Hi Leja,
OK, so can you try to redirect the user to the HTTP URL of the captive
portal instead of the HTTPS one, and keep secure redirect in PacketFence.
If I remember correctly, the Aruba config looks like this
(http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-integrate-Aruba-Controller-with-CPPM-to-perform-Captive/ta-p/192291)
and you have to set the login page to http://packetfenceip.
So when you try to connect to an HTTPS website, the Aruba will
redirect you to http://packetfenceip and PacketFence will redirect you
to https://packetfence.blah.blah/captive-portal, and you will not have
the HSTS issue.
As I said, captive portal detection is supposed to fix this sort of issue.
Regards
Fabrice
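Fabrice's point above, that the controller can only 302 a plain-HTTP request and that an HTTPS-first visit to an HSTS host leaves the browser no bypass, modelled in code as an added example (not code from this thread or from PacketFence); the HSTS header values and host names below are constructed samples.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

HstsEntry = Tuple[int, bool]  # (max_age_seconds, include_subdomains)

def parse_hsts(header: str) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None  # malformed max-age: browsers ignore the header
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age <= 0:  # max-age=0 clears a cached entry
        return None
    return (max_age, include_sub)

def hsts_applies(host: str, cache: Dict[str, HstsEntry]) -> bool:
    """True if a cached entry covers host (exact, or a parent with includeSubDomains)."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = cache.get(".".join(labels[i:]))
        if entry and (i == 0 or entry[1]):
            return True
    return False

def portal_outcome(first_url: str, cache: Dict[str, HstsEntry]) -> str:
    """Predict what the user sees when the controller intercepts first_url."""
    parts = urlsplit(first_url)
    if parts.scheme == "http":
        return "redirected"    # plain 302 to the portal; no TLS is involved
    if hsts_applies(parts.hostname or "", cache):
        return "hard-fail"     # cert mismatch under HSTS: browser offers no bypass
    return "cert-warning"      # interstitial the user can click through

# Constructed sample headers standing in for what a browser cached earlier;
# the real sites' policies are not taken from this thread.
SAMPLE_HEADERS = {"google.com": "max-age=31536000; includeSubDomains",
                  "reddit.com": "max-age=604800"}
CACHE = {h: e for h, v in SAMPLE_HEADERS.items() for e in [parse_hsts(v)] if e}

if __name__ == "__main__":
    for url in ("http://example.com/", "https://www.google.com/",
                "https://reddit.com/", "https://chase.com/"):
        print(url, "->", portal_outcome(url, CACHE))
```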
On 2015-12-14 16:23, Leja, Maciej wrote:
Hey Fabrice,
I don't think I explained correctly. The cert on PF is a valid cert
from InCommon/Comodo. It checks out when using the mgmt GUI, and when
being redirected to the capwap after going somewhere HTTP this works
fine and has the green lock showing it's a legit cert.
The problem arises when a user tries to go somewhere HTTPS first. They
get redirected to PacketFence with Aruba's 302 redirect, and when the
user hits PacketFence, they get an error from the browser saying it was
going to "chase.com" and got packetfence.blah.blah... And if it's an
HSTS site like google.com or reddit.com, then the browser won't even
let you through.
Capwap detection from Chrome or iOS didn't seem to change the
behavior; it just made it annoying that they attempt to pull up their
window for capwap. Disabling or enabling that capability didn't change
the result.
Thanks,
~Maciej
From: Durand fabrice <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Saturday, December 12, 2015 at 5:27 PM
To: "[email protected]" <[email protected]>
Subject: Re: [PacketFence-users] HSTS Sites and HTTPS PF Setup
Hello Leja,
First, you will have to acquire a valid certificate for
PacketFence's captive portal to avoid the certificate error for a self-signed
certificate. (https://letsencrypt.org/)
Second, recent browsers/devices are able to detect a captive portal,
like Chrome (http://clients3.google.com/generate_204), so before
trying to go to an SSL web site the browser should present the captive
portal.
Regards
Fabrice
On 2015-12-12 17:27, Leja, Maciej wrote:
Hello all,
Our PacketFence deployment is HTTPS. Not sure how rare that is, but
I'm seeing the following issue with clients getting redirected to PF
from Aruba:
When a user connects to guest wireless:
1) If he/she goes somewhere HTTP -> everything is perfect. Redirects
to PacketFence, gets a green lock, we're golden.
2) If he/she goes somewhere HTTPS, two things could happen:
- sites that use HSTS, like google and reddit: the browser will tell you
you can't go there and doesn't even have an option to bypass.
- sites that don't use HSTS, like chase for example: the browser
will warn you with a cert error that it expected chase.com but got
PacketFence, and you can skip the error and move on to PacketFence.
Aruba has told me to make PF port 80 or deal with it, as this is an
industry problem with the certs, which makes sense. I was just
curious: are all of you (in this scenario) just dealing with the
potential of tickets/yelling from users who had no idea they have to
go to an HTTP site to be redirected properly? Being at a university,
I fear we will get a lot of tickets, especially since google.com will
simply fail and not let you through.
Thanks!
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users