SSL Protected Hotspot - Users get Cert Errors on Login

Hi,

I believe I have discovered a problem with the way users are captured by the MikroTik Hotspot. If the Hotspot is implemented using an SSL Certificate and only allows Hotspot Portal logins via HTTPS, any user whose Home Page or manually selected initial page is SSL protected, can receive a Certificate error in their Browser.

This seems to happen because the MikroTik Hotspot captures the session and simply returns its own reply. This is interpreted by some Browsers as an SSL “man in the middle” attack.

Ideally when capturing the user session instead of simply replying, the Hotspot should issue an HTTP redirect to the https://hotspot.domain/login URL.

This problem occurs on all RouterOS versions at or above v4.10, don’t know about other versions. Definitely affects Firefox, Internet Explorer seems to be more random, some users of IE8 are affected and some aren’t, so far I have been unable to identify why.

I believe our Hotspot is correctly configured, we’re using a GoDaddy SSL Cert and the intermediate Root Certs are installed on the Hotspot.

Anyone else experienced these problems and/or found a solution?

Regards

Chris Macneill

> Ideally when capturing the user session instead of simply replying, the Hotspot should issue an HTTP redirect to the https://hotspot.domain/login URL.

That is literally impossible. The client is requesting an SSL page. The router can either answer itself, in which case it won’t have the right certificate and a warning will be generated - or it can let the request through regardless of authentication status.

Either you permit all SSL sites in the walled garden, or there’ll be errors. You can’t issue a redirect without pretending to be the site contacted.

I’ve got around the problem by inserting some extra Firewall rules. Before authentication I now only allow port 80 traffic and port 443 traffic destined for the Hotspot through, all other traffic is dropped. Probably better that a user gets a site not available message for initial HTTPS destinations rather than getting a spurious Cert Error. Hopefully users will be sensible enough to try another website if the first one fails.
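The two posts above (why an HTTPS request cannot simply be redirected, and the port-80/443 firewall workaround) as an added Python model; it is not MikroTik code and not from anyone in the thread. It reads the first bytes of an unauthenticated client's connection: a plaintext request carries a Host header that a 302 can answer, while a TLS ClientHello only exposes the SNI name, so the router can answer it with its own certificate, pass it, or drop it. The portal name hotspot.example.net, the walled-garden entries and the ClientHello bytes are constructed for the example.

```python
import struct
PORTAL = "hotspot.example.net"                  # assumed portal name, not from the thread
WALLED_GARDEN = {PORTAL, "status.example.net"}  # constructed pre-login allow-list

def http_host(data):  # Host header of a plaintext HTTP request, else None
    for line in data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def tls_sni(data):  # SNI name from a TLS ClientHello: the only name the router can read
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        p = 43                                           # record(5)+handshake(4)+version(2)+random(32)
        p += 1 + data[p]                                 # session id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]   # cipher suites
        p += 1 + data[p]                                 # compression methods
        p, end = p + 2, p + 2 + struct.unpack("!H", data[p:p + 2])[0]  # extensions block
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if ext_type == 0:                            # server_name: list len(2) type(1) len(2) name
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                return data[p + 5:p + 5 + name_len].decode("ascii")
            p += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def build_client_hello(host):  # constructed minimal TLS 1.2 ClientHello with SNI (sample input)
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x03" + bytes(33) + b"\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def portal_action(data, drop_foreign_https):  # what the hotspot can do with a pre-login connection
    host = http_host(data)
    if host is not None:                         # plaintext: a 302 to the login page is possible
        return "forward" if host in WALLED_GARDEN else "redirect https://%s/login" % PORTAL
    host = tls_sni(data)
    if host == PORTAL:                           # the router does hold the certificate for its own name
        return "terminate-tls"
    if host in WALLED_GARDEN:                    # 'permit the SSL site in the walled garden'
        return "forward"
    if drop_foreign_https:                       # the firewall workaround: user sees 'site not available'
        return "drop"
    return "terminate-tls:certificate-mismatch"  # default capture: browser shows a certificate warning
```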

Yes, this is a general problem when it comes to hotspots, whatever you use.
I would prefer the cert. error above a site not available message, but ok, that’s personal opinion.