Now that browsers are enforcing this for HSTS-enabled websites, and this directly affects captive portal redirection, I am curious to find out how you are dealing with it.
As mentioned in another thread, I don't see how HSTS comes into play here. Redirecting HTTPS has always been problematic, I believe; HSTS just makes it harder.
[EDIT] Oh, I do see a scenario now: you go to your favorite website, which used to be HTTP-based but is now HTTPS with HSTS, is that it?
We first encountered this while testing, prior to rolling out our captive portal... Once a guest had connected to the SSID and opened up a browser, if the browser happened to be requesting an HTTPS site which was using HSTS, the captive portal would not appear. We were actually seeing cert errors where the client was trying to validate the site against our domain server cert. Try an HTTP site, and boom.. captive portal appeared.
Force of habit, we always try google.com when launching a browser, and couldn't understand why we were not getting the portal; the same also for yahoo.com. We thought the problem was with the controller not hijacking HTTPS sites properly - then we learned of the HSTS issue.
I've tried to add these known sites to the captive portal whitelist, but this hasn't helped, although I'm not seeing any traffic attempting to leave our firewall. I am thinking this may be down to the way the pre-auth role is working, so I need to do further testing. I don't even know if this will fix it... but worth a go, as until this issue is resolved by Aruba, I'm not sure we can roll this out...
Thanks for the clarification...
I had been told by Aruba TAC that they would be working on a way to make HSTS sites work with CP, but perhaps the person I was dealing with didn't fully understand the complexities of the issue, and as you say, it can't be managed by Aruba, so other mechanisms must be implemented. I had been advised to add them to the whitelist as a workaround. TAC had been looking into this issue for us for several weeks and I had had many remote sessions, and it was only when I referred back to a post on these forums about HSTS that they then confirmed this problem. Could have saved several weeks of to-ing and fro-ing if this had been mentioned first!
"What needs to happen here is that you need to let the devices behave the way they should, therefore with Apple, the CNA will appear, with Android there will be a popup that appears in the drawer at the top, for Windows laptops, you will see a bubble appear in the lower right-hand corner. With Chrome, if you navigate to an https enabled website and it detects a captive portal, a new tab is opened which redirects the user to something like gstatic.com which uses port 80 to trigger the captive portal."
Yes, any of these would be great, but none of this happens for us, so I need to look into why. Makes sense now why Windows devices were working!
Time for more testing!
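The detection mechanism quoted above, worked through in code. This is an added example, not code from the thread or from Aruba: it models the device's own plain-HTTP probe (the gstatic.com-style request on port 80), classifies the reply the way a captive-portal detector would, and shows why an HSTS-pinned homepage such as www.google.com can never trigger the portal, because the browser upgrades it to https:// before the request leaves. The "generate 204" and fixed-body "Success" probe expectations, the probe replies and the HSTS cache entries are all constructed sample data, not values taken from any vendor.

```python
# Added example (not from the thread or Aruba). Two pieces the thread discusses:
# 1. device-side probe classification: the OS/browser fetches a known plain-HTTP
#    URL and treats any reply other than the expected one as a captive portal;
# 2. the HSTS upgrade check: why an http:// navigation to an HSTS host never
#    reaches the controller as interceptable HTTP.
# Expected probe answers, replies and HSTS entries below are constructed.
import time
from urllib.parse import urlsplit

# Constructed expectations: a "generate 204" style probe and a fixed-body probe.
PROBE_EXPECT_204 = (204, b"")
PROBE_EXPECT_SUCCESS = (200, b"Success")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_probe(raw: bytes, expected=PROBE_EXPECT_204) -> str:
    """Classify a probe reply as a captive-portal detector would.

    "open"                 exactly the reply the real server sends
    "portal-redirect"      3xx with Location: the portal hijacked the request
    "portal-interception"  some other 200 page (portal served its own HTML)
    "blocked"              anything else (5xx, error page, ...)
    """
    status, headers, body = parse_http_response(raw)
    exp_status, exp_body = expected
    if status == exp_status and body.strip() == exp_body:
        return "open"
    if status in REDIRECT_CODES and "location" in headers:
        return "portal-redirect"
    if status == 200:
        return "portal-interception"
    return "blocked"


def browser_will_upgrade(url: str, hsts_cache: dict, now: float = None) -> bool:
    """True if a browser holding this HSTS cache rewrites http:// to https://.

    hsts_cache maps host -> (expiry unix time, includeSubDomains flag). Parent
    domains are consulted because an includeSubDomains entry for google.com
    also covers www.google.com; expired entries are ignored.
    """
    now = time.time() if now is None else now
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        entry = hsts_cache.get(".".join(labels[i:]))
        if entry is None:
            continue
        expiry, include_subdomains = entry
        if expiry <= now:
            continue
        if i == 0 or include_subdomains:
            return True
    return False


def portal_can_redirect(url: str, hsts_cache: dict, now: float = None) -> bool:
    """Whether a controller could answer this navigation with a portal redirect.

    Only a request that leaves the device as plain HTTP can be hijacked. An
    explicit https:// URL, or an http:// URL the browser upgrades under HSTS,
    arrives as TLS and the interception certificate fails validation instead
    (the cert errors described in the thread).
    """
    if urlsplit(url).scheme.lower() == "https":
        return False
    return not browser_will_upgrade(url, hsts_cache, now)


if __name__ == "__main__":
    # Constructed sample replies to a plain-HTTP probe.
    replies = {
        "real server": b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n",
        "portal": b"HTTP/1.1 302 Found\r\nLocation: https://portal.example/login\r\n\r\n",
        "portal HTML": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>",
    }
    for name, raw in replies.items():
        print(f"{name:12s} -> {classify_probe(raw)}")
    # Constructed HSTS cache: google.com with includeSubDomains, far-future expiry.
    cache = {"google.com": (2e9, True)}
    for url in ("http://www.google.com/", "http://example.org/", "https://example.org/"):
        print(f"{url:24s} portal can redirect: {portal_can_redirect(url, cache, now=1.7e9)}")
```

The practical point for the thread falls out of `portal_can_redirect`: whitelisting google.com changes nothing, because an http://www.google.com navigation never reaches the controller as an HTTP request that could be redirected. What does trigger the CNA, the Android notification or the Windows bubble is the device's own port-80 probe, which is exactly the request `classify_probe` is modelling.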
With a home page set to www.google.com (HSTS)
On iOS, when joining the Guest network the CNA doesn't appear; Safari just moans about no connection to the secure server, and Chrome does the same and complains about the connection not being private. In either case you can't carry on.
Android does the same as iOS, with no option to accept the error and continue.
Whilst the Windows devices work, depending of course on what OS/IE you have, the majority of users will be using iOS or Android... so at the moment this is a big stumbling block for us.
Whilst this does only affect devices that try to connect to an HSTS website upon connecting to the portal, which, unless your homepage is set to google.com or another HSTS site, could be a small number of users, it could be difficult to publicise information on what to do. We were simply hoping that people would either discover the Guest network, or staff could tell them if asked, without too much assistance.
Seems somewhat odd that this issue doesn't affect onboarding.. I can connect to the SSID and if I try to browse to google/yahoo (as previously tried on the Guest CP, which failed due to HSTS), the Onboarding portal kicks in... So why does this bit work, yet the Guest CP doesn't?
That is quite odd. Does your onboard page start on HTTPS?
Are you sure there isn't some caching happening or such?
The only way to be sure is to do some packet captures or save the HTTP information to check what happens.
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.