HotSpot Trial user pre-login https server error

Posted: Tue Mar 28, 2017 3:54 pm
by ik3umt
I have enabled trial user on the hotspot

If the user tries to browse HTTP sites, the hotspot welcome page appears.
If he tries to browse an HTTPS site, the browser says it cannot open the page because the server connection has failed.

After a regular trial login (by choosing an HTTP site), HTTPS sites can also be displayed.

Any solution to display the login page the first time with HTTPS requests?

Re: HotSpot Trial user pre-login https server error

Posted: Tue Mar 28, 2017 4:39 pm
by pukkita
There's no solution.

Hotspot uses a man-in-the-middle scheme to catch and redirect HTTP requests.

The HTTPS protocol is designed to prevent this from happening; the device will get a warning about a potential security breach.

Re: HotSpot Trial user pre-login https server error

Posted: Tue Mar 28, 2017 5:35 pm
by juliokato
Try this:
https://wiki.mikrotik.com/wiki/Manual:H ... PS_example

Or purchase a valid certificate, like Let's Encrypt: it is free, but it is valid for 90 days and needs recertification.

Re: HotSpot Trial user pre-login https server error

Posted: Tue Mar 28, 2017 6:46 pm
by ik3umt
> There's no solution.
>
> Hotspot uses a man-in-the-middle scheme to catch and redirect HTTP requests.
>
> The HTTPS protocol is designed to prevent this from happening; the device will get a warning about a potential security breach.

Anyway, from what I saw, once authenticated (user/pass or trial) the user is able to browse any HTTPS site, isn't it?

A workaround could be to invite users to visit a valid HTTP site (i.e. the restaurant one) to be brought to the login page...

P.S.
Does it matter if only trial auth has to be used?

Re: HotSpot Trial user pre-login https server error

Posted: Fri Apr 07, 2017 10:54 am
by serthan
After SSL activated

[Images]

Re: HotSpot Trial user pre-login https server error

Posted: Fri Apr 07, 2017 11:58 am
by pukkita
> Anyway, from what I saw, once authenticated (user/pass or trial) the user is able to browse any HTTPS site, isn't it?

Yes, once authenticated, traffic is not restricted, no matter if HTTPS or whatever; no need to specify anything.

> A workaround could be to invite users to visit a valid HTTP site (i.e. the restaurant one) to be brought to the login page...

Exactly. Any HTTP request will bring up the captive portal page.

I have found that over-complicating things can be avoided by this simple approach:

- Tell the staff to advise people to browse to some simple URL; e.g. say the hotspot static DNS entry hostname is "restaurant": advise customers to just enter "restaurant" (or "wifi", or "internet", or any simple word, just make sure you create a static DNS entry so that it actually resolves to the captive portal IP)

- Put Google HTTPS in the walled garden. Most people will have Google as their home page, or will try accessing it; most times the search results will include HTTP sites that will "catch" and redirect to the captive portal.

> P.S.
> Does it matter if only trial auth has to be used?

No.

Re: HotSpot Trial user pre-login https server error

Posted: Fri Apr 07, 2017 5:00 pm
by ik3umt
I'm not experienced, but once an HTTPS request from a not yet authenticated user comes to the hotspot, is it still not possible to answer back and tell the browser "reload this HTTP page"?
Is the problem related to the web browser itself, when it asks for HTTPS but receives back something different?

Re: HotSpot Trial user pre-login https server error

Posted: Fri Apr 07, 2017 6:56 pm
by pukkita
Try it, the user will get a big bold security or threat warning.

Re: HotSpot Trial user pre-login https server error

Posted: Fri Apr 07, 2017 8:00 pm
by ik3umt
No doubt about getting back warnings, already proven...
I just want to understand where the problem is; if it is intrinsic to the browser then... yes, there is not much to do...

Re: HotSpot Trial user pre-login https server error

Posted: Fri Apr 07, 2017 8:10 pm
by pukkita
There is no problem to fix, HTTPS is designed exactly to prevent this.
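
The question asked above (why the hotspot cannot simply answer an HTTPS request with "reload this HTTP page") comes down to what the client sends first. The following is an added example, not part of the original thread and not RouterOS code: it classifies the first bytes of an intercepted connection and reports what a captive portal can legitimately answer. The ClientHello is constructed for the demonstration, and `hotspot.example` and `portal_options` are hypothetical names.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed sample: minimal TLS ClientHello whose only extension is SNI."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(entry)) + entry             # server_name_list
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext        # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32) + b"\x00"                   # version, random, empty session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"                 # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 0x16 = handshake

def parse_sni(data: bytes):
    """Return the SNI host name if data starts with a TLS ClientHello, else None."""
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:
        return None
    try:
        p = 5 + 4 + 2 + 32                                      # headers, version, random
        p += 1 + data[p]                                        # session id
        p += 2 + int.from_bytes(data[p:p + 2], "big")           # cipher suites
        p += 1 + data[p]                                        # compression methods
        end = p + 2 + int.from_bytes(data[p:p + 2], "big")
        p += 2
        while p + 4 <= min(end, len(data)):
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            if etype == 0:
                nlen = int.from_bytes(data[p + 7:p + 9], "big")
                return data[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None

def portal_options(first_bytes: bytes, portal_cert_names: set) -> str:
    """What a portal can answer to an unauthenticated client's first bytes."""
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "redirect: plaintext HTTP, a 302 to the login page is understood"
    sni = parse_sni(first_bytes)
    if sni is None:
        return "drop: neither HTTP nor a TLS ClientHello"
    if sni in portal_cert_names:
        return f"serve: portal holds a certificate for {sni}"
    return f"no clean redirect: client only accepts a certificate valid for {sni}"
```

A plaintext 302 sent in reply to a ClientHello is not a TLS record, so the browser reports a failed connection; completing the handshake with the portal's own certificate produces the name-mismatch warning described in the thread.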