Hey Fabrice,

I don’t think I explained correctly.  The cert on PF is a valid cert from 
incommon/comodo.  It checks out when using the mgmt gui and when being 
redirected to the capwap when going somewhere HTTP this works fine and has the 
green lock showing it’s a legit cert.

The problem becomes when a user tries to go somewhere HTTPS first. They get 
redirected to PacketFence with Aruba's 302 redirect and when the user hits 
PacketFence, they get an error from the browser saying it was going to “chase.com” 
and got packetfence.blah.blah …. And if it’s an HSTS site like google.com or 
reddit.com then the browser won’t even let you through.

Capwap detection from chrome or iOS didn’t seem to change the behavior, just 
made it annoying that they attempt to pull up their window for capwap. 
Disabling or enabling that capability didn’t change the result.

Thanks,
~Maciej


From: Durand fabrice <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Saturday, December 12, 2015 at 5:27 PM
To: "[email protected]" <[email protected]>
Subject: Re: [PacketFence-users] HSTS Sites and HTTPS PF Setup

Hello Leja,

First, you will have to acquire a valid certificate for PacketFence's 
captive portal to avoid the certificate error for a self-signed certificate 
(https://letsencrypt.org/).

Second, recent browsers/devices are able to detect a captive portal, like 
Chrome (http://clients3.google.com/generate_204), so before trying to go to an 
SSL web site the browser should present the captive portal.

Regards
Fabrice



On 2015-12-12 17:27, Leja, Maciej wrote:
Hello all,

Our packet fence deployment is https.  Not sure how rare that is but I’m seeing 
the following issue with clients getting redirected to PF from Aruba:

When a user connects to guest wireless:

1) If he/she goes somewhere HTTP -> everything is perfect. Redirects to packet 
   fence, gets a green lock, we’re golden.
2) If he/she goes somewhere HTTPS, two things could happen:
   - sites that use HSTS like google and reddit, browser will tell you you can’t 
     go there and doesn’t even have an option to bypass.
   - sites that don’t use HSTS like chase for example, browser will warn you 
     with a cert error it expected chase.com but got packet fence and you can 
     skip the error and move on to packet fence.

Aruba has told me to make PF port 80 or deal with it as this is an industry 
problem with the certs, which makes sense. I was just curious: are all of you 
(in this scenario) just dealing with the potential of tickets/yelling from 
users who had no idea they have to go to an HTTP site to be redirected 
properly? Being at a university, I fear we will get a lot of tickets, 
especially since google.com will simply fail and not let you through.

Thanks!
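The three outcomes described in this thread (HTTP first page redirects cleanly, HTTPS to an HSTS site hard-fails, HTTPS to a non-HSTS site shows a bypassable name-mismatch warning) and the generate_204 probe Fabrice mentions can be modelled so an operator can reason about them without a test client on the guest SSID. The script below is an added example written for this page; it is not PacketFence or Aruba code. Everything in it is constructed: the two probe responses, the portal hostname portal.example.edu, the HSTS cache contents and the host www.bank.example are placeholders, and nothing is fetched from the network.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Probe URL named in the thread. Only the shape of the reply matters here;
# the responses below are constructed, nothing is requested from Google.
PROBE_URL = "http://clients3.google.com/generate_204"

# Constructed reply when the network is open: empty 204, exactly as expected.
PROBE_OK = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"

# Constructed reply when a captive portal intercepts the probe on port 80.
# The portal hostname is a placeholder.
PROBE_PORTAL = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://portal.example.edu/captive-portal\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed HSTS cache: what a browser would have remembered (or preloaded)
# for a site it has visited over HTTPS before joining the guest network.
HSTS_CACHE: Dict[str, str] = {
    "google.com": "max-age=31536000; includeSubDomains; preload",
}


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_probe(raw: bytes) -> str:
    """Classify a generate_204 reply the way a captive-portal detector does.

    'open'    -> the expected empty 204 came back, nothing intercepted it.
    'captive' -> a redirect or a login page answered instead; this is what
                 the portal must produce for the OS/browser to open its
                 sign-in window before the user types an HTTPS URL.
    """
    status, headers, body = parse_http_response(raw)
    if status == 204 and not body:
        return "open"
    if 300 <= status < 400 and "location" in headers:
        return "captive"
    if status == 200 and body:
        return "captive"
    return "unknown"


def parse_hsts(header: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security header into max-age and includeSubDomains."""
    directives: Dict[str, object] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip('" ') or True
    raw_age = directives.get("max-age", "0")
    max_age = int(raw_age) if isinstance(raw_age, str) and raw_age.isdigit() else 0
    return {"max_age": max_age, "include_subdomains": "includesubdomains" in directives}


def hsts_applies(host: str, cache: Dict[str, str]) -> bool:
    """True if host, or a parent with includeSubDomains, has an active HSTS policy."""
    labels = host.split(".")
    for i in range(len(labels)):
        raw = cache.get(".".join(labels[i:]))
        if raw is None:
            continue
        policy = parse_hsts(raw)
        if policy["max_age"] <= 0:
            continue  # max-age=0 removes the policy rather than enforcing it
        if i == 0 or policy["include_subdomains"]:
            return True
    return False


def predict_first_request(url: str, cache: Dict[str, str]) -> str:
    """Predict what a guest sees when the portal intercepts their first request."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return "redirected to portal, valid certificate, no warning"
    if parts.hostname and hsts_applies(parts.hostname, cache):
        return "blocked: HSTS forbids bypassing the certificate error"
    return "certificate name mismatch warning, user may click through"


if __name__ == "__main__":
    print(PROBE_URL, "->", classify_probe(PROBE_OK), "/", classify_probe(PROBE_PORTAL))
    for u in ("http://example.com/", "https://www.google.com/", "https://www.bank.example/"):
        print(u, "->", predict_first_request(u, HSTS_CACHE))
```

The useful check for an operator is the first one: as long as the portal answers the plain-HTTP probe with something other than an empty 204, captive-portal-aware clients get their sign-in window before the user ever types an HTTPS address, which sidesteps the HSTS case entirely; the predictor only shows what happens to clients that skip that step.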

------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users