Hello, for those of you who are using the ZoneDirector 'Hotspot Services' feature:
- with my Hotspot setup, when users are redirected to the initial 'Login Page' on my third-party server, they log on and THEN they are very briefly redirected to ':9998'. This throws an SSL error because, understandably, the client does not have the ZoneDirector root CA cert installed. Do you guys also see this brief redirect to ':9998'?
This is the expected behavior for Hotspot services.
The Access Point sniffs incoming packets on the Hotspot-enabled WLAN/SSID and, if the client has not already authenticated, forwards any packets with https port 443 to the Zone Director.
The Zone Director replies back with an http 302 redirect message that is forwarded by the AP to the client browser indicating the location of the Hotspot login page. Since this message is https and is sent from the Zone Director, it includes SSL encapsulation using the Zone Director's certificate. If the Zone Director certificate is not signed by a Well Known Certificate Agency (CA), then the client device web server will warn the user that the page being sent was not verified.
To avoid this SSL error you need to upload a certificate to the Zone Director signed by a Well Known CA (the usual suspects) or upload the Zone Director's public key to all client devices.
Hello, as per your recommendation, I have installed a 'Well Known Certificate Agency (CA)' signed certificate to resolve this issue. As per expected behaviour, Hotspot users are redirected to the ZoneDirector; however, the redirect still results in an SSL error stating that the URL does not match the CN of the ZD's certificate. This is because the redirect is using the ZoneDirector's IP address and not the fully qualified domain name. This seems contrary to the information in the article:
https://support.ruckuswireless.com/articles/000001638: '...After installing the CA signed SSL certificate on the Zonedirector, a common name(CN) (or) Fully qualified domain name(FQDN) will be associated with the Zonedirector. This requires accessing the web user-interface of the Zonedirector using this FQDN. Alternatively, we can also use the Subjective Alternative Name(SAN:IP/DNS) to access the Zonedirector. However, this depends on the information filled while generating the Certificate request from the Zonedirector ...As explained above, the corresponding FQDN will be used as default redirection page for Guest, captive portal (or) Zero-IT activation - authentication process.'
Potentially, I could add the IP address of the ZoneDirector to the public issued wildcard certificate as a SAN field to overcome this issue, but that is not possible because private IP addresses can not be added as SAN fields to public CA issued certificates.
What do you recommend, i.e. how do other companies handle this situation?
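The mismatch described in the last two posts (a CA-signed certificate that is valid for the FQDN, but a redirect that names the controller's private IP) can be reproduced offline with the same name-matching rules a browser applies. The following is an added example, not code from this thread or from Ruckus. It evaluates a redirect `Location` URL against a certificate in the dict shape Python's `ssl` module returns from `getpeercert()`; the hostname `zd.example.com`, the wildcard `*.example.com` and the address `10.0.0.5` are constructed sample values, while port 9998 is the redirect port mentioned above. A second function, `probe()`, performs the same check live against a reachable host using the system trust store, so it reports both "untrusted CA" and "hostname mismatch" outcomes the way the client would see them.

```python
"""Check whether a captive-portal redirect target would pass browser
hostname validation against a given certificate (added example)."""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Constructed certificate: CN and DNS SANs only, as a public CA would issue it.
ZD_CERT = {
    "subject": ((("commonName", "zd.example.com"),),),
    "subjectAltName": (("DNS", "zd.example.com"), ("DNS", "*.example.com")),
}

# Constructed variant with a private IP SAN; public CAs will not issue this,
# but a private/internal CA could, which is why the check distinguishes it.
ZD_CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "zd.example.com"),),),
    "subjectAltName": (("DNS", "zd.example.com"), ("IP Address", "10.0.0.5")),
}


def _dns_matches(pattern, host):
    """RFC 6125-style match: a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '.example.com'
        return host.endswith(suffix) and host.count(".") == pattern.count(".")
    return pattern == host


def cert_matches_host(cert, host):
    """True if `host` (DNS name or IP literal) is covered by the certificate.

    IP literals only match an 'IP Address' SAN; DNS names match DNS SANs,
    falling back to the CN only when the certificate carries no DNS SANs
    (modern browsers ignore the CN entirely once any SAN is present).
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        return any(_dns_matches(p, host) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName" and _dns_matches(v, host):
                return True
    return False


def check_redirect(cert, location):
    """Return (host, matches) for the host named in a 302 Location URL."""
    host = urlsplit(location).hostname
    return host, cert_matches_host(cert, host)


def probe(host, port=9998, timeout=5):
    """Live check: connect like a browser (system trust store + hostname
    verification) and describe the outcome. Not used by the offline demo."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok: subject=%r" % (tls.getpeercert().get("subject"),)
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get local issuer certificate" (untrusted CA) or
        # "Hostname mismatch, certificate is not valid for '10.0.0.5'"
        return "verify failed: " + exc.verify_message


if __name__ == "__main__":
    for cert_name, cert in (("public CA cert", ZD_CERT),
                            ("cert with IP SAN", ZD_CERT_WITH_IP_SAN)):
        for loc in ("https://10.0.0.5:9998/", "https://zd.example.com:9998/"):
            host, ok = check_redirect(cert, loc)
            print("%-17s redirect to %-16s -> %s" %
                  (cert_name, host, "match" if ok else "MISMATCH"))
```

The offline run shows the practical options the thread converges on: either the controller must redirect to a name covered by the certificate (the FQDN), or the certificate must carry the IP as a SAN, which for a private address means an internal CA whose root is installed on the clients.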