Welcome Portal don't load when user open a HTTPS Website Topics about the wireless hardware

[Costa]

Dear HSNM Support Team


I have following problem.

I connect to my GUEST Network and open a browser.

When I open a HTTP Website I was redirected to the Login Page (Captive Portal)
When I open a HTTPS Website I was not redirected to the Login Page (Captive Portal)

Have you a Hint to solve the problem ?

Kind Regards

Costa

[HSNMSupport]

Hi Costa!
It is not an HSNM problem but. Not all Gateways' Hotspot services redirect SSL 443 sites. As described here http://forum.mikrotik.com/viewtopic.php?t=81683, you have to enabled, on your Mikrotik GW, the HTTPS on the Hotspot Profile and create or copy a certificate inside your Mikrotik Gateway HTTP.

More or less you should follow these steps:

1) Login into your Mikrotik GW and, from the command line (New Terminal), create a self-signed certificate with the command

/certificate add name=self-signed-certificate common-name=hotspot country=it days-valid=730 key-size=2048 locality=italy organization=hotspot state=italy trusted=yes unit=hotspot-unit subject-alt-name=DNS:yourdomain.com,IP:YourGWIP,email:yourmail@yourdomain.com key-usage=digital-signature,key-cert-sign,crl-sign;
/certificate sign self-signed-certificate ca-crl-host=YourGWIP name=hotspot ca-on-smart-card=no;

2) Go to IP/Hotspot/Server Profile, then edit the hotspot profile (generally called hsprof1), go to "Login" section and enabled the HTTPS checkbox, then on "SSL certificate" choose the certificate created at point 1)

3) On HSNM System Settings, add/configure an SSL certificate.

Now you should be able to redirect the users to the Welcome Portal also if they try to load an HTTPS site

Best regards

[Mirkos]

I followed the instructions but we get the security error which is a bad experience for the users. And it appears now at iphone users also.


Also i dont seem to find where to set the certificate in the Admin panel in HSNM platform.


Regards.

[HSNMSupport]

Hi Mirkos
If you read carefully the Mikrotik posts, you have the security error because the SSL certificate create on Mikrotik doesn't have the correct domain name, so you have to use a correct SSL certificate.
To add an SSL certificate on HSNM you have to go on HSNM System Settings; for further information on how to add a certificate on HSNM read the Administration Manual

Best regards

[Mirkos]

So in order to solve that what can we do? Do we need to get valid certificates for each of the GW routers?

Regards.

[HSNMSupport]

Hi to all.
Probably you will always have at least 1 warning message about SSL certificate; the reason is that when you type https://google.com into your browser:

1. It resolves google.com into an IP. Lets say it's 203.0.113.57.
2. The browser connect to TCP port 443 on 203.0.113.57.
3. The Mikrotik GW system redirect this connection to its Hotspot system.
4. Browser and Hotspot are doing the SSL handshake. This includes that the hostspot is sending its certificate.
5. The browser sill "thinks" it connects to google.com. But as the browser has received a certificate which is for your hotspot and NOT for google.com it shows a warning.

If you don't enable the HTTPS login on your Mikrotik GW, the user will have the error "this web page is not available" or "cannot display the webpage" etc.
To enable it you have to follow, more or less, these steps

1) Make sure to have a FQDN to use for HSNM and your GW (for example yourdomain.com)
2) Decide which FQDN use for your HSNM (for example hsnm.yourdomain.com) and for your GWs (for example hotspot.yourdomain.com)
3) Set the FQDN for the HSNM on HSNM SystemSetting "Domain Name" field
4) Request a wildcard certificate (for example for *.yourdomain.com) to a valid CA for the FQDN
5) Load the .crt file and .key file on HSNM
6) Copy the .crt file and .key file on your Mikrotik GW
7) If you have copy also the CA internediate .crt and .key file
8) Go to "new terminal" of your GW and execute this command:

/certificate import

Note: don't insert any passphrase and hit "ENTER"

9) Edit the hotspot server profile, then go to "general" tab, and for DNS name use the FQDN that you have decided to use for your GW (for example hotspot.yourdomain.com)
10) Edit the hotspot server profile, then go to "login" tab, and enable HTTPS as "login by" and choose on "SSL Certificate" the ones imported on point 8)
11) Now your Mikrotik GW is able to redirect the HTTPS website to the HSNM Welcome Portal but with the SSL certificate warning

Hope this help you    

Best regards

[Mirkos]

Hello support
Thanks for your answer and your dedication to help us.
In case we buy the certificate and apply it in our hotspot will thus generate a ssl warning?
Our main purpose is that customers get directly to login page without any perceived bad experience, like the page can't open or ssl warning.

Best regards

[HSNMSupport]

Hi
If you buy an SSL certificate for the FQDN set inside Mikrotik hotspot "DNS name" you should not have any SSL warning. There are a lot of HSNM customers that have properly configured the Mikrotik Gateway in order to have the login page working in HTTPS.
Anyway if you don't want to spend money I suggest you to try in your lab to load a self made certificate in order to understand how SSL works but in this case you will probably have an SSL warning.

Best regards