WiNG Captive Portal redirection HTTP Invalid certificate

Symptoms
  • If the user visits an HTTP site, they are immediately redirected to the captive portal (this works regardless of browser).
  • If the user visits an HTTPS site that does not use HSTS, they receive a certificate warning.
    • If the user clicks "Continue" they are redirected to the captive portal (this works regardless of browser).
  • If the user visits an HTTPS site that uses HSTS, and the browser supports HSTS and already knows that site's policy (cached from an earlier visit or built into the browser's preload list), the browser shows a certificate error with no "Continue" option and the user cannot reach the captive portal page.
    • The only way to get redirected to the captive portal is to visit a site that does not use HSTS (an HTTP site, or an HTTPS site without an HSTS policy).


 
Environment
WiNG controller and AP configured for captive portal
Cause
Websites that use HTTP Strict Transport Security (HSTS) will not let the browser follow the captive portal redirect. The portal intercepts the HTTPS request and answers with its own certificate, which is not issued for the requested host; for a host with an HSTS policy the browser treats that certificate error as fatal and offers no way to continue.
Client browsers report HSTS-related certificate errors for websites like youtube.com and facebook.com, for example (error codes as shown by Internet Explorer/Edge):
Error Code: DLG_FLAGS_INVALID_CA
DLG_FLAGS_SEC_CERT_CN_INVALID

Note:
Google has recently started enforcing HSTS on its sites, so an intercepted request to them produces a red stop page that does not allow the user to proceed.
Resolution
The captive portal is configured for HTTP, or for HTTPS with the default self-signed certificate.
Configure the captive portal for HTTPS and import a certificate issued by a CA the clients trust into the AP and the controller, where applicable. This removes the warning for the portal page itself and for redirects from HTTPS sites that do not use HSTS. It cannot remove the hard failure for HSTS sites, because no certificate installed on the portal is valid for those hosts; guests still have to open an HTTP site to be redirected (most operating systems also probe a plain-HTTP URL when they join a network and open the portal page automatically).
Additional notes
The redirection will result in a security warning from most modern browsers because the original HTTPS request has been redirected either to an insecure open portal or to an HTTPS portal that is using a different TLS certificate than the original request.
If the user selects "Continue" after the warning, the Guest Portal comes up so that they can sign into the network.

Websites that use HTTP Strict Transport Security (HSTS) are the exception: for them the browser shows no warning to click through and refuses the connection outright.

HSTS:
A server implements an HSTS policy by supplying a header over an HTTPS connection (HSTS headers received over plain HTTP are ignored).
For example, a server could send a header telling the browser that, for the next year, every request to the domain must use HTTPS (max-age is specified in seconds; 31536000 is approximately one year):
Strict-Transport-Security: max-age=31536000; includeSubDomains

When a web application issues an HSTS policy to user agents, conformant user agents behave as follows:
  • Automatically turn any insecure links referencing the web application into secure links. For instance, http://example.com/some/page/ is rewritten to https://example.com/some/page/ before the server is contacted.
  • If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted), show an error message and do not allow the user to access the web application. This is what breaks the captive portal redirect: the portal can only present a certificate that is not valid for the requested site.
The policy applies only once the browser has seen the header (or the site is on the browser's built-in preload list), so a browser profile that has never visited the site may still be able to click through on its first visit.
The HSTS policy helps protect web application users against some passive (eavesdropping) and active network attacks.
A man-in-the-middle attacker has a greatly reduced ability to intercept requests and responses between a user and a web application server while the user's browser has an HSTS policy in effect for that web application.
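The three symptom cases at the top of this article follow directly from these rules. The script below is an added example (not WiNG code and not a browser's implementation) that models a conformant user agent's HSTS store and the decision it makes when a captive portal intercepts a request: it parses the Strict-Transport-Security header, ignores the header over plain HTTP, upgrades http:// links for known hosts, and turns a certificate error into a hard failure only for hosts with a live policy. The host names, header values and timestamps are constructed sample data, and the function and class names are this example's own.

```python
"""Simulation of how an HSTS-aware browser reacts when a captive portal
intercepts a request.  Added example, not WiNG code: it models the user-agent
rules of RFC 6797 (header honoured only over HTTPS, http:// links upgraded,
certificate errors become hard failures) with an in-memory HSTS store.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class HstsPolicy:
    expires: float            # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid (missing, duplicated or non-numeric max-age).  Unknown directives
    are ignored, as RFC 6797 requires.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue                       # tolerate a trailing ';'
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """The browser's memory of which hosts have asserted an HSTS policy."""

    def __init__(self):
        self.policies = {}

    def learn(self, host, header_value, over_https, now):
        """Record a policy seen in a response.  Returns True if it was accepted."""
        if not over_https:
            return False                   # STS headers over plain HTTP are ignored
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the UA to forget the host
            return True
        self.policies[host] = HstsPolicy(now + max_age, include_subdomains)
        return True

    def is_known(self, host, now):
        """True if `host` (or a parent with includeSubDomains) has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy.expires <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


def portal_intercept_outcome(url, store, now):
    """What the user sees when a captive portal intercepts the request to `url`.

    The portal answers HTTP with a 302 to its own page and answers HTTPS by
    terminating TLS itself, so on HTTPS it can only present a certificate that
    is not valid for the requested host.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    hsts = store.is_known(host, now)
    scheme = parts.scheme.lower()
    if scheme == "http" and hsts:
        scheme = "https"                   # UA rewrites the insecure link first
    if scheme == "http":
        return "redirected"                # plain HTTP: the 302 is followed silently
    if hsts:
        return "blocked"                   # RFC 6797 12.1: hard fail, no click-through
    return "warning_click_through"         # ordinary HTTPS: interstitial, user may continue


if __name__ == "__main__":
    # Constructed sample data: one earlier HTTPS visit to youtube.com taught the store.
    now = 1_700_000_000
    store = HstsStore()
    store.learn("youtube.com", "max-age=31536000; includeSubDomains", True, now)
    for u in ("http://example.com/some/page/", "https://example.com/",
              "https://www.youtube.com/", "http://youtube.com/"):
        print(u, "->", portal_intercept_outcome(u, store, now))
```

The fourth case shows why an HSTS host is unreachable even from a plain http:// link: the browser upgrades the link before it sends anything, so the portal never gets the chance to answer with a redirect.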

More info: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
