Certificate for captive web portal

Hello Aerohive Champs

We recently installed an Aerohive solution using the captive web portal. We receive complaints from users who get forwarded to the CWP via HTTPS and receive an untrusted-source message. We want to resolve this, so is there a correct procedure to configure a CWP certificate for HTTPS traffic? Can we use the same certificate that we created for the RADIUS AP? If not, what IP or domain name do we have to use for the CWP? We are using Hive Manager Online.
Thanks for the great responses!!!
Hans Matthé

Posted 4 years ago

Nick Lowe, Official Rep
Hans,

There is no correct way to configure a CWP to intercept traffic that is destined for an HTTPS URL. Conceptually, were it possible to do so without triggering a browser warning about a lack of a certificate or an untrusted certificate, it would be a massive security flaw in the Web browser that would undermine much of the very purpose of HTTPS.

To resolve the issue therefore, many modern operating systems have sidestepped the issue by adding CWP detection which they display to a user in an out-of-band way. The trick therefore is to ensure that you trigger these where they are supported.

Where they are not supported, there is absolutely nothing that you can or should do that does not undermine the trust and security model in some way.

An alternative approach is to ensure that you do not use a CWP by making use of 802.1X or PPSKs instead.

Nick
Ronald Moore
Hans,

As Nick suggested, you are better off with 802.1X or using a PSK for authentication. We had a CWP for our student network which gave us nothing but trouble. The biggest issue is when you use a secure CWP, since most operating systems do not detect a CWP redirect correctly. You will get a certificate mismatch if your initial page load is going to a secure page like https://google.com. This causes most browsers to block you from proceeding to the redirect. We finally dropped the CWP and moved to 802.1X, which has been running great with no issues.

Ron

Hans Matthé
Hi experts, thanks for the reply. What about best practice for BYOD and 802.1X? Did you foresee a third-party certificate for this?
Ronald Moore
Hans,

Yes, if you want to avoid issues with certs you are better off getting a real cert from a third party like DigiCert. Just make sure you do not use a wildcard cert, as they rarely work with 802.1X. As far as the setup is concerned, I had a call with Aerohive engineer Jason, who walked me through the complete setup along with showing best practices as we went. We have been running it for about 6 months now and the "I cannot get connected to the Wi-Fi" calls have dropped significantly.

Ron
Hans Matthé
Thanks Ronald, do you have a procedure for this? What is not clear to me is how I build the certificate, and mainly, what do I use as common name in the server certificate for the RADIUS AP? We also have a backup RADIUS AP; how do we use the same certificate for this?

Nick Lowe, Official Rep
Hans, my suggestion would be to use a certificate/certificates with the CN set to that of your domain and with an individual SAN entry set to this too. I understand that DigiCert always do this for you.

I would not recommend using/exposing the server names of your RADIUS servers to supplicants, especially where you are using a commercial CA. This is really a private implementation detail and complicates configuring supplicants correctly to validate the server certificate(s) as you have to list each possible CN.

You can use either the same certificate across your RADIUS servers or individual certificates issued for the same domain.

(Individual certificates can sometimes be useful as you can then easily identify which RADIUS server handled the request at the client if you ever need to by inspecting the details of the server certificate.)

For 802.1X, all you need are standard Web server certificates, but, whoever you go with, I always recommend going with a Class 2 (user/organisation validated) rather than Class 1 (only domain validated) certificate. This is not required, but it does give greater assurance to anybody who knows to look for this.

(As a side note, I actually would love to see Web browsers and supplicants pay attention to this distinction in a user actionable way where a commercial CA is used.)
Hans Matthé
Nick, thanks for the reply.

So I'd rather use the external domain of the school? They have an internal .local domain also. The RADIUS AP is of course an object in the internal domain.

Thanks!!
Nick Lowe, Official Rep
I would use the external domain of the school, yes.

That is without a www.
Hans Matthé
Nick

Ok, so we use just the external domain name, not the FQDN of the specific AP.

Last consideration: we use HiveManager Online (not an internal appliance), so the domain name we use for the certificate will not be used for the HiveManager. Is this a problem?

Thanks a lot!!

I'll keep you updated about the result.
Nick Lowe, Official Rep
It is not a problem. It is entirely decoupled and unrelated.
Hans Matthé
Hello Nick

I had a third-party certificate issued by GoDaddy, converted the .crt files to .pem files and imported the certificates (there is a bundle, which I believe is the CA certificate, and the other is the server certificate). When I choose the certificates at the RADIUS AP I receive the error "The server certificate was not issued with the specified CA certificate". Do you know what could be wrong?
Nick Lowe, Official Rep
Hans,

The error should mean exactly what it says.

Set the Authentication to TLS/PEAP

The CA Cert File should also include any intermediate CAs as well as the root.

The server certification file should be the public key for the RADIUS server.

The server key file should be the private key for the RADIUS server.

Nick
Hans Matthé
Thanks again, Nick.

I'm not an expert on certificates (lack of experience with this). I went to this site:
https://certs.godaddy.com/anonymous/repository.pki

I downloaded the Class 2 root certificate and the intermediate certificate and did some testing, but without result.

- CA cert file: do I have to combine the intermediate and the root certificate, and how do I do that?
- It's not clear to me which file is the one with the public key and which file is the one with the private key.

I really want to know more about certificates but never find really relevant information on the web or in the courses I followed, so thanks for the support.
Nick Lowe, Official Rep
Which certificate did you purchase from GoDaddy? Are you sure that it was Class 2 validated and that the root is correct therefore?

The easiest way is to use OpenSSL at the command line to get what you want when changing formats or merging things. A plain text editor can also be useful with certain file formats when unencrypted.

There are lots of tutorials on the Web.

If you can confirm the certificate that you purchased, I can sort out the files for the "CA Cert File" and "Server Certification File" for you.
Hans Matthé
Hey Nick

I used openssl to convert the .crt files to .pem files.
I added a screenshot with detailed information about the certificate we bought. Really many thanks for the support and the knowledge sharing.
Nick Lowe, Official Rep
So, you have purchased a Class 1 certificate that is domain validated only. This means that the root/intermediate CAs that you are using are incorrect. The type of certificate that you have only confirms domain ownership, not the organisation (legal identity). You can still use this, but you need to use the correct root and intermediate CAs.

(This is the certificate type that I think should be banned for 802.1X use where a commercial CA is used. Certificates by nature do not refer to or validate the SSID in use so having it tied to a legal entity is a good assurance property.)
Hans Matthé
Nick
I note that I have to use a Class 2 certificate in the future. If you look at the GoDaddy certs, which certificates will I need (https://certs.godaddy.com/anonymous/repository.pki)?

Many thanks!
Nick Lowe, Official Rep
It looks like the path will be:

Go Daddy Class 2 Certification Authority Root Certificate - G2
gdroot-g2.crt

Go Daddy Secure Server Certificate (Intermediate Certificate) - G2
gdig2.crt
Hans Matthé
Do I have to combine these two into one CA cert file?
Nick Lowe, Official Rep
http://www.digicert.com/ssl-support/pem-ssl-creation.htm

Follow that applying it to DigiCert's certificates. You want to combine the two crt files to one.
Hans Matthé
Nick
I created one .pem file where I included the content of gdroot-g2.crt AND gdig2.crt. So, this should be the CA certificate now?

Nick Lowe, Official Rep
The CA cert file should contain these two certificates, yes.

Then just split your cert into two files for the server cert (public) and server key (private).
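Nick's list of the three files (CA cert file with intermediates and root, server certificate, server key) and the bundling step just above describe the same import. As an added example, not code from the thread or from Aerohive, this POSIX shell script uses OpenSSL to mint a throwaway root/intermediate/server test chain, assembles the CA bundle the same way, and runs the checks a practitioner would run before importing: does the server cert chain to the bundle (the check behind the "not issued with the specified CA certificate" error), does the key match the cert, and do CN and SAN carry the bare domain. The domain `school.example` and all file names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): mint a throwaway root -> intermediate ->
# server chain, assemble the three files the RADIUS import asks for, and run
# the checks behind the "not issued with the specified CA certificate" error.
# DOMAIN and every file name here are constructed placeholders.
set -eu
DOMAIN="school.example"          # bare external domain, no www, as advised above
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

make_test_chain() {
  printf 'basicConstraints=critical,CA:true\nkeyUsage=keyCertSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
    -keyout root.key -out root.csr
  openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext -out root.crt
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout int.key -out int.csr
  openssl x509 -req -days 1 -in int.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out int.crt
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$DOMAIN" > srv.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$DOMAIN" \
    -keyout server.key -out server.csr
  openssl x509 -req -days 1 -in server.csr -CA int.crt -CAkey int.key \
    -CAcreateserial -extfile srv.ext -out server.crt
} 2>/dev/null

# "CA Cert File": every intermediate first, the root last, one PEM after another.
make_ca_bundle() { cat int.crt root.crt > ca-bundle.pem; }

# Does the server cert chain to the bundle? This fails when the bundle holds the
# wrong root/intermediate (e.g. Class 2 CA files for a Class 1 cert) or lacks one.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# "Server Key File" must be the private key of the "Server Certification File":
# compare the public key carried by each.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# What supplicants match on: CN and a SAN entry should both be the bare domain.
cert_names() { openssl x509 -in "$1" -noout -subject -ext subjectAltName; }

make_test_chain
make_ca_bundle
chain_ok ca-bundle.pem server.crt && echo "server cert chains to the CA bundle"
chain_ok root.crt server.crt || echo "root alone: chain check fails (intermediate missing)"
key_matches server.crt server.key && echo "server key matches server cert"
cert_names server.crt
```

Point `chain_ok` and `key_matches` at the real GoDaddy bundle and the purchased cert/key to reproduce the AP's check locally before importing.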