Certificate for 3Com WiFi Switch, local internal network


#1

Hi
I am very unskilled.
I have a 3Com WX1200 WiFi management switch that tells my browser that access is insecure.
I want to install certificates so users do not get that message on their login page.
But this is all on my local network, that goes out to the internet via several firewall routers.
Hence I don’t have a Domain, so what do I do???
Regards Derek


#2

Let’s Encrypt isn’t an option, as it requires a public hostname.

I’m sure it’s just a handful of users who require access to the switch? And they’re probably not novice users too? Isn’t it possible for them just to (permanently) accept the current certificate?


#3

hi @dcj99b

Have a look at this article which discusses Aruba WiFi controllers

Principle is the same

Andrei


#4

Hi
Thanks for that, but this will be a public cafe, some folk only ever come once. And trying to encourage customers, giving them free WiFi spreads our reputation and hence revenue. We need to ensure we don’t upset customers, or make it difficult for them.
But we do have responsibilities, and need to collect customers’ email addresses for targeted marketing.


#5

Hi Andrei
Thanks for that.
It all looks very complicated. Rather daft I can’t create my own self-signed certs for internal networks.
I think the main difficulty is the 3Com WX1200 uses https in authorisation.
I was hoping I could find an easy workaround.
So it looks like I will have a look at a job I did about 10 years ago on a Linux platform.
I wrote a router program that needed an authorised flag from a database that customers had filled in a form on a http based web server. It was a bit cumbersome at the back office side, but customers didn’t notice much delay.
Regards Derek


#6

How does your setup work? I’ve got the WX1200 manual, but it has a lot of information and personally I’m not that familiar with captive portals for WiFi…

Perhaps you could help point me in the right direction? Should I look at the “CONFIGURING AAA FOR NETWORK USERS” chapter?

In any case, the fact Let’s Encrypt only issues certificates for public domain names remains. This could of course be remedied by using a (free) domain name. The hostname of your WiFi AP’s captive portal could point to an internal IP address, that’s no problem. The only thing is: you’d have to use the DNS challenge for validating your domain name with Let’s Encrypt. While that isn’t a problem, in an ideal world you’d want that to be automated. But automated DNS challenges require an API at the DNS service provider. I’m not sure if there’s a free DNS provider which has such an API.

Edit:
The following could be a problem:

Web — A network user attempts to access a web page over the network. The WX switch intercepts the HTTP or HTTPS request and serves a login Web page to the user.

Intercepting an HTTPS request is hard (if not impossible, unless you’re the NSA) without some kind of error on the users. Android (I assume, according to the location of the content) uses mechanisms to detect captive portals, so that shouldn’t be a problem per se. (Captive portal handling for HTTPS requests.)
But you should keep that in mind if anything doesn’t work like you thought it should.


#7

hi @dcj99b

This can be done fairly easily

Go to GoDaddy and buy a .xyz domain name
Choose a subdomain (guests.xxx.xyz)

A) You configure your DHCP to point to your WiFi switch as the DNS provider
B) On your DNS point a domain of your choice to the IP of your switch
C) Configure the re-direct to point to your new domain name
D) You can also configure your global DNS to point to an internal IP (screenshot of doing that with CloudFlare is below)

Once all that is done you should be able to obtain a certificate and have a secure captive web portal

Andrei


#8

Hi All
Thanks for the help.
I already have a Dyndns account, so can generate a domain name there.
I will try configuring the 3Com WX1200 to be on that domain and get a certificate for that domain.
I’ll let you know how I get on, but it will be after Easter now as another project starts this week and that will have to wait.
Thanks again Regards Derek
