAN-------e

      The LAN should be a normal LAN and nothing special really. But the guest networks should each be set up with a captive portal. Guest1 should be set up with a captive portal using RADIUS authentication with MSCHAPv2 connected to a Windows Server 2012 NAP server for authentication against Active Directory. The Guest2 network will be set up with vouchers. Both captive portals will have to use HTTPS for security. Each network segment is really just its own VLAN, and Guest1, Guest2 and LAN are all on the same physical wiring.

      Right now I'm testing with a three-legged setup and omitting the Guest2 network, and I'm stuck trying to get HTTPS to work on the captive portal for the guest network.

      I signed up for a free StartSSL certificate, which I learned should work with a web server such as a captive portal. I added the StartSSL Root CA and the Intermediate CA into the Cert Manager as external CAs. Then I went under the Certificates leaf in Cert Manager and added the certificate and key I got from StartSSL. After that I added a rule for the Guest network to be able to go anywhere.

      FW Rule for guest:
      Proto  Source            Port  Destination  Port  Gateway  Queue  Schedule
      IPv4    192.168.2.0/24    *          *            *        *          none

      After that I went into DNS Forwarder under the Services menu and added a Host Override for hostname.domain.tld (I used the name used when I created the certificate) and set it to the IP address of the interface on the pfSense box facing the guest VLAN.

      When this was done I went into the settings for captive portal. I added a new captive portal and enabled it for the guest network, set the authentication to local manager (for testing purposes) and tested the setup without HTTPS, and it worked nicely when I tried with the admin account. After that I changed HTTP to HTTPS, set the hostname to the same as in DNS Forwarder and selected the certificate I previously added under the certificate leaf in Cert Manager.

      When I try with these settings the browser, in this case IE8, just spins and returns "page could not be found" after a while.

      Does anyone have experience setting up a captive portal with a third-party certificate like this? I tried to add crl.startssl.com to the allowed hostname list, thinking the client might want to reach the CRL list, but it doesn't help. I tried to create a self-signed certificate that I got working, but it returns an SSL error when the clients connect, of course. I tried to set the hostname in the DNS server instead of the DNS Forwarder, but that didn't change the behavior either. I restarted both the client on the guest network and the pfSense box between configuration changes to make sure it was reset.

      Could anyone point me in the right direction to get a third party cert to work in a captive portal?

      /erik

      • mikekennedy

        Are you using port 8001 instead of 8000 since you switched to https?

        • thurines

          Thanks for your reply!

          The pfSense router automatically switches to port 8001 when I select HTTPS. Here is some new info.

          My test lab resides in VirtualBox on my local machine. The WAN is bridged to my NIC, and the LAN and GUEST are bridged to a vswitch each. On the LAN switch is a virtual Server 2012, and on the GUEST switch is a Windows 7 machine, and it's the Win 7 machine I try to get on the internet.

          I made a Wireshark capture on the Win7 machine and got some layer 3 checksum errors, and I suspect that HTTPS gets broken because the WAN of my pfSense machine is actually a private IP address that my workstation gets from the internal DHCP server, which is then NATed in another (the production) pfSense router before it reaches the ISP.

          actual topology:

          Win7 -- guest vswitch -- pfsense2.1 -- LAN -- pfsense(production) -- WAN
                                   (NAT HERE)           (NAT HERE)

          Is https sensitive to NAT in this way?

          /erik

          • mikekennedy

            I just set up a Captive Portal on pfSense with a StartSSL cert (this is what I normally use; I just rebuilt the router and didn't have it set up yet).

            ID Proto Source Port Destination Port Gateway Queue Schedule Description
                      *             *         *       *           *     *         none               Allow CP to Any

            On the page, I am using a soft timeout of 5 mins and a hard timeout of 60. The logout window is enabled with concurrent logins disabled. Local user manager is being used for testing purposes. Enable HTTPS login is checked with portal.mydomain.com in the text box.

            In the HTTPS Certificate box:

            -----BEGIN CERTIFICATE-----
            portal.mydomain.com CERTIFICATE INFORMATION HERE
            -----END CERTIFICATE-----

            In the HTTPS Private key box:
            -----BEGIN RSA PRIVATE KEY-----
            portal.mydomain.com KEY INFORMATION HERE
            -----END RSA PRIVATE KEY-----

            In the HTTPS Intermediate Certificate:

            I am also using the default pages for testing.
            Can you confirm the above settings and the correct intermediate certificate? Also join the captive portal network and perform a nslookup <your interface ip> and a ping <your interface ip>. Also on the DNS Forwarder tab under Services, I have a host override for portal.mydomain.com pointing to 10.0.0.254.

            If these tests are successful, we will try again. Let me know how it goes.

            • thurines

              Thanks a lot for your post.

              I have tried your suggestions; however, I still get the same result: the webpage just spins while displaying my hostname.domainname.tld until I get the "page could not be found" message. I can see that it tries on port 8001 with HTTPS and that it's a redirect URL from my start page.

              Since I run pfSense 2.1 the captive portal interface looks a bit different. I added the StartSSL CA and Intermediate CA to System -> Cert Manager under the CAs leaf and my certificate for the server under the Certificates tab, instead of adding the certs directly under the captive portal interface, since there is no GUI where I can add this information directly under the CP interface.

              Then I go to the DNS Forwarder page and add the hostname and domain as well as the IP for the local interface, and make sure I can both ping and nslookup that address from the CP client on the CP network.

              Then when I get to the Captive Portal interface I add a new captive portal, enable it for the local interface I want it to apply to, and set the settings according to your suggestion above, apart from the HTTPS part where the interface has changed in 2.1. Instead there are the following fields and the values that I set:

              HTTPS Login:                    Enable https (checked)

              HTTPS server name:          hostname.domain.tld(a public domain that I own with a hostname set
                                                  to the same value as in the certificate and the DNS Forward page. No
                                                  public DNS point to this hostname on the internet)

              SSL Certificate                Dropdown menu(Select my certificate from the cert manager)

              I save this and I think that the CA, Intermediate CA and my own certificate and key should be collected from the cert manager but something is still wrong.

              I'm going to try to install pfSense 2.03 and try your EXACT settings just to make sure there is nothing wrong with the certificate. If that works I'm going to assume that there is something wrong between the Cert Manager and the captive portal service in pfSense 2.1 when working with external certificates, since I got this to work when using an internal certificate through the Cert Manager.

              I will post back when I have tried this on 2.03.

              Oh and by the way, here are the certificates I copy paste into cert manager.

              CA


              Intermediate


              When I paste them in the cert manager looks like this under the CAs leaf

              Name                   Internal  Issuer       Certificates  Distinguished Name
              StartSSL CA            NO        self-signed  1             OU=Secure Digital Certificate Signing, O=StartCom Ltd., CN=StartCom Certification Authority, C=IL
                                                                          Valid From: Sun, 17 Sep 2006 21:46:36 +0200
                                                                          Valid Until: Wed, 17 Sep 2036 21:46:36 +0200

              Name                   Internal  Issuer       Certificates  Distinguished Name
              StartSSL Intermediate  NO        CA           1             OU=Secure Digital Certificate Signing, O=StartCom Ltd., CN=StartCom Class 1 Primary Intermediate Server CA, C=IL
                                                                          Valid From: Wed, 24 Oct 2007 22:54:17 +0200
                                                                          Valid Until: Tue, 24 Oct 2017 22:54:17 +0200

              And my own cert gets info accordingly, issued by StartSSL Intermediate, gets valid dates, the correct CN name etc.

              /erik

              • thurines

                Allow me to laugh at myself: I did not decrypt the private key before using it in the captive portal. Now with the decrypted key it works perfectly in 2.03, and I'm going to go back to 2.1 and try there. When I'm done with this project I'm going to write a guide on how to set up the pfSense firewall with multiple captive portals authenticating to Windows Server 2012 RADIUS and vouchers using HTTPS with a StartSSL cert.

                Thanks mikekennedy for your time and support, without it I might have lost hope a few days ago!

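The cause reported in the post above, a passphrase-encrypted private key pasted into the portal, can be caught before upload. The following is an added example, not code from the thread or from pfSense: a standard-library Python check of the PEM text destined for the certificate and key fields; the function names and the sample blocks are constructed for illustration.

```python
import base64
import binascii
import re

# One PEM block; the label must be identical in the BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL | re.MULTILINE)
# A BEGIN/END line where copy and paste turned a hyphen into an en or em dash.
MANGLED = re.compile(r"^.*[\u2013\u2014].*(?:BEGIN|END) [A-Z0-9 ]+-", re.MULTILINE)


def inspect_pem(text):
    """Return [(label, status)] for every PEM block found in text."""
    findings = []
    if MANGLED.search(text):
        findings.append(("DELIMITER", "mangled dashes"))
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Traditional OpenSSL keys carry "Name: value" headers before the base64.
        headers = {}
        while lines and ":" in lines[0]:
            name, _, value = lines.pop(0).partition(":")
            headers[name.strip()] = value.strip()
        encrypted = (label == "ENCRYPTED PRIVATE KEY"  # PKCS#8 form
                     or headers.get("Proc-Type", "").endswith("ENCRYPTED"))
        try:
            der = base64.b64decode("".join(lines), validate=True)
        except binascii.Error:
            findings.append((label, "bad base64"))
            continue
        # Unencrypted DER always starts with a SEQUENCE tag (0x30).
        status = "encrypted" if encrypted else "ok" if der[:1] == b"\x30" else "not DER"
        findings.append((label, status))
    return findings


def portal_problems(cert_text, key_text):
    """List reasons the certificate and key fields are not ready to paste."""
    certs, keys = inspect_pem(cert_text), inspect_pem(key_text)
    problems = [f"{label}: {status}" for label, status in certs + keys if status != "ok"]
    if not any(label == "CERTIFICATE" for label, _ in certs):
        problems.append("no CERTIFICATE block in certificate field")
    if not any(label.endswith("PRIVATE KEY") for label, _ in keys):
        problems.append("no private key block in key field")
    return problems


def make_sample(label, payload, headers=""):
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# Constructed samples: the payloads are filler bytes, not real certificates or keys.
CERT = make_sample("CERTIFICATE", b"\x30\x82" + b"constructed certificate filler")
PLAIN_KEY = make_sample("RSA PRIVATE KEY", b"\x30\x82" + b"constructed key filler")
ENCRYPTED_KEY = make_sample("RSA PRIVATE KEY", b"constructed ciphertext filler",
                            "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n")
MANGLED_CERT = CERT.replace("-----BEGIN", "\u2013---BEGIN", 1)
```

A key reported as `encrypted` has to be written out without its passphrase first, for example with `openssl rsa -in portal.key -out portal-decrypted.key` (file names are placeholders); keep the decrypted file readable only by its owner.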
                • mikekennedy

                  No worries, sorry my explanations might not have been the clearest. Glad you got it working. Send me a pm if you have any problems, just starting to learn server 2012 myself for work.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.