Configuration of the Captive Portal
Last adaptation to the version: 12.2.0
Introduced with 12.2; the documentation is based on v12.6.0

New:
  • No changes to the Server Settings are required any more
  • ACME wildcard certificates can be used for the landing page

Preliminary remark

The captive portal redirects an HTTP client in a network to a special web page (the so-called landing page) before it can connect normally to the Internet. There, the terms of use must be accepted, and additional authentication can be configured.


  • As of version 12, the UTM can manage ACME certificates (Let's Encrypt).
    It is recommended to use either an ACME certificate, a certificate purchased from an official CA, or an already existing wildcard certificate for the captive portal, to avoid browser warning messages later on.

  • Planning

    The following aspects should be considered before configuration:

    • For which networks should the captive portal be configured?
      Will all potential users be reached exclusively?
    • How and by whom will the terms of use be written?
    • Should authentication take place?
    • Which internal web servers are not allowed to be reached from the network behind the captive portal?




    Only a few preparations must be made to use the captive portal:

    1. A certificate must be available for the landing page
    2. Implicit and port filter rules must allow access

    Changing the firewall name is no longer necessary since v12.
    The host name of the portal page is configured under Applications > Captive Portal > Area General.


    Provide certificate

    Create an ACME certificate

    To use ACME certificates (Let's Encrypt) the following steps are required:

    • Activate ACME service
    • Generate ACME Challenge Token on spDyn
    • Create certificate
    • Add SAN with spDyn hostname and token
    • Create certificate




    Authentication > Certificates > Area ACME

    Caption | Value | Description
    Activated: | Yes | Enables the use of ACME certificates. For more information see Activate ACME service below.
    Use system-wide nameservers for ACME challenges: | Yes | If the addresses of the servers used for the ACME challenges cannot be resolved via the system-wide nameservers (e.g. due to configured relay or forward zones), alternative nameservers can be entered after switching this to No.
    Nameserver for ACME challenges: | »85.209.185.50 »85.209.185.51 »2a09:9c40:1:53::1 »2a09:9c40:1:53::2 | Nameservers used for the ACME challenges when the system-wide nameservers are disabled.


    Activate ACME service

    To be able to use ACME certificates, this must be enabled under Authentication > Certificates > Area ACME with Activated: Yes.

    • As soon as the service has been activated and this has been saved, the link to the terms of use is loaded and the settings can be accessed.
    • With the button Activate: Yes and an e-mail address for notifications by the ACME service provider (here: Let's Encrypt), the information can be saved.
    • A dialog appears with a link to the Terms of Use, which must be accepted with Yes.


    Generate token

    To generate the certificates, the ACME token must first be generated in the spDYN portal.
    Within the spDYN portal, the corresponding host must be opened.

    • Call up the spDyn host
    • Select ACME Challenge Token from the Token drop-down menu.
    • Generate token
      The token is displayed once during generation and cannot be displayed again.
      The token should be noted and stored safely.

    Renewal of ACME certificates

    New as of 12.4
    The renewal of the ACME/Let's Encrypt certificates takes place via the nameservers configured under Authentication > Certificates > Area ACME (see above).


    ACME Certificates

    After completing the previous steps, the actual certificate can now be generated. A click on Add ACME certificate in the Certificates tab opens the corresponding dialog.

    Add ACME certificate

    UTM dialog: Authentication > Certificates > Area Certificates > Button Add ACME certificate

    Caption | Value | Description
    Name: | acme_ttt-Point | Name to identify the certificate
    Key length: | 2048 | Key length of the certificate. Possible values:
    ACME Account: | Let's Encrypt | ACME account which should be used
    Subject Alternative Name: | | Configured with Add SAN

    Add Subject Alternative Name

    Caption | Value | Description
    Subject Alternative Name: | »ttt-point.spdns.org »*.ttt-point.spdns.org | The Subject Alternative Name (SAN) is stored in the certificate and corresponds to the URL that is called.
  • Wildcard SANs can also be used.
  • Wildcard certificates are strongly recommended for use with a captive portal.
    If a forward zone is required for the captive portal in the nameserver and an A record is then entered for it, this name is no longer resolved in the public DNS.
    Verification and renewal of an ACME certificate with this name will then fail.

    Alias: | ttt-point.spdns.org | If the SAN is a spDYN hostname, it is automatically taken over as the alias (also for wildcard domains, without the *).
    Token: | ••••••••••••• | The token from the spDYN portal (see above) proves to the ACME service that you are allowed to dispose of the hostname. A button next to the field displays the token.
    When inserting the token from the clipboard, there may be blanks before or after the actual token. These must be removed.

    Check configuration

    Caption | Value | Description
    Status: | Not yet checked | Before the actual generation of the certificate, the configuration must first be checked. This is done by clicking on the Check configuration button.
    Status: | Initializing | The check can take several minutes. During this process, the dialog is updated regularly.
    Status: | Valid | If the check is successful, the status Valid is displayed.
    Status: | DNS error | Possible causes:
    • wrong token
    • DNS resolution disturbed
    • zone forwarding configured in DNS
    • local DNS zone configured in DNS
    • If there is a zone in the nameserver of the UTM for a domain that also uses the ACME certificate, the DNS resolution fails. Solution: create a CNAME record for this domain.
      • Search for the zone under Menu > Applications > Nameserver > Zones
      • Click on Edit
      • Click on +Add Entry in the window
      • Enter a suitable name under Name:
      • Select CNAME under Type:
      • Enter the domain under Value:

    Configure a Subject Alternative Name for an external DNS zone with Add SAN

    Add SAN for external DNS zone

    Caption | Value | Description
    Subject Alternative Name: | ttt-point.anyideas.org | The Subject Alternative Name (SAN) from the external DNS zone.
    Alias: | ttt-point.spdns.org | The alias must also be the spDYN name for the external DNS.
    DNS provider: | | Basically, an additional CNAME record with the prefix _acme-challenge followed by the host name must be created at the DNS provider hosting the external zone (here: ttt-point.anyideas.org), pointing to _acme-challenge.ttt-point.spdns.org. (with "." at the end!).
    An example excerpt from a zone file for the configuration of the two hostnames mx.ttt-point.de and exchange.ttt-point.de looks like this:
    _acme-challenge.mx.ttt-point.anyideas.org. IN CNAME _acme-challenge.ttt-point.spdns.org.
    _acme-challenge.exchange.ttt-point.anyideas.org. IN CNAME _acme-challenge.ttt-point.spdns.org.

  • The hostname must be resolvable in the public DNS.
    Certificate creation for .local, .lan, etc. zones is not possible.
  • The UTM must be able to resolve the host name correctly via external nameservers.
    If the internal and the external/public domain are identical, the zone must also be delegated to the internal DNS.
  • Check configuration: additional SANs can be added and checked as long as the Save button has not been pressed.
    Status: Valid. Once all the required SANs have been successfully checked, the certificate can be saved.
    Once the certificate has been saved, no more changes can be made. Only the alias and the token can be changed for existing SANs.
  • If additional or different SANs are required, a new certificate must be created and the existing one revoked.
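    A small check for the _acme-challenge delegation described above, added here as an example and not part of the wiki page: it parses zone-file lines like the excerpt above and reports, per SAN hostname, whether the CNAME to the spDYN alias exists, has the right record type, and is terminated with a dot. The sample zone below is constructed; the hosts portal.* and owa.* are invented to show the failure cases.

```python
# Added example: verify the _acme-challenge CNAME delegation for ACME SANs in
# an external DNS zone (stdlib only). The zone text below is constructed.

# Constructed zone-file excerpt: line 1 is correct, line 2 lacks the trailing
# dot (a relative name, which the DNS server completes with the zone origin),
# line 3 has the wrong record type, and owa.* has no record at all.
SAMPLE_ZONE = """\
; external zone ttt-point.anyideas.org (constructed sample)
_acme-challenge.mx.ttt-point.anyideas.org.       IN CNAME _acme-challenge.ttt-point.spdns.org.
_acme-challenge.exchange.ttt-point.anyideas.org. IN CNAME _acme-challenge.ttt-point.spdns.org
_acme-challenge.portal.ttt-point.anyideas.org.   3600 IN A 192.0.2.10
"""

SPDYN_ALIAS = "ttt-point.spdns.org"   # the Alias field of the Add SAN dialog


def parse_zone(text):
    """Parse 'name [ttl] [class] TYPE value' lines into (name, type, value)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        name = fields.pop(0)
        if fields and fields[0].isdigit():        # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        records.append((name.lower(), fields[0].upper(), " ".join(fields[1:])))
    return records


def check_acme_delegation(zone_text, hostnames, alias):
    """Return {hostname: 'ok' or a problem description} for each SAN host."""
    expected = f"_acme-challenge.{alias}.".lower()
    by_name = {n: (t, v) for n, t, v in parse_zone(zone_text)}
    report = {}
    for host in hostnames:
        rec = by_name.get(f"_acme-challenge.{host}.".lower())
        if rec is None:
            report[host] = "missing: no _acme-challenge record"
        elif rec[0] != "CNAME":
            report[host] = f"wrong type {rec[0]}: must be CNAME"
        elif not rec[1].endswith("."):
            report[host] = "relative target: trailing '.' missing"
        elif rec[1].lower() != expected:
            report[host] = f"points to {rec[1]} instead of {expected}"
        else:
            report[host] = "ok"
    return report


if __name__ == "__main__":
    sans = [f"{h}.ttt-point.anyideas.org" for h in ("mx", "exchange", "portal", "owa")]
    for host, status in check_acme_delegation(SAMPLE_ZONE, sans, SPDYN_ALIAS).items():
        print(f"{host:36} {status}")
```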
    Creation of the ACME certificate

    If the previous steps have been completed successfully, the actual process for validating and generating the certificate is triggered by clicking Save.

    This process may take some time. To update the status, the dialog must be reloaded manually.


    Status values

    The following status values can occur:

    Status | Description | Note
    Valid | The ACME certificate is valid |
    Not yet verified | The ACME certificate still needs to be verified |
    Internal error | An internal error has occurred | Possible causes: broken hardware, software error, configuration error
    Connection error | No connection possible / present | Check the connection settings
    Invalid | The ACME certificate is invalid and cannot be used |
    DNS error | A DNS error has occurred | Possible causes: wrong token; DNS resolution disrupted; zone forwarding configured in DNS; local DNS zone configured in DNS; a zone in the nameserver of the UTM for a domain that also uses the ACME certificate, in which case DNS resolution fails (solution: create a CNAME record for this domain, as described under Check configuration above)
    Banned | The ACME certificate has been revoked | Either it has been manually revoked or it has lost its validity, e.g. the ACME certificate expired and was not renewed.
    Initializing | The verification of the ACME certificate is initiated | This can take several minutes. The status is updated regularly.
    Deferred | The verification of the ACME certificate is postponed | Refreshing the status will take some time, since the request limit has already been reached.
    Initialized | The ACME certificate is being verified | The verification of the ACME certificate is initiated.

    Purchased certificate

    Alternatively, a purchased certificate can also be imported.

    Basically, there are two options here:

    • A Certificate for a FQDN
      • in this case the common name of the certificate would be portal.anyideas.de
    • A wildcard certificate
      • in which case the common name of the certificate would be *.anyideas.de


    1. In the first step, the CA supplied together with the certificate must be imported into the UTM.
       Menu Authentication > Certificates > Area CA > Button Import CA





    Import format

    Certificates and CAs to be imported into a UTM must be in the format .pem or .p12 (PKCS#12).

    Certificates can be converted with the tool openssl (available for all common platforms; part of Linux, called via the console) using the following commands:

    Certificate | Command
    X509 to PEM | openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
    DER to PEM | openssl x509 -inform der -in certificate.cer -out certificate.pem
    P7B to PEM | openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
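    As an added example (not Securepoint's code and not part of openssl), the following stdlib-only Python script classifies a certificate file by its outer ASN.1 structure, telling PEM, DER X.509, PKCS#7 (.p7b) and PKCS#12 (.p12/.pfx) apart regardless of the file extension, and performs the two password-free conversions from the table above; PKCS#12 is only reported, since its private key is encrypted and needs openssl pkcs12 as described below. The sample blobs at the end are constructed ASN.1 skeletons, not real certificates.

```python
# Added example (not Securepoint's code): classify a certificate file by its
# outer ASN.1 structure and convert it to PEM for import, stdlib only.
import ssl

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1

def der_encode(tag, content):
    """Build one DER TLV; only used to construct the sample blobs below."""
    n, size = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def der_decode(buf, pos=0):
    """Parse the TLV at pos; return (tag, value, raw_element, end_offset)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold it
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], buf[start:end], end

def der_children(value):
    """Yield (tag, value, raw) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, raw, pos = der_decode(value, pos)
        yield tag, inner, raw

def identify(data):
    """Classify file bytes as PEM, DER, PKCS7, PKCS12 or UNKNOWN."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    try:
        tag, value, _, _ = der_decode(data)
        first_tag, first_val, _ = next(der_children(value))
    except (IndexError, ValueError, StopIteration):
        return "UNKNOWN"
    if tag != 0x30:                         # all three start with a SEQUENCE
        return "UNKNOWN"
    if first_tag == 0x30:                   # Certificate: tbsCertificate SEQUENCE
        return "DER"
    if first_tag == 0x06:                   # ContentInfo: contentType OID
        return "PKCS7" if first_val == OID_SIGNED_DATA else "UNKNOWN"
    return "PKCS12" if first_tag == 0x02 else "UNKNOWN"   # PFX: INTEGER version

def pkcs7_certificates(data):
    """Return the DER certificates carried in a PKCS#7 SignedData blob."""
    _, content_info, _, _ = der_decode(data)
    _, explicit0, _ = list(der_children(content_info))[1]   # [0] EXPLICIT SignedData
    _, signed_data, _, _ = der_decode(explicit0)
    # SignedData = version, digestAlgorithms, encapContentInfo, [0] IMPLICIT certs
    certs = [inner for tag, inner, _ in der_children(signed_data) if tag == 0xA0]
    return [raw for _, _, raw in der_children(certs[0])] if certs else []

def to_pem(data):
    """Equivalent of the openssl x509 / pkcs7 -print_certs conversions above."""
    kind = identify(data)
    if kind == "PEM":
        return data.decode()
    if kind not in ("DER", "PKCS7"):
        raise ValueError(f"{kind}: not handled here (PKCS#12 needs openssl pkcs12 -nodes)")
    certs = [data] if kind == "DER" else pkcs7_certificates(data)
    return "".join(ssl.DER_cert_to_PEM_cert(c) for c in certs)

# Constructed samples: structurally valid skeletons, not real certificates.
FAKE_CERT = der_encode(0x30, der_encode(0x30, b"") + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
SIGNED = (der_encode(0x02, b"\x01") + der_encode(0x31, b"") + der_encode(0x30, der_encode(0x06, OID_DATA))
          + der_encode(0xA0, FAKE_CERT + FAKE_CERT) + der_encode(0x31, b""))
SAMPLE_P7B = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, der_encode(0x30, SIGNED)))
SAMPLE_PFX = der_encode(0x30, der_encode(0x02, b"\x03") + der_encode(0x30, der_encode(0x06, OID_DATA)))
```

    On a real file, read it in binary mode and pass the bytes to to_pem(); the result is the text the UTM import dialog expects.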


    Error message during import

    During import, the error message "The certificate format is not supported..." may appear.
    Password-protected certificates in PKCS#12 format (.p12, .pfx, .pkcs12) in conjunction with older ciphers can trigger this error.

    New as of v12.5.1
    Import is usually possible if the option Support legacy cryptographic algorithms: On is enabled in the General tab.
    Requires a reboot. This will interrupt all connections (incl. VPN connections) to the UTM!

    Options for importing certificates:

    • Convert the certificate to *.pem
      Certificates can be converted with the tool openssl (available for all common platforms; part of Linux, called via the console) using the following command:
      openssl pkcs12 -in Zertifikat.pfx -out Zertifikat.pem -nodes
      Note that -nodes writes the private key unencrypted into the .pem file, so the file should be deleted after the import.
      Alternatively with the help of an online service. Since a .pfx file contains the private key, that key is disclosed to the service; the local openssl conversion is preferable.

    • CLI commands to allow certificate import with obsolete ciphers in the UTM
      extc global set variable GLOB_ENABLE_SSL_LEGACY value 1
      appmgmt config application "securepoint_firewall"
      appmgmt config application "fwserver"
      system reboot

      Requires a reboot. This will interrupt all connections (incl. VPN connections) to the UTM!
    cli> extc global get variable GLOB_ENABLE_SSL_LEGACY 
    variable              |value
    ----------------------+-----
    GLOB_ENABLE_SSL_LEGACY|0  
    
    cli> extc global set variable GLOB_ENABLE_SSL_LEGACY value 1
    OK
    
    cli> extc global get variable GLOB_ENABLE_SSL_LEGACY
    variable              |value
    ----------------------+-----
    GLOB_ENABLE_SSL_LEGACY|1
    
    cli> appmgmt config application "securepoint_firewall"
    cli> appmgmt config application "fwserver"
    

    Local certificate

    The UTM can also provide its own certificate.

    • At Authentication > Certificates > Area CA a CA must be created.
    • At Authentication > Certificates > Area Certificates a server certificate must be created.
      A separate certificate should be created for the captive portal so that it can be revoked if necessary without affecting other connections or applications.

    How to create a certificate on the UTM can be read here.

  • Since this certificate is issued by the UTM's own CA, its authenticity cannot be verified by a browser.
    The user receives a warning message in which the trustworthiness must be confirmed once.

    Captive Portal User

    Captive Portal users must authenticate themselves and agree to the terms of use when they connect to an appropriately configured network. Only then is network access released, according to the port filter rules.
    Firewall users who are members of a group with the permission Userinterface Administrator: On (Authentication > User > Area Groups) can access the Captive Portal user management via the user interface (by default on port 443).



    Add user

    Captive Portal users can be managed by:

    • Administrators
    • Users who are members of a group with the permission Userinterface Administrator.
      They reach the user administration via the user interface.

    Caption | Value | Description
    Login name: | user-DGS-6UM | Randomly generated login name. Once saved, login names cannot be changed.
    Password: | IH3-FF5-BSP-APZ-USC | Randomly generated password. The login name and password can be regenerated with the button. Once saved, passwords cannot be displayed again.
    Expiry date: | yyyy-mm-dd hh:mm:ss | Limits the validity of the credentials
    - / + | New as of v12.2.2 | These buttons shorten (-) or extend (+) the expiry date by 24 hours from the current time
    Print and save | | Saves and closes the dialogue, creates an HTML page with the username and password and opens the print dialogue
    | | Saves the information and closes the dialogue. The password can then no longer be displayed. However, a new password can be created at any time.
    | | Closes the dialogue without saving changes.

    Implied rules

    Firewall - Implied rules: Menu Firewall > Implied rules > Group Captive Portal: On
    At the item Captive Portal in the menu Implied rules, make sure that both rules are activated.
    The switch CaptivePortalPage opens an incoming port on the corresponding interface of the firewall, which is intended for the captive portal to be able to display the landing page.
    The switch CaptivePortalRedirection is, as the name suggests, responsible for redirecting the traffic to the port mentioned above.



    Firewall - Port filter
    A rule is required in the port filter to allow Captive Portal users to access the Internet.
    Alternatively, an auto-generated any rule can also be created in the Captive Portal settings using the button in the General tab.

    Rule 1
    Source: captive_portal
    Destination: internet
    Service: default-internet
    [–] NAT
    Type: HideNAT
    Network object: external-interface

    Save

    Update Rules



    Settings in the Captive Portal

    Menu Applications > Captive Portal

    General

    Caption | Value | Description
    Captive Portal: | On | This switch enables or disables the captive portal
    Implied rules: | | Shows green when the implied rules of the captive portal are activated. If yellow, these rules are not used.
    Port filter rule: | | Shows green if port filter rules exist for the captive portal. With the + button an auto-generated any rule can be created. Better, but more elaborate, are rules that only release a selected network.
    Portalpage Hostname: | portal.anyideas.de | In the case of a certificate for a FQDN, this should correspond to the Common Name of the certificate. In the case of a wildcard certificate, the host name must correspond to the response to a DNS query of the client.
    Certificate: | ttt-Point (ACME) | Select the certificate created above.
    Nodes: | × wlan-0-network (wlan0) | Select the network objects that represent the networks which should be redirected to the landing page.

    Advanced

    Caption | Value | Description
    Authentication: | On | If desired, authentication can be enforced here.
    Portalpage Port: | 8085 | A port must be defined for the captive portal; it can be changed.
    Maximum connection time (seconds): | 1800 | The time frame in which a registration in the captive portal is valid. Once this time has expired, web access to the Internet is blocked and a reconfirmation of the terms of use (and, if configured, authentication) is required.

    Designs

    • The captive portal can and must be customised.
    • In any case, the terms of use must be specified.
    • A design can be created for each language.
    • It is sufficient to enter the details that have been changed compared with the fallback design.
    • The fallback design must contain all of the following information.

    Call with the edit button or Add design.

    Branding

    Call with the edit button or Add design.

    Terms of use

    Terms of use: Nutzungsbedingungen/Terms of Use. Your own terms of use have to be entered here.
    For liability reasons we cannot provide them. For the same reason we recommend consulting a lawyer.

    Translations

    Translations for the labels. If a translation is missing, the value of the default language is used.



    Nameserver

    Menu Applications > Nameserver > Area Zones
    If the firewall name cannot be changed to a FQDN, for example because the UTM is used as an outgoing mail relay, the name server of the firewall must also be used. In this example, it is assumed that the firewall is the responsible DHCP server for the network of the captive portal and is set up as its primary DNS server.

    Add Forward Zone

    Button Add Forward Zone

    The zone name to be assigned corresponds to the landing page of the captive portal, in the example portal.anyideas.de.
    localhost is used as the host name of the name server.
    The IP address field can be left empty.

    Step 1: Zone Name: portal.anyideas.de
    Step 2: Nameserver Hostname: localhost
    Step 3: IP Address: can be left empty

    Edit Forward Zone

    Nameserver - A record with IP address. The following entry is added to the zone just created (Button Add entry):

    Caption | Value | Description
    Name: | portal.anyideas.de. | FQDN of the firewall, with "." at the end
    Type: | A | A record
    Value: | 192.168.100.1 | IP of the interface via which the captive portal is to be reached (here wlan0)




    Transparent mode

    HTTP Proxy - Transparent Proxy: Menu Applications > HTTP Proxy > Area Transparent mode
    To access the Internet via the required HTTP proxy, at least one rule is necessary (HTTP), better two (additionally HTTPS).

    Button Add transparent rule

    Caption | Value
    Protocol: | HTTP
    Type: | include
    Source: | wlan-0-network
    Destination: | internet

    To access https pages, SSL Interception: On must be activated in the tab SSL Interception. (Requires a CA certificate of the UTM.)

    Caption | Value
    Protocol: | HTTPS
    Type: | include
    Source: | wlan-0-network
    Destination: | internet




    Webfilter

    Finally, the web filter should be configured, since without rules in the port filter, surfing through the proxy would allow access to e.g. internal web servers:

    With authentication

    1. Firewall > Packet filter > Area Network objects > Button Add group
       Create a group (e.g. grp_CP_webfilter) that contains the wlan-0-network network object
    2. Applications > Webfilter > Button Add profile
    3. Network or user group: grp_CP_webfilter. Select the newly created group and Save
    4. Edit the newly generated rule record
       1. webserver.anyideas.de: URL of the (internal) server to which access via the captive portal should be blocked. Add URL
       2. Leave the action on block

    Without authentication

    1. Applications > Webfilter > Button Add profile
    2. Select the user group
    3. Edit the newly generated rule record
       1. webserver.anyideas.de: URL of the (internal) server to which access via the captive portal should be blocked. Add URL
       2. Leave the action on block