othmane
just joined
Topic Author
Posts: 8
Joined: Mon Apr 21, 2014 8:35 pm

https redirect issue

Mon Jul 07, 2014 3:59 pm

Hi guys,

I have set up a hotspot service using the MikroTik router as a service controller and an external access point. The user experience I was expecting is:
1) the user associates with the SSID broadcast by the AP
2) the user opens a browser and tries to get to the internet by entering a URL
3) the user is redirected to the login page hosted on the MikroTik
4) the user enters his login/pwd and is authenticated against a RADIUS server

The issue I have is:
in step 2, if users enter an HTTP URL then everything works fine. However, in case they enter an HTTPS URL then they get a browser error saying: "the connection was reset, the connection to the server was reset while the page was loading......".

As far as I know, in case of an SSL issue we get a warning from the browser saying "this site is not trusted.......if you want to continue click OK", so I was wondering if installing an SSL certificate will solve the issue.

Does anyone have an idea about this issue?

Thanks
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: https redirect issue

Mon Jul 07, 2014 7:29 pm

> Hi guys,
>
> I have set up a hotspot service using the MikroTik router as a service controller and an external access point. The user experience I was expecting is:
> 1) the user associates with the SSID broadcast by the AP
> 2) the user opens a browser and tries to get to the internet by entering a URL
> 3) the user is redirected to the login page hosted on the MikroTik
> 4) the user enters his login/pwd and is authenticated against a RADIUS server
>
> The issue I have is:
> in step 2, if users enter an HTTP URL then everything works fine. However, in case they enter an HTTPS URL then they get a browser error saying: "the connection was reset, the connection to the server was reset while the page was loading......".
>
> As far as I know, in case of an SSL issue we get a warning from the browser saying "this site is not trusted.......if you want to continue click OK", so I was wondering if installing an SSL certificate will solve the issue.
>
> Does anyone have an idea about this issue?
>
> Thanks

1) assign one dns name to your hotspot, like hs.myservice.net

2) Buy one certificate here:
http://it.godaddy.com/ssl/ssl-certificates.aspx

3) set the hotspot to use your certificate
 
othmane
just joined
Topic Author
Posts: 8
Joined: Mon Apr 21, 2014 8:35 pm

Re: https redirect issue

Tue Jul 08, 2014 3:27 pm

Thank you Rextended for your answer,

Can I use a self-signed certificate for testing before buying a real one?
 
c0d3rSh3ll
Long time Member
Posts: 557
Joined: Mon Jul 25, 2011 9:42 pm
Location: [admin@Chile] >

Re: https redirect issue

Tue Jul 08, 2014 5:59 pm

> Thank you Rextended for your answer,
>
> Can I use a self-signed certificate for testing before buying a real one?

Yes. You can generate it in Linux and upload it to RouterOS.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: https redirect issue

Tue Jul 08, 2014 6:06 pm

But every time, the devices that connect to the hotspot complain about unsigned - untrusted certificates, displaying warning messages, because your own cert is not authorized by root certificates...
 
c0d3rSh3ll
Long time Member
Posts: 557
Joined: Mon Jul 25, 2011 9:42 pm
Location: [admin@Chile] >

Re: https redirect issue

Tue Jul 08, 2014 6:51 pm

> But every time, the devices that connect to the hotspot complain about unsigned - untrusted certificates, displaying warning messages, because your own cert is not authorized by root certificates...

As he says:

> Can I use a self-signed certificate for testing before buying a real one?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: https redirect issue

Tue Jul 08, 2014 7:07 pm

>> But every time, the devices that connect to the hotspot complain about unsigned - untrusted certificates, displaying warning messages, because your own cert is not authorized by root certificates...
>
> As he says:
>
>> Can I use a self-signed certificate for testing before buying a real one?

I complete your reply because you omitted that...

> As far as I know, in case of an SSL issue we get a warning from the browser saying "this site is not trusted.......if you want to continue click OK", so I was wondering if installing an SSL certificate will solve the issue.

If the user uses his own self-made cert, the issue he wants to solve is not solved....
 
sun
just joined
Posts: 2
Joined: Tue Aug 12, 2014 3:44 pm

Re: https redirect issue

Wed Aug 13, 2014 10:38 am

I'm facing the same issue. I bought the GoDaddy SSL cert and still get the warning page. Which SSL cert can support MikroTik Hotspot to avoid the warning page?
 
awacenter
Member Candidate
Posts: 201
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

Re: https redirect issue

Wed Aug 13, 2014 11:25 am

This is a money issue.

In my experience with the MikroTik hotspot service, not all SSL certificates work fine. It depends on the Certificate Authority. There are Level 1 to Level 3 or more.
CA Level 1 (well-known companies such as VeriSign, GeoTrust...) certificates are in almost all user devices. There is the CA certificate and your own signed certificate.

In a CA level 3, you have to upload to MikroTik the CA Level and CA level 2 certificate and your own signed certificate. This process is a bit of a mess for the user devices.

CA level 1 is expensive and CA level 3 is cheaper.

Briefly, this is the reason: how well-known your CA is.



If you like, karma+
 
salvatron
just joined
Posts: 7
Joined: Mon Aug 11, 2014 1:32 pm

Re: https redirect issue

Thu Aug 14, 2014 10:12 am

I don't understand.

In my case, I have the default login.html of Mikrotik.

If the customers navigate to any HTTPS website (Google for example), the MikroTik does not redirect to login.html, but if the customer navigates to any HTTP website, the MikroTik redirects to the login page.

Why put an HTTPS certificate? That domain? I do not have a domain.

Is the solution to buy a certificate?
 
salvatron
just joined
Posts: 7
Joined: Mon Aug 11, 2014 1:32 pm

Re: https redirect issue

Thu Nov 20, 2014 1:13 pm

I followed all the steps correctly

1) assign one dns name to your hotspot, like hs.myservice.net
2) Buy one certificate from a trusted certificator.
3) set the hotspot to use your certificate.

My login page is HTTPS now, and works fine; the certificate is correct.

I type in the browser: http://www.google.com and it redirects to the login page fine.

But if I type https://www.google.com or type "blabla" in the browser address bar (IE, Firefox, Chrome), the browser shows an error, with messages about hackers and warnings because the certification is not correct.

Why put my certificate for Google?
 
jaykay2342
Member
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: https redirect issue

Wed Nov 26, 2014 2:56 pm

That error is usual and you can't avoid it! From the technical view a man-in-the-middle attack is happening.

When you type https://google.com into your browser:
1. It resolves google.com into an IP. Let's say it's 203.0.113.57.
2. The browser connects to TCP port 443 on 203.0.113.57.
3. The RouterOS system redirects this connection to its Hotspot system.
4. Browser and Hotspot are doing the SSL handshake. This includes that the hotspot is sending its certificate.
5. The browser still "thinks" it connects to google.com. But as the browser has received a certificate which is for your hotspot and NOT for google.com, it shows a warning.

Everything is working as it should.
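
The name check behind step 5, as an added example that is not part of the original thread: it models only the browser's hostname comparison (not chain validation) for the three URLs discussed above. The function names, the `/login` path and the assumption that the portal certificate lists only `hs.myservice.net` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample values: the portal name is the one suggested earlier in the
# thread; the certificate is assumed to list only that DNS name.
PORTAL_HOST = "hs.myservice.net"
PORTAL_CERT_NAMES = ["hs.myservice.net"]


def hostname_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with the host the user asked for."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never several
    if p[0] == "*":
        # Wildcard accepted only as the whole left-most label of a name with
        # at least three labels ("*.net" is rejected).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host: str) -> bool:
    """True if any DNS name in the certificate matches the requested host."""
    return any(hostname_matches(name, host) for name in cert_names)


def client_outcome(url: str, cert_names=PORTAL_CERT_NAMES) -> str:
    """Result for an unauthenticated client whose connection the hotspot answers."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        # Plain HTTP carries no server identity, so the redirect is accepted.
        return "redirected to login page"
    # HTTPS: the hotspot presents its own certificate during the handshake and
    # the browser checks it against the name in the address bar.
    if cert_covers(cert_names, parts.hostname):
        return "handshake accepted"
    return "certificate warning"


if __name__ == "__main__":
    # Constructed URLs: the two Google cases from the thread plus the portal itself.
    for url in ("http://www.google.com", "https://www.google.com",
                f"https://{PORTAL_HOST}/login"):
        print(f"{url:32} -> {client_outcome(url)}")
```

A certificate from any CA changes only the third case; no certificate issued for the hotspot's own name can satisfy the check for a site the operator does not control.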
 
rusellbernand
just joined
Posts: 7
Joined: Mon Dec 22, 2014 1:54 pm

Re: https redirect issue

Tue Dec 30, 2014 6:49 am

OK! You mentioned that you are entering the URL but are redirected to the login page. I don't know whether you have entered many URLs to identify the exact problem. Also, when entering a URL it shows 'the connection was reset', so you may do a DNS lookup to know the consumption of packet data; after you find the same error, then check with your internet service provider through the website http://www.whoisxy.com/ where I checked previously.
