Hotspot not working with HTTPS Redirect enabled

ocgltd · February 18, 2022, 4:20am

I have a simple hotspot running, but not quite properly. If I disable HTTPS Redirect, and set SSL cert to none, in the profile then the MT intercepts browsing and shows the login page after connection - for HTTP sites only.

I created a (self signed) cert for hotspot.mydomain.com and put in on the MT, set the cert in the hotspot profile and enabled HTTPS Redirect, and then attempts to reach any site upon connection results in a “Connect To Wifi” page in chrome saying that I may be required to visit the login page. When I click the CONNECT button on the page I end up at the same page again. The address bar shows the HTTPS warning (probably that cert doesn’t match).

Why is the MT not taking the user to the login page when using HTTPS sites and enable HTTPS Redirect + set SSL cert?

My hotspot setup:

 0   name="My Hotspot" interface=vlan40-guestwifi profile=hs-test idle-timeout=5m keepalive-timeout=none login-timeout=none addresses-per-mac=unlimited proxy-status="running"

Profiles setup (with HTTPS disabled):

 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot html-directory-override="" rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap 
     http-cookie-lifetime=3d split-user-domain=no use-radius=no 

 1   name="hs-test" hotspot-address=192.31.249.1 dns-name="hotspot.mydomain.com" html-directory=hotspot html-directory-override="" rate-limit="" http-proxy=0.0.0.0:0 smtp-server=192.31.254.25 
     login-by=http-chap,https,http-pap ssl-certificate=none https-redirect=yes split-user-domain=no use-radius=no

One big clue,if I browse to HTTPS://hotspot.mydomain.com I end up in the same loop. I think the cert/info being served by the MT is being rejected by the browser…not idea why. The cert I installed includes the private key, and the SAN is DNS:hotspot.mydomain.com

ocgltd · February 18, 2022, 2:44pm

After much experimenting it seems this issue maybe Chrome specific, and may be related to Chrome trying to detect if it’s behnd a captive portal. There are several posts with conflicting advice (eg: create DNS entries for gstatic.com that lead to private IP not in use), or (add gstatic.com to walled garden), etc.

I suspect the right solution may have changed over team - but neither one works for Chrome (the most popular mobile browser today)…so this is a big problem.

Anyone have a current working solution?

Sob · February 18, 2022, 6:36pm

You should be able to directly open https://hotspot.mydomain.com if:

it has certificate from trusted CA, then it should just work
it has self-signed certificate, then it can work if you install it as trusted on client (it’s only good for experiments, no random client will ever do it)
it has self-signed certificate, but client doesn’t have it, it should work if you tell browser to ignore non-matching certificate (if browser allows that)

But otherwise don’t have too optimistic expectations, it’s not possible to redirect https without errors. If you have https-redirect=yes, it tells hotspot to attempt same kind of MITM attack that it does with http, which will work only to the point that client will connect to your hotspot https server, but it will fail with certificate error, because you can never get trusted certificate for any random site that client wanted to connect to.

ocgltd · February 19, 2022, 3:33am

I was expecting cert errors, but the problem I didn’t expect was the MT not redirecting to the login page.

After upgrading from RoS 6.x to 7.x the problem is gone. WOw, wasted lot of time on that one