Replacing CP IP address with a FQDN



  • Hi Buddies,
    again on the topic of replacing the captive portal IP address with a FQDN.

    I used StartSSL to get root, intermediate and CA certificates, and I could replace the IP address of the captive portal with a FQDN. When I open the browser for the first time, the login page comes automatically and everything works fine.

    But I still have a problem:
    If I myself call the FQDN assigned to the captive portal login page, for example I type wifi.yaman.com in the browser, then it asks me to trust the certificate (this case I don't like to have).
    On the other hand, if I add the port manually, wifi.yaman.com:8003, then the login page comes without asking me to trust the certificate. But the problem in this case: after I enter the username and password, I get online, but the browser stays on the captive portal page; it doesn't continue redirecting. So the user will feel that he doesn't have access until he tries to call another website, then he will realize that he is now online.

    Any suggestions????

    What I did exactly:
    1- Generate the certificates with StartSSL.
    2- Add the certificates to the Cert Manager.
    3- Disable the DNS Resolver.
    4- Enable the DNS Forwarder.
    5- Map the IP address of the captive portal to the FQDN in the DNS Forwarder.
    On captive portal settings: I enabled HTTPS login and I assigned the HTTPS server and the certificate name.
    Is there anything left to do?
    Note: my DNS server is the same pfSense software; I don't have an external DNS server.

  • Once authenticated, the captive portal directs the user to whichever site the user was trying to get to prior to authenticating. If the user in this instance is navigating to the login page, then that's where the captive portal will direct the user to after successfully authenticating.

    You might find it better to put a redirection after authentication, so the user is taken out of the login page. In your captive portal configuration, enter an external URL (e.g. https://www.google.com) in the field marked 'After authentication redirection URL'. Or, perhaps more appropriately, you can use your company site as the redirection URL.

  • @yaman.amin:

    I used StartSSL to get root, intermediate and CA certificates, and I could replace the IP address of the captive portal with a FQDN. When I open the browser for the first time, …

    and the browser doesn't show some 'local' page but a page from the Internet, by preference a http://… site (not a https:// !!),
    then
    @yaman.amin:

    the login page comes automatically and everything works fine.

    Good, your portal is redirecting to the login page, you log in, and then it redirects you to the original page the browser was asking for.

    All good then  :)

    @yaman.amin:

    But I still have a problem:
    If I myself call the FQDN assigned to the captive portal login page, for example I type wifi.yaman.com in the browser, then it asks me to trust the certificate (this case I don't like to have).
    On the other hand, if I add the port manually, wifi.yaman.com:8003, then the login page comes without asking me to trust the certificate. But the problem in this case: after I enter the username and password, I get online, but the browser stays on the captive portal page; it doesn't continue redirecting. So the user will feel that he doesn't have access until he tries to call another website, then he will realize that he is now online.

    The first part: read https://forum.pfsense.org/index.php?topic=63791.0 again (the part about how to assemble and install certificates).
    Something is very wrong.

    See my 'images' - compare them with yours.

    The second part. As said, no one should surf to the login page by using its address, because visitors wouldn't know what this address is anyway.
    But IF you type that URL, then you get redirected to … that (the login page) URL when you are logged in.
    So, that is good (but you are misusing the portal  ;)).

    @yaman.amin:

    Any suggestions????
    What I did exactly:
    1- Generate the certificates with StartSSL.
    2- Add the certificates to the Cert Manager.

    See the link I mentioned about how to do so.
    @yaman.amin:

    3- Disable the DNS Resolver.
    4- Enable the DNS Forwarder.

    I did it the other way around … I like to use the DNS server that pfSense offers.

    @yaman.amin:

    5- Map the IP address of the captive portal to the FQDN in the DNS Forwarder.

    See image 3.
    One question: strange IP … 192.168.75.3 … why not 192.168.2.1 (for the first IP on the first OPT1 interface) or 192.168.75.1 … I don't get the "3" here.

    @yaman.amin:

    Note: my DNS server is the same pfSense software; I don't have an external DNS server.

    You're sure?
    The "DNS Forwarder" sends DNS requests from clients 'away' to be handled outside of your network.

    edit: about my Certificates image:
    The first self-signed certificate is the one pfSense makes when it boots the first time.
    It's the one that will be used when you use the HTTPS login into the web GUI. It's self-signed, that's no problem, the warning will be understood by the admin … Note: I'm NOT using this certificate now, because:
    The second certificate is a StartSSL-signed one that I use to access the web GUI … (I installed it just to train myself … ;))
    The third one is the actual StartSSL-signed certificate that I use for my portal HTTPS access. This has worked for years now like this - I'm running this setup in a place loaded with network expert people: a hotel. The 'clients' never complain: Internet access by portal access works … (if not, they WOULD yell).

  • Thanks a lot Gertjan,
    actually I already read your tutorial post in 2013, before I started setting up the certificates. But it seems that the procedure on startssl.com changed somehow; it is not exactly as you explained at that time. For example, when applying for a certificate you wrote that you have first to write a PSK, then the CSR, …
    Now StartSSL directly asks you to submit the CSR; that means you must prepare your CSR and generate your private key alone, using openssl for example, then you submit the CSR.
    I got confused that after you submit the CSR, they offer you two options, one of them if you want to support the PKI system. If you choose it, then StartSSL will ask you to write a PSK (which PSK should I give, the one I used with openssl when I generated my private key, or a new PSK??) and then they will generate a private key. So I got confused which private key I have to use: the one I generated with openssl or a different one? Taking into consideration my CSR request has been signed by the private key I generated with openssl.

    What I did exactly:
    1- Generate the private key: # openssl genrsa -aes128 -out key.key 2048
    2- Generate the CSR request: # openssl req -new -key key.key -out certificate.csr
    3- I copied the content of certificate.csr to startssl.com (CSR field).
    4- (Should I choose PKI system or not at the bottom of the page?) I got confused here.
    5- Generate the certificate; they sent me three certificates: root, intermediate and CA.

    I noticed in your images it classified the issuer as Root+intermediate+… that is not the case in my certificates.
    Another question: when you generate the CSR, which information do you have to include? I just included my domain name and the country. Is there anything else? I will send you some images tomorrow. If you access startssl.com now you will see what I mean.

    6- On pfSense I applied, under the CAs leaf: first the root, second the intermediate. Here there is an optional field if you want to paste the private key as well. Again the question: which private key, the one from openssl or the one from PKI in openssl?

    As you see there are some confused points that need to be clarified.
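Added example, not code from this thread or from pfSense: a shell script that rebuilds the root / intermediate / leaf structure the posts above talk about with a throwaway test CA, so you can see that an issued certificate only pairs with the key that signed the CSR, and check the assembled chain (server certificate followed by the intermediate) before importing it. The FQDN wifi.example.test and every key here are constructed placeholders.

```shell
# Added example: throwaway root -> intermediate -> leaf chain built with openssl to
# check key/certificate pairing and chain assembly before importing into pfSense.
# wifi.example.test is a constructed placeholder for the portal FQDN.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN="wifi.example.test"

# Key is generated locally and the CSR is signed with it, so the certificate the
# CA later returns works only with this key, not with any key the CA offers to make.
gen_key_and_csr() {
  openssl genrsa -out "$WORK/portal.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/portal.key" -subj "/C=XX/CN=$CN" -out "$WORK/portal.csr" 2>/dev/null
}

# Stand-ins for the CA's own root and intermediate (a real CA never hands out these keys).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -subj "/CN=Test Root" -days 2 -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -subj "/CN=Test Intermediate" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -days 2 -out "$WORK/int.crt" 2>/dev/null
}

# The intermediate signs the portal CSR; the SAN is what browsers match the FQDN against.
sign_leaf() {
  printf 'subjectAltName=DNS:%s\n' "$CN" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/portal.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -days 2 -out "$WORK/portal.crt" 2>/dev/null
}

# Succeeds only when the public key derived from private key $1 equals the one in cert $2.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# The portal serves leaf + intermediate; the root lives in the client's trust store.
# Verifies that assembled chain the way a browser would: trusting the root only.
chain_verifies() {
  cat "$WORK/portal.crt" "$WORK/int.crt" > "$WORK/portal-chain.crt"
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/portal-chain.crt" \
    "$WORK/portal.crt" >/dev/null 2>&1
}

gen_key_and_csr; make_test_ca; sign_leaf
key_matches_cert "$WORK/portal.key" "$WORK/portal.crt" && chain_verifies && echo "key and chain OK"
```

Swapping in any other key for portal.key makes key_matches_cert fail, which is the situation to avoid when a CA offers to generate a second key after you already submitted a CSR.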