Configuration of the Captive Portal

Last adaptation to the version: 11.8.7


New:

  • Article updated
  • English translation
  • Added rule for HTTPS with SSL interception

Previous versions: -


Server settings

Server Settings - FQDN & DNS Server

Menu → Network → Server settings, tab Server settings

Customize Firewall Name

The firewall name should be defined as an FQDN (in the example portal.anyideas.de).
This is necessary so that the name under which the landing page of the captive portal is later resolved matches the certificate.

Firewall
Firewall name: portal.anyideas.de (FQDN-compliant firewall name)

Entering the DNS server

The localhost (here 127.0.0.1) is entered as the primary name server. In the past, google-public-dns-a.google.com has proven itself as a secondary name server because of its fast response time and high availability.

DNS server
Primary name server: 127.0.0.1 (localhost)
Secondary name server: 8.8.8.8 (possible name server: google-public-dns-a.google.com)



Importing certificates

Since the landing page of the captive portal is an HTTPS website, the next step is to provide the required certificate. We strongly recommend buying a certificate from an official CA (or using an existing wildcard certificate) to avoid later problems with browser warnings.
Basically there are two options:

  • A certificate for an FQDN
    • in this case the common name of the certificate would be portal.anyideas.de
  • A wildcard certificate
    • in which case the common name of the certificate would be *.anyideas.de
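Before buying either certificate it is worth checking that the firewall name configured above will actually be covered by the certificate's name, since a wildcard such as *.anyideas.de covers portal.anyideas.de but not anyideas.de itself or any deeper name. The following is an added example (not Securepoint code; the function names are the author's own) implementing the RFC 6125 matching rule:

```python
"""Check that the firewall name (FQDN) chosen for the captive portal will be
covered by the certificate's name(s) before the certificate is bought.

Added example, not Securepoint code. Implements the hostname matching rule
of RFC 6125 (a '*' matches exactly one left-most DNS label)."""


def _label_matches(pattern_label, host_label):
    """Match one DNS label; '*' as a whole label matches any non-empty label."""
    if pattern_label == "*":
        return bool(host_label)
    return pattern_label == host_label


def hostname_matches(cert_name, hostname):
    """True if a certificate name (CN or SAN dNSName, possibly a wildcard such
    as '*.anyideas.de') covers the given hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # Label counts must agree: '*.anyideas.de' covers neither the bare
    # 'anyideas.de' nor the deeper 'a.b.anyideas.de'.
    if len(cert_labels) != len(host_labels):
        return False
    if "*" in cert_name:
        # Wildcard only as the complete left-most label, and not directly
        # under a public suffix ('*.de' is refused).
        if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
            return False
        if len(cert_labels) < 3:
            return False
    return all(_label_matches(p, h) for p, h in zip(cert_labels, host_labels))


def check_firewall_name(firewall_name, cert_names):
    """Report whether the configured firewall name is an FQDN and which of the
    certificate's names cover it."""
    is_fqdn = "." in firewall_name.strip(".")
    covering = [n for n in cert_names if hostname_matches(n, firewall_name)]
    return {"is_fqdn": is_fqdn, "covered": bool(covering), "matched_by": covering}


if __name__ == "__main__":
    # Constructed sample: the article's firewall name against its two
    # certificate options plus a non-matching name.
    for names in (["portal.anyideas.de"], ["*.anyideas.de"], ["www.anyideas.de"]):
        print(names, check_firewall_name("portal.anyideas.de", names))
```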


  1. In the first step, the CA provided together with the certificate must be imported into the UTM.
    Menu Authentication → Certificates, area CA, button Import CA

  2. In the second step, the certificate itself is imported into the UTM in the same menu (Menu Authentication → Certificates).




Import format

Certificates and CAs to be imported into a UTM must be in the format .pem or .p12 (PKCS#12).

Certificates can be converted with the tool openssl (available for all common platforms; part of Linux, called from the console) using the following commands:

Certificate    Command
X509 to PEM    openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
DER to PEM     openssl x509 -inform der -in certificate.cer -out certificate.pem
P7B to PEM     openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem


Error message during import

During import, the error message "The certificate format is not supported..." may appear.
Password-protected certificates in PKCS#12 format (.p12, .pfx, .pkcs12) in conjunction with older ciphers can trigger this error.

Import is usually possible if, in the tab General, the option Support legacy cryptographic algorithms is switched On (New as of v12.5.1).
Note: Requires a reboot. This will interrupt all connections (incl. VPN connections) to the UTM!

Options for importing certificates:

  • Convert the certificate to *.pem
    Certificates can be converted with the tool openssl (available for all common platforms; part of Linux, called from the console) using the following command:
    openssl pkcs12 -in Zertifikat.pfx -out Zertifikat.pem -nodes
    Alternatively with the help of an online service (not advisable for a file that contains the private key)

  • CLI commands to allow certificate import with obsolete ciphers in the UTM
    extc global set variable GLOB_ENABLE_SSL_LEGACY value 1
    appmgmt config application "securepoint_firewall"
    appmgmt config application "fwserver"
    system reboot

    Note: Requires a reboot. This will interrupt all connections (incl. VPN connections) to the UTM!
cli> extc global get variable GLOB_ENABLE_SSL_LEGACY 
variable              |value
----------------------+-----
GLOB_ENABLE_SSL_LEGACY|0  

cli> extc global set variable GLOB_ENABLE_SSL_LEGACY value 1
OK

cli> extc global get variable GLOB_ENABLE_SSL_LEGACY
variable              |value
----------------------+-----
GLOB_ENABLE_SSL_LEGACY|1

cli> appmgmt config application "securepoint_firewall"
cli> appmgmt config application "fwserver"
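Because enabling GLOB_ENABLE_SSL_LEGACY forces a reboot that drops every connection to the UTM, it helps to find out first whether a .p12/.pfx file really uses the old PKCS#12 ciphers (RC2, 3DES) or whether the import fails for another reason. The following added example (not Securepoint code; function names are the author's own) scans the DER file for the PBE algorithm OIDs; beyond the PEM conversion shown above it also suggests re-exporting the file with PBES2/AES as an alternative:

```python
"""Triage a PKCS#12 (.p12/.pfx) file before importing it into the UTM: report
whether its key/certificate bags are protected with the legacy PKCS#12 PBE
ciphers (RC2, 3DES) that can cause "The certificate format is not supported"
on import, or with modern PBES2.

Added example, not Securepoint code. It scans the DER bytes for the
OID encodings instead of parsing the full ASN.1 structure; that is
sufficient for triage (a false hit is possible only if the bytes occur
inside encrypted payload, which is unlikely for 10-byte patterns)."""
from pathlib import Path

# DER-encoded OBJECT IDENTIFIER values (tag 0x06, length, contents).
PBE_OIDS = {
    "pbeWithSHA1And40BitRC2-CBC (legacy)": bytes.fromhex("060a2a864886f70d010c0106"),
    "pbeWithSHA1And128BitRC2-CBC (legacy)": bytes.fromhex("060a2a864886f70d010c0105"),
    "pbeWithSHA1And3-KeyTripleDES-CBC (legacy)": bytes.fromhex("060a2a864886f70d010c0103"),
    "PBES2 (modern)": bytes.fromhex("06092a864886f70d01050d"),
}
LEGACY = {name for name in PBE_OIDS if "legacy" in name}


def pkcs12_pbe_algorithms(der):
    """Return {'found': [algorithm names], 'legacy': bool} for DER PKCS#12 bytes."""
    found = [name for name, oid in PBE_OIDS.items() if oid in der]
    return {"found": found, "legacy": any(n in LEGACY for n in found)}


def triage_file(path):
    """Read a .p12/.pfx from disk and attach a recommendation."""
    result = pkcs12_pbe_algorithms(Path(path).read_bytes())
    if result["legacy"]:
        result["advice"] = ("convert to PEM (openssl pkcs12 -nodes) or re-export the "
                            "PKCS#12 with PBES2/AES before enabling legacy algorithms "
                            "on the UTM, which requires a reboot")
    else:
        result["advice"] = "no legacy PBE found; look elsewhere for the import error"
    return result


if __name__ == "__main__":
    # Constructed sample: a SEQUENCE header followed by the RC2-40 PBE OID and
    # a dummy salt, standing in for a real legacy .pfx export.
    sample = b"\x30\x82\x01\x00" + PBE_OIDS["pbeWithSHA1And40BitRC2-CBC (legacy)"]
    sample += b"\x04\x08" + bytes(8)
    print(pkcs12_pbe_algorithms(sample))
```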
Captive Portal User

Captive Portal users must authenticate themselves and agree to the terms of use when they connect to an appropriately configured network. Only then is network access released, according to the port filter rules.
Menu Authentication → User

Note: Firewall users who are members of a group with the permission Userinterface Administrator (Authentication → User, area Groups) can access the Captive Portal user management via the User-Interface (by default on port 443).



Add user

Captive Portal users can be managed by:

  • Administrators
  • Users who are members of a group with the permission Userinterface Administrator.
    They reach the user administration via the user interface.

Add Captive Portal User (Menu Authentication → User)

  • Login name: user-DGS-6UM
    Randomly generated login name. Once generated, login names cannot be changed after saving.
  • Password: IH3-FF5-BSP-APZ-USC
    Randomly generated password. The login name and password can be regenerated with the button. Once saved, passwords cannot be displayed again.
  • Expiry date: yyyy-mm-dd hh:mm:ss
    Limits the validity of the credentials.
    New as of v12.2.2: the - / + buttons shorten or extend the expiry date by 24 hours from the current time.
  • Print and save
    Saves and closes the dialogue, creates an HTML page with the username and password and opens the print dialogue.
  • Save button
    Saves the information and closes the dialogue. The password can then no longer be displayed. However, a new password can be created at any time.
  • Cancel button
    Closes the dialogue without saving changes.