Captive Portal with external certificate



  • Hello

    My goal is to set up an environment with a LAN, OPT1 (as Guest1), OPT2 (as Guest2) and WAN. I use pfSense 2.1-RC0 (amd64), FreeBSD 8.3-RELEASE-p8.

    Guest1-----P
               F
    Guest2-----S
               e-------WAN
               n
               s
    LAN--------e

    The LAN should be a normal LAN and nothing special really. But the guest networks should be set up with a captive portal each. Guest1 should be set up with a captive portal using RADIUS authentication with MSChapv2, connected to a Windows Server 2012 NAP server for authentication against Active Directory. The Guest2 network will be set up with vouchers. Both captive portals will have to use HTTPS for security. Each network segment is really just its own VLAN, and Guest1, Guest2 and LAN are all on the same physical wiring.

    Right now I'm testing with a 3-legged setup, omitting the Guest2 network, and I'm stuck trying to get HTTPS to work on the captive portal for the guest network.

    I signed up for a free StartSSL certificate, which I learned should work with a web server such as a captive portal. I added the StartSSL Root CA and the Intermediate CA into the Cert Manager as external CAs. Then I went under the Certificates leaf in Cert Manager and added the certificate and key I got from StartSSL. After that I added a rule for the Guest network to be able to go anywhere.

    FW Rule for guest:
    Proto  Source            Port  Destination  Port  Gateway  Queue  Schedule
    IPv4    192.168.2.0/24    *          *            *        *          none

    After that I went into DNS Forwarder under the Services menu and added a Host Override for hostname.domain.tld (I used the name used when I created the certificate) and set it to the IP address of the interface on the pfSense box facing the guest VLAN.

    When this was done I went into the settings for captive portal. I added a new captive portal and enabled it for the guest network, set the authentication to local manager (for testing purposes) and tested the setup without HTTPS, and it worked nicely while I tried with the admin account. After that I changed HTTP to HTTPS, set the hostname to the same as in DNS Forwarder and set the certificate I previously added under the certificate leaf in cert manager.

    When I try with these settings the browser, in this case IE8, just spins and returns "page could not be found" after a while.

    Does anyone have experience setting up a captive portal with a third-party certificate like this? I tried to add crl.startssl.com to the allowed hostname list, thinking the client might want to reach the CRL list, but it doesn't help. I tried to create a self-signed certificate, which I got working, but it returns an SSL error when the clients connect, of course. I tried to set the hostname in the DNS server instead of the DNS Forwarder, but that didn't change the behavior either. I restarted both the client on the guest network and the pfSense between configuration changes to make sure it reset.

    Could anyone point me in the right direction to get a third-party cert to work in a captive portal?

    /erik



  • Are you using port 8001 instead of 8000 since you switched to HTTPS?



  • Thanks for your reply!

    The pfSense router automatically switches to port 8001 when I select HTTPS. Here is some new info.

    My test lab resides in VirtualBox on my local machine. The WAN is bridged to my NIC, and the LAN and GUEST are bridged to a vswitch each. To the LAN switch is a virtual Server 2012, and to the GUEST is a Windows 7 machine, and it's the Win 7 I try to get on the internet.

    I made a Wireshark capture on the Win7 machine and got some layer 3 checksum errors, and I suspect that HTTPS gets broken because the WAN of my pfSense machine is actually a private IP address that my workstation gets from the internal DHCP server, which is then NATed in another (the production) pfSense router before it reaches the ISP.

    Actual topology:

    Win7 -- guest vswitch -- pfsense2.1 -- LAN -- pfsense(production) -- WAN
                             (NAT HERE)           (NAT HERE)

    Is HTTPS sensitive to NAT in this way?

    /erik



  • I just set up a Captive Portal on pfSense with a StartSSL cert (this is what I normally use; I just rebuilt the router and didn't have it set up yet).

    ID Proto Source Port Destination Port Gateway Queue Schedule Description
              *             *         *       *           *     *         none               Allow CP to Any

    On the page, I am using a soft timeout of 5 mins, hard timeout of 60. The logout window is enabled with concurrent logins disabled. Local user manager is being used for testing purposes. Enable HTTPS login is checked with portal.mydomain.com in the text box.

    In the HTTPS Certificate box:

    -----BEGIN CERTIFICATE-----
    portal.mydomain.com CERTIFICATE INFORMATION HERE
    -----END CERTIFICATE-----

    In the HTTPS Private key box:
    -----BEGIN RSA PRIVATE KEY-----
    portal.mydomain.com KEY INFORMATION HERE
    -----END RSA PRIVATE KEY-----

    In the HTTPS Intermediate Certificate:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

    I am also using the default pages for testing.
    Can you confirm the above settings and the correct intermediate certificate? Also join the captive portal network and perform an nslookup <your interface ip> and a ping <your interface ip>. Also, on the DNS Forwarder tab under Services, I have a host override for portal.mydomain.com pointing to 10.0.0.254.

    If these tests are successful, we will try again. Let me know how it goes.



  • Thanks a lot for your post.

    I have tried your suggestions; however, I still get the same result: the web page just spins while displaying my hostname.domainname.tld until I get the "page could not be found" message. I can see that it tries on port 8001 with HTTPS and that it's a redirect URL from my start page.

    Since I run pfSense 2.1 the captive portal interface looks a bit different. I added the StartSSL CA and Intermediate CA to System -> Cert Manager under the CAs leaf, and my certificate for the server under the Certificates tab, instead of adding the certs directly under the captive portal interface, since there is no GUI where I can add this information directly under the CP interface.

    Then I go to the DNS Forwarder page and add the hostname and domain as well as the IP for the local interface, and make sure I can both ping and nslookup that address from the CP client on the CP network.

    Then when I get to the Captive Portal interface I add a new captive portal, enable it for the local interface I want it to apply to, and set the settings according to your suggestion above, apart from the HTTPS part, where the interface has changed in 2.1. Instead there are the following fields, and these are the values that I set:

    HTTPS Login:          Enable https (checked)

    HTTPS server name:    hostname.domain.tld (a public domain that I own, with a hostname set
                          to the same value as in the certificate and the DNS Forwarder page. No
                          public DNS points to this hostname on the internet)

    SSL Certificate:      Dropdown menu (select my certificate from the cert manager)

    I save this, and I think that the CA, Intermediate CA and my own certificate and key should be collected from the cert manager, but something is still wrong.

    I'm going to try to install pfSense 2.03 and try your EXACT settings just to make sure there is nothing wrong with the certificate. If that works I'm gonna assume that there is something wrong between the cert manager and captive portal service in pfSense 2.1 when working with external certificates, since I got this to work when using an internal certificate through the cert manager.

    I will post back when I have tried this on 2.03.

    Oh, and by the way, here are the certificates I copy-paste into cert manager.

    CA

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

    Intermediate

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

    When I paste them in, the cert manager looks like this under the CAs leaf:

    Name                   Internal  Issuer       Certificates  Distinguished Name
    StartSSL CA            NO        self-signed  1             OU=Secure Digital Certificate Signing, O=StartCom Ltd.,
                                                                CN=StartCom Certification Authority, C=IL
    Valid From:  Sun, 17 Sep 2006 21:46:36 +0200
    Valid Until: Wed, 17 Sep 2036 21:46:36 +0200

    Name                   Internal  Issuer       Certificates  Distinguished Name
    StartSSL Intermediate  NO        CA           1             OU=Secure Digital Certificate Signing, O=StartCom Ltd.,
                                                                CN=StartCom Class 1 Primary Intermediate Server CA, C=IL
    Valid From:  Wed, 24 Oct 2007 22:54:17 +0200
    Valid Until: Tue, 24 Oct 2017 22:54:17 +0200

    And my own cert gets its info accordingly: issued by StartSSL Intermediate, valid dates, the correct CN name etc.

    /erik



  • Allow me to laugh at myself: I did not decrypt the private key before using it in the captive portal. Now with the decrypted key it works perfectly in 2.03, and I'm going to go back to 2.1 and try there. When I'm done with this project I'm going to write a guide on how to set up the pfSense firewall with multiple captive portals authenticating to Windows Server 2012 RADIUS and vouchers, using HTTPS with a StartSSL cert.

    Thanks mikekennedy for your time and support; without it I might have lost hope a few days ago!
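The fault found above (a still-encrypted private key) and the CA/intermediate setup from mikekennedy's post can both be checked on the command line before anything is pasted into Cert Manager. This is an added example, not code from the thread or from pfSense; it assumes only the openssl CLI, and the root CA, intermediate and portal certificate it uses are throwaway ones it builds itself (stand-ins for the StartSSL chain, not real CA material).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for captive-portal
# certificate material. Assumes the openssl CLI; all certs are built here.
set -e
WORK=$(mktemp -d)

# Constructed stand-in for the StartSSL chain: root CA -> intermediate -> portal.
# The portal key is deliberately written passphrase-protected, like the one in
# the thread that had not been decrypted before use.
build_test_chain() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -days 2 -subj "/CN=Test Root CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Test Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out inter.pem -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -keyout portal.key -passout pass:secret \
    -out portal.csr -subj "/CN=portal.example.test" 2>/dev/null
  openssl x509 -req -in portal.csr -CA inter.pem -CAkey inter.key \
    -CAcreateserial -out portal.pem -days 2 2>/dev/null
  cd - >/dev/null
}

# 0 if the PEM key is still passphrase-protected (matches both the legacy
# "Proc-Type: 4,ENCRYPTED" header and "BEGIN ENCRYPTED PRIVATE KEY").
# A key like this cannot be used by the portal, and the HTTPS listener never
# comes up, which is what the browser showed as "page could not be found".
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Write an unencrypted copy of the key: the "decrypt the private key" step.
decrypt_key() { openssl pkey -in "$1" -passin "pass:$3" -out "$2"; }

# 0 if the key's public half is the one embedded in the certificate.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# 0 if the leaf chains to the root through the intermediate; this is the
# relationship the CA and Intermediate entries in Cert Manager must reproduce.
chain_verifies() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

build_test_chain
key_is_encrypted "$WORK/portal.key" && echo "portal.key is encrypted: decrypt it first"
decrypt_key "$WORK/portal.key" "$WORK/portal-plain.key" secret
key_matches_cert "$WORK/portal-plain.key" "$WORK/portal.pem" && echo "key matches cert"
chain_verifies "$WORK/root.pem" "$WORK/inter.pem" "$WORK/portal.pem" && echo "chain OK"
```

Run the same four functions against the StartSSL files instead of the constructed ones; a chain_verifies failure with the root alone as the untrusted file is what a missing or wrong intermediate looks like.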



  • No worries, sorry my explanations might not have been the clearest. Glad you got it working. Send me a pm if you have any problems, just starting to learn server 2012 myself for work.

