Captive Web Portal and Certificate Warning

  • 1
  • Question
  • Updated 2 years ago
Hey guys,

We're working on a project where we need to deploy Purple Wifi onto Aerohive devices. Everything was running smoothly until we encountered anything HTTPS.

When an HTTPS request is made, all the browsers we have tested on throw this error:

NET::ERR_CERT_AUTHORITY_INVALID

We are assuming that the CA that the access point is providing is invalid and therefore throwing off the SSL authentication.

We have set the certificate to the "DefaultCWPCert".

Any tips here on what we can do to get HTTPS to work?

Also, is there a way to prompt the user with the CWP as soon as they select the Guest Wifi SSID?

Mouhamed

  • 9 Posts
  • 0 Reply Likes

Posted 2 years ago

  • 1

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hi Mouhamed,

You ideally and realistically need to get hold of a valid certificate from a commercial CA.

That will be derived from a root certificate which is in the trust store of web browsers, so you will not see this error.

The certificate must be for a domain or subdomain of a domain that you own/control, and you must use this domain for the CWP.

You are fine with a Domain Validation (DV) certificate and do not need to get hold of an Organisation Validation (OV) or Extended Validation (EV) certificate.

Prompting automatically for a CWP requires out-of-band detection of the CWP by the device in question via its probing and is not something that you can configure.

(In the past, changes have been made internally in HiveOS to make the CWP play nicer with Apple devices and better trigger such detection. As a general rule, therefore, make sure the version of HiveOS that you are using is up-to-date to pick up this type of change as-and-when it is made.)

Regards,

Nick
(Edited)
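To illustrate the "out-of-band detection via probing" that Nick describes, here is an added example (not Aerohive or HiveOS code, and not part of this thread): a client sends a plain-HTTP probe to a path whose expected reply it already knows, and treats any other reply (a redirect to a login page, injected HTML) as a sign that a captive web portal is in the way. The portal here is a constructed stand-in on 127.0.0.1; the probe path and portal URL are placeholders, not the addresses any real OS uses.

```python
"""Captive-portal probe detection (added example, not HiveOS/Aerohive code)."""
import http.client
import http.server
import threading

PROBE_PATH = "/generate_204"                 # constructed probe path
PORTAL_URL = "http://portal.example/login"   # placeholder portal address


class CaptivePortalHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for a CWP: unauthenticated HTTP requests are redirected to the portal."""

    authenticated = False  # class-level flag: flip it to simulate a client that logged in

    def do_GET(self):
        if self.authenticated:
            # Client is through the portal: pass the probe to its "real" destination,
            # which answers with the empty 204 the client expects.
            self.send_response(204)
            self.end_headers()
        else:
            # Not yet authenticated: the portal hijacks plain HTTP and redirects.
            self.send_response(302)
            self.send_header("Location", PORTAL_URL)
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def start_portal(port=0):
    """Start the stand-in portal on a free local port; returns the server object."""
    srv = http.server.HTTPServer(("127.0.0.1", port), CaptivePortalHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, timeout=2.0):
    """Connectivity check: 'open', 'captive', or 'offline'.

    A probe must use plain HTTP: an HTTPS probe would fail certificate
    validation at the portal instead of yielding a detectable redirect.
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", PROBE_PATH)
        resp = conn.getresponse()   # http.client does not follow redirects
        body = resp.read()
        conn.close()
    except OSError:                 # refused, unreachable, or timed out
        return "offline"
    if resp.status == 204 and not body:
        return "open"
    # Redirect, login page, or any tampered body: something is intercepting us.
    return "captive"


if __name__ == "__main__":
    srv = start_portal()
    port = srv.server_address[1]
    print("before login:", probe("127.0.0.1", port))   # captive
    CaptivePortalHandler.authenticated = True
    print("after login: ", probe("127.0.0.1", port))   # open
    srv.shutdown()
    srv.server_close()
```

The flag on the handler class stands in for the per-client state a real portal keeps (usually keyed on MAC address). The decisive point for the thread is in `probe()`: detection only works because the portal can rewrite an unauthenticated plain-HTTP exchange; there is no equivalent trick for HTTPS that a browser will accept.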

Mouhamed

  • 9 Posts
  • 0 Reply Likes
Thanks Nick.

We have a commercial certificate - however this is different from the 3rd Party CWP as we are using PurpleWifi.

Would any certificate/CA work?
(Edited)

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Ah, your clarification explains all! You cannot securely/reliably and should not attempt to intercept HTTPS. CWPs should only ever attempt to intercept HTTP.

You will always get an error message where a user attempts to navigate to a different domain to the one presented in the certificate or where the root isn't in the trust store... so, you would have to modify a client's trust store, which you should only ever consider for devices owned and maintained by-and-for a company. This is key and fundamental to how HTTPS works with TLS to protect us all from MITM.

Google and Facebook no longer give you the option to bypass this error message for their web services in Chrome or Firefox because of public key pinning and HSTS preloading, both security hardening features.
(Edited)
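The two failure modes Nick lists (an untrusted root, or a certificate name that does not match the requested site) and the reason HSTS preloading and key pinning remove the click-through option can be modelled in a few lines. The following is an added example, not code from this thread or from any browser: it simplifies the chain to a single issuer name, uses constructed certificate data, and treats HSTS and pinned hosts alike as "no bypass". The error strings are Chrome's, which the thread already quotes one of.

```python
"""Model of a browser's certificate decision (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Certificate:
    subject_alt_names: list   # dNSName entries presented by the server
    issuer: str               # root that signed it (simplified: no intermediates)


@dataclass
class Browser:
    trusted_roots: set
    hsts_hosts: set = field(default_factory=set)    # preloaded/learned HSTS entries
    pinned_hosts: set = field(default_factory=set)  # key-pinned sites (constructed)


def hostname_matches(pattern, host):
    """RFC 6125-style match: exact, or '*' as the whole left-most label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard covers exactly one label and must leave at least two fixed
    # labels, so "*.com" never matches and "*.example.com" does not match a.b.example.com.
    return (len(p_labels) == len(h_labels)
            and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def _covered(host, hosts):
    """True if host or any parent domain is in the set (HSTS includeSubDomains)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in hosts for i in range(len(labels)))


def evaluate(browser, requested_host, cert):
    """Return (error_code or None, bypass_allowed) for a presented certificate."""
    if cert.issuer not in browser.trusted_roots:
        err = "NET::ERR_CERT_AUTHORITY_INVALID"     # root not in the trust store
    elif not any(hostname_matches(n, requested_host) for n in cert.subject_alt_names):
        err = "NET::ERR_CERT_COMMON_NAME_INVALID"   # cert is for a different domain
    else:
        return None, True
    # HSTS and pinning turn the interstitial into a hard failure: no "Proceed anyway".
    protected = _covered(requested_host, browser.hsts_hosts) or _covered(
        requested_host, browser.pinned_hosts)
    return err, not protected


if __name__ == "__main__":
    browser = Browser(trusted_roots={"Example Commercial Root"},
                      hsts_hosts={"facebook.com"})
    portal_cert = Certificate(["cwp.example-hotspot.net"], "Constructed Portal CA")
    print(evaluate(browser, "news.example.org", portal_cert))   # untrusted, bypassable
    print(evaluate(browser, "www.facebook.com", portal_cert))   # untrusted, no bypass
    good_cert = Certificate(["*.example-hotspot.net"], "Example Commercial Root")
    print(evaluate(browser, "cwp.example-hotspot.net", good_cert))  # no error
    print(evaluate(browser, "www.facebook.com", good_cert))     # name mismatch, no bypass
```

The last two calls show the point of Nick's second answer: even a perfectly good commercial certificate for the portal's own domain still fails the moment the portal presents it for a site the user actually typed, because the name check is against the host the browser requested, not the host the portal wants to show.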

Mouhamed

  • 9 Posts
  • 0 Reply Likes
Dang - so is it not possible to use Social login on the AeroHive devices?

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
It is possible to use social login with Aerohive devices with Aerohive's own offering. I suspect, prima facie, that full exemption or partial exemption from the CWP would be needed for Facebook and Twitter's domains to allow a social login to work so that traffic can go straight through.
(Edited)

Mouhamed

  • 9 Posts
  • 0 Reply Likes
Thanks for your help.
That's a real shame as we were looking forward to using Purple.

I was looking at the guides for AH Social Login, however I can't see the option to enable Social Login where the guide suggests:


We're running HiveManager 6.4r1.

Any help here?