This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
- Community
- RUCKUS Technologies
- RUCKUS Lennar Support
- Community Services
- RTF
- RTF Community
- Australia and New Zealand – English
- Brazil – Português
- China – 简体中文
- France – Français
- Germany – Deutsch
- Hong Kong – 繁體中文
- India – English
- Indonesia – bahasa Indonesia
- Italy – Italiano
- Japan – 日本語
- Korea – 한국어
- Latin America – Español (Latinoamérica)
- Middle East & Africa – English
- Netherlands – Nederlands
- Nordics – English
- North America – English
- Poland – polski
- Russia – Русский
- Singapore, Malaysia, and Philippines – English
- Spain – Español
- Taiwan – 繁體中文
- Thailand – ไทย
- Turkey – Türkçe
- United Kingdom – English
- EOL Products
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- RUCKUS Forums
- EOL Products
- ZD
- Do all Hotspot users see this ?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Do all Hotspot users see this ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-19-2019 12:34 PM
Hello, for those of you who are using the ZoneDirector 'Hotspot Services' feature:
- with my Hotspot setup, when users are redirected to the initial 'Login Page on my third party server - they logon and THEN they are very briefly redirected to:':9998
This throws an SSL error because understandably the client does not have the ZoneDirector root CA cert installed.
Do you guys also see this brief redirect to ':9998 ?
- with my Hotspot setup, when users are redirected to the initial 'Login Page on my third party server - they logon and THEN they are very briefly redirected to:'
This throws an SSL error because understandably the client does not have the ZoneDirector root CA cert installed.
Do you guys also see this brief redirect to '
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-19-2019 12:49 PM
Hi Philip,
This is the expected behavior for Hotspot services.
The Access Point sniffs incoming packets on Hotspot enabled WLAN/SSID and, if the client has not already authenticated, forwards any packets with https port 443 to the Zone director .
The Zone Director replies back with a http 302 re-direct message that is forwarded by the AP to the client browser indicating the location of the Hotspot login page. Since this message is https and is sent from the Zone Director it includes SSL encapsulation using the Zone Directors certificate. If the Zone Director Certificate is not signed by a Well Known Certficate Agency (CA) then the client device web server will warn the user that the page being sent was not verified.
To avoid this SSL error you need to upload a certificate to the Zone Director signed by a Well Known CA (the usual suspects) or upload the Zone Directors public key to all client devices.
I hope this answers your question.
Thanks for choosing Ruckus Networks.
This is the expected behavior for Hotspot services.
The Access Point sniffs incoming packets on Hotspot enabled WLAN/SSID and, if the client has not already authenticated, forwards any packets with https port 443 to the Zone director .
The Zone Director replies back with a http 302 re-direct message that is forwarded by the AP to the client browser indicating the location of the Hotspot login page. Since this message is https and is sent from the Zone Director it includes SSL encapsulation using the Zone Directors certificate. If the Zone Director Certificate is not signed by a Well Known Certficate Agency (CA) then the client device web server will warn the user that the page being sent was not verified.
To avoid this SSL error you need to upload a certificate to the Zone Director signed by a Well Known CA (the usual suspects) or upload the Zone Directors public key to all client devices.
I hope this answers your question.
Thanks for choosing Ruckus Networks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-19-2019 01:47 PM
See also: Certificate error when connecting to Guest or Captive portal WLAN
https://support.ruckuswireless.com/articles/000001638
https://support.ruckuswireless.com/articles/000001638
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-20-2019 04:21 PM
Hello, as per your recommendation, I have installed a 'Well Known Certficate Agency (CA)' signed certificate to resolve this issue.
As per expected behaviour, Hotspot users are redirected to the ZoneDirector, however the redirect still results in an SSL error stating that the URL does not match the CN of the ZD's certificate. This is because the redirect is using the ZoneDirector's IP address and not the fully qualified domain name
This seems contrary to information in the article:
https://support.ruckuswireless.com/articles/000001638:
'...After installing the CA signed SSL certificate on the Zonedirector, a common name(CN) (or) Fully qualified domain name(FQDN) will be associated with the Zonedirector. This requires accessing the web user-interface of the Zonedirector using this FQDN. Alternatively, we can also use the Subjective Alternative Name(SAN:IP/DNS) to access the Zonedirector. However, this depends on the information filled while generating the Certificate request from the Zonedirector
...As explained above, the corresponding FQDN will be used as default redirection page for Guest, captive portal (or) Zero-IT activation - authentication process.".
Potentially, I could add the IP address of the ZoneDirector to the public issued wildcard certificate as a SAN field to overcome this issue, but that is not possible because private IP addresses can not be added as SAN fields to public CA issued certificates.
What do you recommend i.e. how do other companies handle this situation ?
Thank you.
As per expected behaviour, Hotspot users are redirected to the ZoneDirector, however the redirect still results in an SSL error stating that the URL does not match the CN of the ZD's certificate. This is because the redirect is using the ZoneDirector's IP address and not the fully qualified domain name
This seems contrary to information in the article:
https://support.ruckuswireless.com/articles/000001638:
'...After installing the CA signed SSL certificate on the Zonedirector, a common name(CN) (or) Fully qualified domain name(FQDN) will be associated with the Zonedirector. This requires accessing the web user-interface of the Zonedirector using this FQDN. Alternatively, we can also use the Subjective Alternative Name(SAN:IP/DNS) to access the Zonedirector. However, this depends on the information filled while generating the Certificate request from the Zonedirector
...As explained above, the corresponding FQDN will be used as default redirection page for Guest, captive portal (or) Zero-IT activation - authentication process.".
Potentially, I could add the IP address of the ZoneDirector to the public issued wildcard certificate as a SAN field to overcome this issue, but that is not possible because private IP addresses can not be added as SAN fields to public CA issued certificates.
What do you recommend i.e. how do other companies handle this situation ?
Thank you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-22-2019 12:45 PM
Hello, how do other ZoneDirector hotspot users handle this issue ?
Any comments welcome. Thank you.
Any comments welcome. Thank you.
Labels
-
DHCP
1 -
IP lease
1 -
license snmp
1 -
Proposed Solution
1 -
Ruckus
1 -
server
1 -
VLAN
1 -
w
1 -
wap
1 -
zone director
1 -
ZoneDirector
1
