topic Re: Captive Portal for more than one security zone in General Topics

Captive Portal for more than one security zone

_slv_ — Sat, 06 Apr 2013 09:34:28 GMT

Few months ago I sucessfully configured CaptivePortal (in redirect mode) with SSL certyficate from StartSSL for one of my local network connected to PA200.

Now I need to do the same for another local network, but on PAN I can only make one CP configuration, with one SSL cert.

I have SSL cert for host cp1.mydomain.com. This dns entry pointing to 192.168.110.1 that is a gateway for network where I have CP.

Until now evertything is clear for me, but when I enable CP to another network (with 192.168.30.1 gateway) its working too - why?

My networks are in separate security zones without policy that could enable traffic beetwen this zones/network.

So I tryed to put cp1.mydomain.com to one of my public IP (not used at the moment) but reachable from PAN. I changed entry in DNS, but its broken CP because users cant get CP webpage because this public IP isnt reachable without authenticate.

My CP looks like:

and Security Policy:

and hear I'm not sure that this configuration is optimal and made according to best practices.

I'd like to block p2p traffic, let DNS and ping and let all authenticated users access to internet.

I forgot .. I have one samll issue with SSL cert. Evertytime I started browser (ie. IE7) I get warning that browser has't information about cert issuer. Similar problem is described

but I have cert from StartSSL. Where I can find IPs that I need to add to be reachable without CP policy?

I searched this community, read How to Configure Captive Portal.pdf but I cant find information about CP for two networks.

Please help me in such configuration.

With regards

Slawek

Re: Captive Portal for more than one security zone

_slv_ — Tue, 09 Apr 2013 12:18:54 GMT

Noone has any sugegstion for me?

Re: Captive Portal for more than one security zone

HITSSEC — Tue, 09 Apr 2013 15:41:55 GMT

Does your interface allow https Response pages?

Phil

Re: Captive Portal for more than one security zone

_slv_ — Tue, 09 Apr 2013 16:35:22 GMT

yes, I have exactly the same config.

In my opinion cert warning is because web browser cant verify ssl cert issuer. But how (or where) to find list of server that I need to exclude from CP roule - I don't know.

Re: Captive Portal for more than one security zone

HITSSEC — Tue, 09 Apr 2013 16:51:55 GMT

We use a cert issued by a public certificate authority. Certificate revocation checks to local domains could be the issue? If you use a commercial cert then just watch the log traffic for the CRL check and add that as an allowed destination.

Re: Captive Portal for more than one security zone

_slv_ — Thu, 11 Apr 2013 07:44:37 GMT

I using public certificate too. I'm using free StartSSL certs.

I tryed to find such informations from logs but I havnt such connections in log from this particular zone to Untrust zone.

I catched interesting screen shoot:

As you can see, IE is trying to connect to 192.168.110.1 - this is because cp1.mydomain.com is pointing to it. This computer has 192.168.3.38 IP at the moment, and is UNABLE to communicate to 192.168.110.1 (for security reason, 192.168.3.x must only have access to untrust or 192.168.3.1 because it's a getaway from PAN).

Re: Captive Portal for more than one security zone

HITSSEC — Fri, 12 Apr 2013 01:32:08 GMT

slv

The web browser may not have a root cert. Check like this:

The other issue may be the certification revocation check.

Phil

Re: Captive Portal for more than one security zone

_slv_ — Fri, 12 Apr 2013 06:43:11 GMT

Hitssec

I know that one way is to have root cert in local Cert store, but he second way is to give to browser information abaout intermidiate cert StartSSL™ Certificates & Public Key Infrastructure

Also IE uses windows cert store, but FF uses their own store so I prefer to make universal solution ("glue" cert with intermidiate cert).

I havent ability to put root cert into personal computer of my students.

On Windows IE6 complaining about ability to verify root cer, on the same computer FF 20.1 doesnt. Latest (but maybe not the last) FF on Linux complaining too.

The same complaining is from 192.168.3.x as from 192.168.110.x network

Re: Captive Portal for more than one security zone

HITSSEC — Sat, 13 Apr 2013 14:42:43 GMT

Slv,

Since I can't read the warning message you posted (I only read english - sorry) there are only three possible causes:

Wrong cert being used

Private cert - not being able to validate

Public cert - not being able to validate

Public certs should be able to be validated (may need to select optional updates via windows update to get the root certs on the client. The outher option is to tell them to accept the cert warning.

Sorry if I can't help you more but I think you are on the right path. You can always put a call into support and they can assist.

Phil

Re: Captive Portal for more than one security zone

_slv_ — Mon, 15 Apr 2013 07:43:18 GMT

You where right, problem with this warning is connected to root cert. After updating root cert store with latest package IE doenst show warning message.

Lets back to main question.

- on which one IP I should setup Captive Portal, from which zone? I need to use CP for 3 zones.

- do my security policy are correct?

With regards

Slawek

Re: Captive Portal for more than one security zone

HITSSEC — Mon, 15 Apr 2013 19:29:55 GMT

You can apply Captive portal on any and all zones that you wish. Captive config says go to the redirect host identified.

The Captive portal rules determine what traffic patterns will trigger a Captive portal redirection. See the below image:

I hope this helps. Within the rule set you can exclude traffic patterns from being captive portal redirected.

Phil