This article refers to a version that is no longer current!
The article for the latest version is here.
There is already a newer version of this article, but it refers to a Reseller-Preview.
Configuration of the Captive Portal

Last adapted to version: 11.8.7


New:

  • Article updated
  • English translation
  • Added rule for HTTPS with SSL interception

Previous versions: -


Server settings

Server Settings - FQDN & DNS Server

Menu → Network → Server settings, tab Server settings

Customize firewall name

The firewall name should be defined as an FQDN (in the example portal.anyideas.de).
This is necessary so that the landing page of the captive portal later resolves to a name that matches the certificate.

Firewall
| Setting | Value | Description |
|---|---|---|
| Firewall name | portal.anyideas.de | FQDN-compliant firewall name |

Entering the DNS server

The localhost (here 127.0.0.1) is entered as the primary name server. In the past, google-public-dns-a.google.com has proven itself as a secondary name server with its fast response time and high availability.

DNS server
| Setting | Value | Description |
|---|---|---|
| Primary name server | 127.0.0.1 | Localhost |
| Secondary name server | 8.8.8.8 | Possible name server: google-public-dns-a.google.com |



Importing certificates

Since the landing page of the captive portal is an HTTPS website, the next step is to provide the required certificate. We strongly recommend buying a certificate from an official CA (or using an existing wildcard certificate) to avoid browser warnings and the resulting confusion later on.
Basically there are two options:

  • A certificate for an FQDN
    • in this case the common name of the certificate would be portal.anyideas.de
  • A wildcard certificate
    • in this case the common name of the certificate would be *.anyideas.de

  1. In the first step, the CA provided together with the certificate must be imported into the UTM.
    Menu → Authentication → Certificates, tab CA, button Import CA

  2. In the second step, the certificate itself is imported in the same menu (Menu → Authentication → Certificates).

The CA and the certificate must be in .pem format!

Certificates can be converted with the tool openssl (available for all common platforms; part of Linux, called from the console) using the following commands:

| Conversion | Command |
|---|---|
| X509 to PEM | openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem |
| DER to PEM | openssl x509 -inform der -in certificate.cer -out certificate.pem |
| P7B to PEM | openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem |
| PFX to PEM | openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes |

A P7B file in binary (DER) form additionally needs -inform der. Note that -nodes writes the private key unencrypted into the resulting .pem file, so protect that file accordingly.

Create group if necessary

User - Create group & assign rights

Menu → Authentication → User, tab Groups, button Add group, tab Authorizations

If users are to be authenticated at the captive portal, the next step is to create a group with the required permission HTTP-Proxy On.

This explains how to create a user group.

If desired, and with an existing integration into an Active Directory, the group can also be mapped to a group that already exists in AD or to one that is still to be created.



Implicit rules

Firewall - implicit rules

Menu → Firewall → Implicit rules, group Captive Portal (On)
At the item Captive Portal in the menu Implicit rules you have to make sure that both rules are activated.
The switch CaptivePortalPage opens an incoming port on the corresponding interface of the firewall, on which the captive portal serves the landing page.
The switch CaptivePortalRedirection is, as the name suggests, responsible for redirecting the traffic to the port mentioned above.


Settings in the Captive Portal

Menu → Applications → HTTP-Proxy, tab Captive Portal

HTTP-Proxy - Captive Portal

| Caption | Value | Description |
|---|---|---|
| Captive Portal: | On | This switch enables or disables the captive portal. |
| Authentication: | On | |
| Certificate: | portal.anyideas.de | Please select the certificate imported above. |
| Maximum connection time (seconds): | 1800 | The time frame in which a registration in the captive portal is valid. If this time has expired, web access to the Internet is blocked and a reconfirmation of the terms of use (and, if desired, authentication) is required. |
| Portalpage Hostname: | portal.anyideas.de | In the case of a certificate for an FQDN, this should correspond to the Common Name of the certificate. In the case of a wildcard certificate, the host name must correspond to the answer the client receives to its DNS query. |
| Portalpage Port: | 8085 | A port must be defined for the captive portal; the default can be changed. |
| Nodes: | wlan-0-network (wlan0) | In this field, select the network objects representing the networks that should be redirected to the landing page. |
| Terms of use: | Nutzungsbedingungen/Terms of Use | Your own terms of use have to be entered here. For liability reasons we cannot provide them; for the same reason we recommend consulting a lawyer. |



Nameserver

Menu → Applications → Nameserver, tab Zones
If the firewall name cannot be changed to an FQDN, for example because the UTM is used as an outgoing mail relay, the name server of the firewall must be used as well. In this example it is assumed that the firewall is the responsible DHCP server for the network of the captive portal and is set up as its primary DNS server.

Add Forward Zone

Button Add Forward Zone

The zone name to be assigned corresponds to the FQDN of the firewall, in the example portal.anyideas.de.
localhost is used as the host name of the name server.
The IP address field can be left empty.

  1. Zone Name: portal.anyideas.de
  2. Nameserver Hostname: localhost
  3. IP Address: can be left empty
Edit Forward Zone

Nameserver - A-Record with IP address

The following entry is added to the zone just created (button Add entry):

| Caption | Value | Description |
|---|---|---|
| Name: | portal.anyideas.de | FQDN of the firewall |
| Type: | A | A-Record |
| Value: | 192.168.100.1 | IP of the interface (here wlan0) |
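As an added example (not part of the wiki article and not Securepoint's own code), the following Python script checks the consistency the article requires between the certificate name (FQDN or wildcard), the Portalpage Hostname and the A record the client receives; the zone dictionary and the certificate names are constructed from the article's example values. It also shows which hostnames a wildcard certificate does not cover.

```python
"""Added example (not from the Securepoint wiki): check that the captive-portal
hostname, the certificate name and the DNS answer a client receives agree,
which is what the Portalpage Hostname setting and the A record above require.
Certificate names and the zone below are constructed sample data."""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Match a certificate name (CN or SAN dNSName) against a hostname.

    A wildcard is accepted only as the complete left-most label, it covers
    exactly one label, and the pattern needs at least two labels after it,
    so '*.anyideas.de' covers 'portal.anyideas.de' but neither 'anyideas.de'
    nor 'a.b.anyideas.de' (RFC 6125 style, as browsers apply it)."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in cert_name:
        return cert_labels == host_labels
    if cert_labels[0] != "*" or len(cert_labels) < 3 or "*" in cert_labels[1:]:
        return False
    return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]


def check_portal(cert_names, portal_hostname, zone, interface_ip):
    """Return the list of problems found (an empty list means the setup is consistent).

    cert_names:      names the certificate is valid for (CN plus SANs)
    portal_hostname: the 'Portalpage Hostname' setting
    zone:            {name: [addresses]} as the firewall's name server answers it
    interface_ip:    address of the interface that serves the landing page"""
    problems = []
    if not any(name_matches(n, portal_hostname) for n in cert_names):
        problems.append(f"certificate does not cover {portal_hostname}")
    answers = zone.get(portal_hostname.lower().rstrip("."), [])
    if not answers:
        problems.append(f"{portal_hostname} has no A record in the zone")
    elif interface_ip not in answers:
        problems.append(f"{portal_hostname} resolves to {answers}, not to {interface_ip}")
    return problems


# Constructed sample zone mirroring the article's example values.
ZONE = {"portal.anyideas.de": ["192.168.100.1"]}

if __name__ == "__main__":
    for names in (["portal.anyideas.de"], ["*.anyideas.de"], ["anyideas.de"]):
        print(names, check_portal(names, "portal.anyideas.de", ZONE, "192.168.100.1") or "OK")
```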



Transparent mode

HTTP Proxy - Transparent Proxy

Menu → Applications → HTTP-Proxy, tab Transparent mode
To access the Internet via the required HTTP proxy, at least one rule is necessary (HTTP), better two (additionally HTTPS).

Rule for HTTP (button Add transparent rule):

| Caption | Value |
|---|---|
| Protocol: | HTTP |
| Type: | include |
| Source: | wlan-0-network |
| Destination: | internet |

Save

To access https pages, SSL Interception must be set to On in the tab SSL Interception (this requires a CA certificate of the UTM, which the clients must trust for intercepted HTTPS pages to load without warnings). Then add a second transparent rule:

| Caption | Value |
|---|---|
| Protocol: | HTTPS |
| Type: | include |
| Source: | wlan-0-network |
| Destination: | internet |



Portfilter

Firewall - Portfilter IP

Two additional rules are required in the port filter:

Rule 1

| Caption | Value |
|---|---|
| Source: | captive_portal |
| Destination: | internet |
| Service: | default-internet |
| [–] NAT, Type: | HideNAT |
| Network object: | external-interface |

Add

Rule 2

| Caption | Value |
|---|---|
| Source: | wlan-0-network |
| Destination: | wlan-interface |
| Service: | proxy |

Add and close

Update Rules


Webfilter

Finally, the web filter should be configured: because traffic that goes through the proxy is not subject to the port filter rules, access to e.g. internal web servers would otherwise be possible.

With authentication

  1. → Firewall → Portfilter, tab Network objects, button Add group
    Create a group (e.g. grp_CP_webfilter) that contains the network object wlan-0-network
  2. → Applications → Webfilter, button Add profile
  3. Network or user group: grp_CP_webfilter (select the newly created group), Save
  4. Edit the newly generated rule record
    1. webserver.anyideas.de: URL of the (internal) server to which access via the captive portal should be blocked, Add URL
    2. Leave the action on block

Without authentication

  1. → Applications → Webfilter, button Add profile
  2. Select the user group
  3. Edit the newly generated rule record
    1. webserver.anyideas.de: URL of the (internal) server to which access via the captive portal should be blocked, Add URL
    2. Leave the action on block