Wireless Water Cooler

MVP
Posts: 1,399
Registered: 10-25-2011

How are you all dealing with HSTS?

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

http://www.chromium.org/hsts

Now that browsers are enforcing this for HSTS-enabled websites, and this directly affects captive portal redirection, I am curious to find out how you are dealing with it.

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
MVP
Posts: 1,399
Registered: 10-25-2011

Re: How are you all dealing with HSTS?

No one uses captive portals?? :)
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
MVP
Posts: 1,392
Registered: 11-30-2011

Re: How are you all dealing with HSTS?

As mentioned in another thread, I don't see how HSTS comes into play here. Redirecting HTTPS has always been problematic, I believe; HSTS just makes it harder.

[EDIT] Oh, I do see a scenario now: you go to your favorite website, which used to be HTTP-based but is now HTTPS with HSTS, is that it?

Regular Contributor I
Posts: 182
Registered: 03-22-2013

Re: How are you all dealing with HSTS?

We first encountered this while testing, prior to rolling out our captive portal... Once a guest had connected to the SSID and opened a browser, if the browser happened to be requesting an HTTPS site which was using HSTS, the captive portal would not appear. We were actually seeing cert errors where the client was trying to validate the site against our domain server cert. Try an HTTP site, and boom... captive portal appeared.

Force of habit, we always try google.com when launching a browser, and couldn't understand why we were not getting the portal, the same also for yahoo.com, and thought the problem was with the controller not hijacking HTTPS sites properly; then we learned of the HSTS issue.

I've tried to add these known sites to the captive portal whitelist, but this hasn't helped, although I'm not seeing any traffic attempting to leave our firewall, but am thinking this may be down to the way the pre-auth role is working, so I need to do further testing. I don't even know if this will fix it... but worth a go, as until this issue is resolved by Aruba, I'm not sure we can roll this out...

MVP
Posts: 1,399
Registered: 10-25-2011

Re: How are you all dealing with HSTS?

This is not an Aruba issue, unfortunately this is the way it is. We are also struggling with this and you cannot hijack the https request and deliver a captive portal. You can but that would be illegal I believe.

What needs to happen here is that you need to let the devices behave the way they should, therefore with Apple, the CNA will appear, with Android there will be a popup that appears in the drawer at the top, for Windows laptops, you will see a bubble appear in the lower right hand corner. With Chrome, if you navigate to an https enabled website and it detects a captive portal, a new tab is opened which redirects the user to something like gstatic.com which uses port 80 to trigger the captive portal.

These mechanisms are available to users so they must be taught and educated to use them and not dismiss them.

If you add sites to a whitelist you are simply masking the problem.

Each browser behaves differently and either uses the HSTS list or does not, but HTTPS redirect is the same for all: you will get a certificate error.
For example, IE 11 on Windows 7 does not implement the HSTS list, therefore if you navigate to www.facebook.com, you will get a certificate error and you will be allowed to proceed. With Chrome, you will not.
Windows 10 changes that for IE.

I hope this helps in your understanding.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
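Added example, not from this thread and not Aruba's code: a small Python model of the browser-side HSTS store that shows the behaviour described above. Once a host is in the store, the browser rewrites http:// to https:// before sending anything, so the controller's port-80 intercept never sees the request and all it can return is a certificate error, while a plain-HTTP probe (the gstatic.com-style check mentioned above) is still intercepted. The HstsCache class, the portal_outcome helper and the probe hostname are constructed for illustration.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

MAX_AGE_RE = re.compile(r"max-age=(\d+)", re.IGNORECASE)


class HstsCache:
    """Simplified browser HSTS store (RFC 6797 semantics): host -> (expiry, includeSubDomains)."""

    def __init__(self):
        self._policies = {}

    def learn(self, host, header_value, now=None):
        """Record a Strict-Transport-Security header the browser received over HTTPS."""
        m = MAX_AGE_RE.search(header_value)
        if not m:
            return
        now = time.time() if now is None else now
        max_age = int(m.group(1))
        host = host.lower()
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self._policies.pop(host, None)
            return
        include_sub = "includesubdomains" in header_value.lower()
        self._policies[host] = (now + max_age, include_sub)

    def is_known(self, host, now=None):
        """True if host (or a parent domain with includeSubDomains) has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            pol = self._policies.get(".".join(labels[i:]))
            if pol and pol[0] > now and (i == 0 or pol[1]):
                return True
        return False

    def upgrade(self, url, now=None):
        """Rewrite http:// to https:// before any request leaves, as an HSTS-aware browser does."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or "", now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def portal_outcome(cache, url, now=None):
    """Constructed network model: the portal only intercepts plaintext port-80 requests."""
    if cache.upgrade(url, now).startswith("https://"):
        return "tls_error"  # portal answers TLS with its own cert: cert error, no redirect possible
    return "portal_redirect"  # HTTP 302 to the login page
```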
Regular Contributor I
Posts: 182
Registered: 03-22-2013

Re: How are you all dealing with HSTS?

Thanks for the clarification...

I had been told by Aruba TAC that they would be working on a way to make HSTS sites work with CP, but perhaps the person I was dealing with didn't fully understand the complexities of the issue, and as you say, it can't be managed by Aruba, so other mechanisms must be implemented. I had been advised to whitelist them as a workaround. TAC had been looking into this issue for us for several weeks and I had had many remote sessions, and it was only when I referred back to a post on these forums about HSTS that they confirmed this problem. Could have saved several weeks of to-ing and fro-ing if this had been mentioned first!

"What needs to happen here is that you need to let the devices behave the way they should, therefore with Apple, the CNA will appear, with Android there will be a popup that appears in the drawer at the top, for Windows laptops, you will see a bubble appear in the lower right hand corner. With Chrome, if you navigate to an https enabled website and it detects a captive portal, a new tab is opened which redirects the user to something like gstatic.com which uses port 80 to trigger the captive portal."

Yes, any of these would be great, but none of this happens for us, so I need to look into why. Makes sense now why Windows devices were working!

Time for more testing!

With a home page set to www.google.com (HSTS):

On iOS, when joining the Guest network the CNA doesn't appear; Safari just moans about no connection to the secure server, and Chrome does the same and complains about the connection not being private. In either case you can't carry on.

Android does the same as iOS, with no option to accept the error and continue.

Whilst the Windows devices work, depending of course on what OS/IE you have, the majority of users will be using iOS or Android... so at the moment, this is a big stumbling block for us.

Whilst this only affects devices that try to connect to an HSTS website upon connecting to the portal, which, unless your homepage is set to google.com or another HSTS site, could be a small number of users, it could be difficult to publicise information on what to do. We were simply hoping that people would either discover the Guest network, or staff could tell them if asked, without too much assistance.

Cheers


Regular Contributor I
Posts: 182
Registered: 03-22-2013

Re: How are you all dealing with HSTS?

Seems somewhat odd that this issue doesn't affect onboarding... I can connect to the SSID and if I try to browse to google/yahoo (as previously tried on the Guest CP, which failed due to HSTS), the Onboarding portal kicks in... So why does this bit work, yet the Guest CP doesn't?

MVP
Posts: 1,392
Registered: 11-30-2011

Re: How are you all dealing with HSTS?

That is quite odd; does your onboard page start on https?

Are you sure there isn't some caching happening or such?

The only way to be sure is to do some packet captures or save the HTTP information to check what happens.
