Secure captive portal


#1

Hi guys,

I want to set up a captive portal for my little hotel. What I want to do is allow the client to connect to my portal and then let him access the internet. When the client is connecting he doesn’t have any connection, and I get the SSL error. If I google my website with an allowed computer connected to the web I don’t have a problem. What I want to do is redirect the client using my internal HTTPS without error; is this possible? Or do I have to set up a firewall rule to a restricted web area before he can log into the network?

Thanks a lot.


#2

Could you explain a bit more? I’m not fully sure what kind of error you’re seeing. Are you saying, for example, that if someone tries to go to https://google.com/ they get a certificate error because of your captive portal?


#3

Hi Motoko,

What I’m trying to explain is that when the users go to Google they have an error “Invalid cert name”, but not if they enter the correct name of the captive portal. My question is how to redirect people to my HTTPS page without error?

Users (in my opinion) shouldn’t have to manually enter the web address of the captive portal; this is not very professional or correct for a hotel. So I try to find another way, but my knowledge is limited.

Thanks.


#4

Just to check my understanding.

You have a portal for your hotel guests. Do they need to visit there to “login” or “register” before accessing the internet ?

I’m assuming ( please correct me if I am wrong) that you are saying … If they try going direct to google, without “registering” first, they get an error because they are typing in the google address (or anything else ) not your portal address. Is that correct ?


#5

Yes, that’s what I mean.

They can’t access the internet until they log into the captive portal. I use firewall rules with iptables to forward all traffic to the HTTPS captive portal. The forwarding works fine with HTTP, but using HTTPS they have an SSL error with something like this on Google: “This connection is not private: couldn’t verify the server is google because the certificate comes from mycaptiveportal; this is maybe a bad configuration or a hacker network intercept”.


#6

A captive portal is that by definition. The only way to avoid cert errors in this situation is to reject HTTPS traffic and only direct plain HTTP to the portal.


#7

But HTTP is poor… and logins can be stolen… and it’s not possible to redirect HTTPS to HTTP.

I have another idea: how can I redirect all traffic (including HTTPS) outside the network directly to the hotel website where Let’s Encrypt is installed?

The clients have to connect to the network without error.


#9

The least awful thing you can do here is:

  • If customers try to visit an HTTP site before signing in, redirect them (HTTP 301 redirect) to the HTTPS captive portal server with a real name and thus a real Let’s Encrypt certificate.

  • If customers try to access something else before signing in, block it. Make sure to unblock this once they’re signed in.

Most popular systems today when accessing a WiFi network will use an HTTP connection (not HTTPS) to check whether there is a captive portal, and if so, they’ll offer to show it to the user. Android does this, Windows does this, I believe modern Ubuntu and Fedora and similar popular Linux distributions do it. I expect Macs and so on do it too.

However, I should say that it’s worth considering the location of your hotel as to whether many non-guests would ever use this service. It will be a better experience for guests if they don’t need to use the captive portal to connect; even some quite big hotel chains seem to be moving in that direction in my experience.


#10

Yeah, it’s a good idea to redirect all HTTP to HTTPS; I didn’t do that yet, but most of the time, I think, users open Google and try to enter something. In fact Google is using HTTPS… so in this case (HTTPS to HTTPS) that fails.

I’m wondering if it is possible to make a short piece of code in JavaScript for a popup, or a plugin with a link to the HTTPS portal inside, when the client opens his browser.


#11

Not to my knowledge. That would require intercepting the traffic, which you can’t for HTTPS connections. However, as @tialaramex said above, most modern systems will detect that there is a captive portal and will prompt the user to open up the portal page to connect.


#12

This is a hard problem and there is no easy and clean solution. The IETF is working on a standard: https://datatracker.ietf.org/wg/capport/charter/


#13

I think I have the beginning of a solution; I tested it on one of the DD-WRT routers:

  • Set up a repeater
  • Set up Chillispot to redirect the URL to my HTTPS captive portal

The browser opens itself to the page. Of course that doesn’t work if the client already has an HTTPS page registered, but in this case a new page with the captive portal appears to him. I don’t know why I lose access to my DD-WRT admin after setting up Chillispot; I have to test it again.

If you have a better idea, I’m ready to listen.

Thanks


#14

Please use the correct HTTP code 302 for a temporary redirection and not 301 for a permanent redirect.
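As an added example (not code from any poster in this thread), here is a small Python sketch of the gateway side of the approach described in #9, using the 302 from #14: iptables rules that send a guest's pre-login plain HTTP to a local redirector and reject everything else the guest tries to forward (HTTPS included, with a TCP reset so browsers fail fast instead of showing a certificate warning), plus the redirector itself, which answers every request with a 302 to the HTTPS portal. The OS captive-portal probes mentioned above are plain HTTP, so they hit the same redirector and trigger the sign-in prompt. The interface name wlan0, the portal name portal.example.com, port 8080, and the assumption that the router itself serves DHCP and DNS to guests (so those go through INPUT, not FORWARD) are all assumptions made for this example. It prints the rules by default and only applies them with --apply, run as root.

```python
"""Captive-portal gateway sketch: iptables rules plus a plain-HTTP redirector.

Assumptions (not from the thread): guest interface wlan0, portal at
portal.example.com with a publicly trusted certificate, redirector on port 8080,
and the router itself answering DHCP/DNS for guests.
"""
import subprocess
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

LAN_IF = "wlan0"                                  # assumed guest Wi-Fi interface
PORTAL_URL = "https://portal.example.com/login"   # assumed real name, real cert
REDIRECT_PORT = 8080                              # assumed local redirector port


def initial_rules(lan_if=LAN_IF, port=REDIRECT_PORT):
    """iptables commands for the 'nobody has signed in yet' state (run once)."""
    return [
        # nat: every guest's plain HTTP (port 80) goes to the local redirector
        ["iptables", "-t", "nat", "-N", "PORTAL"],
        ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", lan_if, "-j", "PORTAL"],
        ["iptables", "-t", "nat", "-A", "PORTAL", "-p", "tcp", "--dport", "80",
         "-j", "REDIRECT", "--to-ports", str(port)],
        # filter: refuse everything else a guest tries to forward, HTTPS included.
        # A TCP reset makes browsers fail fast rather than show a cert warning.
        ["iptables", "-N", "PORTAL_FWD"],
        ["iptables", "-A", "FORWARD", "-i", lan_if, "-j", "PORTAL_FWD"],
        ["iptables", "-A", "PORTAL_FWD", "-p", "tcp", "-j", "REJECT",
         "--reject-with", "tcp-reset"],
        ["iptables", "-A", "PORTAL_FWD", "-j", "REJECT"],
        # the router must accept the redirected connections itself
        ["iptables", "-A", "INPUT", "-i", lan_if, "-p", "tcp", "--dport", str(port),
         "-j", "ACCEPT"],
    ]


def signed_in_rules(client_ip, client_mac):
    """Rules inserted at the top of both chains once a guest has logged in.

    Matching on IP *and* MAC makes it harder for another guest to borrow the
    session by taking over the IP; neither is strong authentication on its own.
    """
    return [
        ["iptables", "-t", "nat", "-I", "PORTAL", "-s", client_ip,
         "-m", "mac", "--mac-source", client_mac, "-j", "RETURN"],
        ["iptables", "-I", "PORTAL_FWD", "-s", client_ip,
         "-m", "mac", "--mac-source", client_mac, "-j", "ACCEPT"],
    ]


def apply(rules, dry_run=True):
    """Print the commands (dry run) or execute them; returns the printed lines."""
    lines = [" ".join(cmd) for cmd in rules]
    for cmd, line in zip(rules, lines):
        if dry_run:
            print(line)
        else:
            subprocess.run(cmd, check=True)
    return lines


def redirect_target(host, path):
    """Location for the 302: the HTTPS portal, carrying the page the guest wanted."""
    wanted = "http://" + (host or "") + path
    return PORTAL_URL + "?next=" + quote(wanted, safe="")


class Redirector(BaseHTTPRequestHandler):
    """Answers every plain-HTTP request (including OS captive-portal probes,
    which simply need to *not* see the content they expect) with a 302."""

    def do_GET(self):
        # 302, not 301: the redirect is temporary, the same URL works after login
        self.send_response(302)
        self.send_header("Location", redirect_target(self.headers.get("Host"), self.path))
        self.send_header("Cache-Control", "no-store")   # never cache the redirect
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET

    def log_message(self, *args):   # keep the example quiet
        pass


if __name__ == "__main__":
    apply(initial_rules(), dry_run="--apply" not in sys.argv)
    HTTPServer(("0.0.0.0", REDIRECT_PORT), Redirector).serve_forever()
```

The portal's login handler would call `signed_in_rules()` for the guest's address and MAC after a successful login and apply them in the same way; removing those two rules again when the session expires is what turns the guest back into an unauthenticated client.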


#15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.