  1. #1
    Newbie
    Join Date
    Apr 2017
    Posts
    9

    Require certificate. Prohibit login when not detected | Not Working

    Hello,

    I am currently struggling with the Captive Portal and the "Require certificate. Prohibit login when not detected." options.

    Clients are successfully redirected to the Captive Portal page (usually!) and they can click on the continue link without any mention of not having the untangle certificate installed.

    The certificate has been regenerated and includes the IP addresses of the interfaces that clients will connect to.

    Here are some screenshots of how things are set up.

    • CA Certificate

    Screen Shot 2017-04-18 at 17.48.35.png

    • No certificate errors

    Screen Shot 2017-04-18 at 17.48.12.png

    • Option selected in Captive Portal app

    Screen Shot 2017-04-18 at 17.47.37.png

    • SSL Inspector settings

    Screen Shot 2017-04-18 at 17.57.24.png

    I have tried using an Android phone, a Mac and a Windows 10 machine. At no time is there any mention of not having the certificate installed, and when the "Continue" button is clicked, all devices can access the internet unimpeded, but of course they get certificate errors when visiting secure sites, as one would expect, as the certificate is not installed.

    I am sure it is something I am missing and not the fault of Untangle!

    I appreciate any help in resolving this issue.

    Thanks

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,132

    Interesting. Your config looks correct.

    What version? Do you see a warning about the cert missing or nothing at all on the capture page?
    Are you using a custom capture page?
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Apr 2017
    Posts
    9

    Hi, thanks for your help.

    Current version is 12.2.1

    On the capture page there is no mention, nothing whatsoever about the certificate.

    I am using the 'Basic message' option for the capture page.

    The only thing I have edited in relation to the capture page is the message. I have added some HTML to space the message out nicely, perhaps the added HTML is causing an issue. I will remove it and try again.

  4. #4
    Newbie
    Join Date
    Apr 2017
    Posts
    9

    I just stripped out the HTML from the capture page message and it made no difference.

    One odd thing: 9 times out of 10 the captive portal will do what it's supposed to do and redirect to the capture page. On occasion it will allow a client to visit websites without clicking the 'continue' button if they open another tab or a different browser.

    Also, if I visit https://www.amazon.co.uk directly, the capture page does not show at all and the Amazon website will load without issues, and without a certificate error.

    I am no expert, but something isn't right!

  5. #5
    Newbie
    Join Date
    Apr 2017
    Posts
    9

    Maybe it's my network topology causing the problem?

    Currently I have Untangle installed in a VM running on an ESXi host.

    My main network is a Unifi network, a USG Pro, a 24 port Unifi switch, and three Unifi Access Points.

    I have two VLANs on the Unifi network, VLAN 1 and VLAN 200.

    VLAN 1 is my management LAN and is 10.0.1.1/24
    VLAN 200 is for the students I have staying in my accommodation and it's on 192.168.200.1/24

    Untangle's External Interface is on 10.0.1.34 (assigned by the USG)
    Untangle's Internal Interface is on 192.168.200.1 (this is the VLAN 200 tagged interface)

    On the ESXi host, the port group that is assigned to Untangle's Internal Interface has a VLAN tag of 4095 to allow the VLAN tag all the way to the VM, in this case, Untangle.

    I have created a Tagged VLAN Interface on Untangle's Internal Interface with a VLAN tag of 200.

    In the Unifi controller I have assigned the VLAN 200 tag to both the SSID and the switch ports that Untangle's Internal Interface connects to. The switch ports that the APs are connected to have 'All' networks enabled on them.

    As far as I can tell the VLAN side of things is working just fine. Clients that connect to the SSID with the VLAN tag of 200 are getting an IP from Untangle's DHCP server, and any client that is connected to a switch port with the VLAN 200 tag is also assigned an IP by Untangle.

    Here is an output of a traceroute from a device connected via ethernet on a VLAN 200 tagged switch port.

    Screen Shot 2017-04-18 at 20.11.22.png

    I would have expected to see the IP of Untangle's External Interface (10.0.1.34) instead of the USG's IP (10.0.1.1) at route number 2.

    Perhaps some of my traffic is bypassing Untangle and using the USG instead?

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,132

    Are you seeing the capture page?

    The certificate detection is all within that page.
    It tries to load an https image using the cert; if it fails to load that image then the cert isn't installed.
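The detection described in the post above (load an image over HTTPS and treat a failed load as "certificate not installed") can be sketched as follows. This is an added example, not part of the thread and not Untangle's code; the function names, the mode values ("ignore", "warn", "require"), the element id and the probe URL are assumptions made for illustration.

```javascript
// Added illustration: names, URL and mode values are assumptions, not Untangle's code.

// Try to fetch a small image from the gateway over HTTPS. ImageCtor is the
// browser's Image in a page; it is a parameter so the logic can run elsewhere.
function probeCertificate(probeUrl, ImageCtor, onResult, timeoutMs = 5000) {
  let done = false;
  let timer = null;
  const finish = (trusted, reason) => {
    if (done) return; // report exactly once, whichever event fires first
    done = true;
    clearTimeout(timer);
    onResult({ trusted, reason });
  };
  const img = new ImageCtor();
  img.onload = () => finish(true, "probe image loaded over HTTPS");
  // An untrusted issuer or a name mismatch both surface only as a generic
  // error event; the page cannot tell them apart.
  img.onerror = () => finish(false, "probe image failed to load");
  // A blocked or dropped connection may fire neither event, so fail closed.
  timer = setTimeout(() => finish(false, "probe timed out"), timeoutMs);
  // Cache-buster: a copy cached from an earlier visit must not satisfy the probe.
  const sep = probeUrl.includes("?") ? "&" : "?";
  img.src = probeUrl + sep + "nocache=" + Date.now();
}

// Map the probe result onto the portal option. Unknown modes behave as "require".
function loginDecision(mode, trusted) {
  if (trusted || mode === "ignore") return { allowContinue: true, warning: "" };
  if (mode === "warn") {
    return { allowContinue: true, warning: "Root certificate not detected." };
  }
  return { allowContinue: false, warning: "Install the root certificate to log in." };
}

// Browser usage (constructed address from the documentation range):
// probeCertificate("https://192.0.2.1/probe.png", Image, (r) => {
//   const d = loginDecision("require", r.trusted);
//   document.getElementById("continue").disabled = !d.allowContinue;
// });
```

The probe URL has to use a host name or IP address that the server certificate covers, otherwise the image fails to load even on a client that has the CA certificate installed.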

  7. #7
    Newbie
    Join Date
    Apr 2017
    Posts
    9

    Originally Posted by dmorris:
    "Are you seeing the capture page?

    The certificate detection is all within that page.
    It tries to load an https image using the cert; if it fails to load that image then the cert isn't installed."

    Yes, I am seeing the capture page.

    This is what it looks like.

    Screen Shot 2017-04-19 at 13.47.27.png

    I have just set up a fresh install of Untangle on a spare box I have, no ESXi involved.

    Generated new CA Certificate and new Server certificate to match the interfaces.

    Still no warnings about a certificate being installed.

    This is how the certificates have been configured.

    • CA Certificate

    Screen Shot 2017-04-19 at 13.53.10.png


    • Server Certificate

    Screen Shot 2017-04-19 at 13.53.25.png

    Screen Shot 2017-04-19 at 13.57.24.png


    With the CA Certificate, does the Common Name need to also include the External and Internal interface IP addresses, like the server certificate does, or just the host name?

    Thanks again for your help with this

  8. #8
    Newbie
    Join Date
    Apr 2017
    Posts
    9

    Any ideas with this, anyone?

    This feature is pretty much required to work for the way I need to use Untangle.

  9. #9
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,132

    I get the same thing with that page. I opened a ticket to see what the engineers think.

  10. #10
    Newbie
    Join Date
    Apr 2017
    Posts
    9

    Well, that's kind of a relief!

    I thought I was doing something wrong!

    Hopefully it will be an easy fix.
