https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4657570#M244514 <P>Hello,<BR />I'm using the Cisco Catalyst 9800-CL Wireless Controller, with Web Auth and captive portal. The captive portal is hosted on an external server, within my network, with https.</P><P>on some devices, when I try to access the internet, I am redirected to the captive portal, using https, as it should.<BR />However, in some cases I am redirected to portals like detectportal.firefox and gstatic.com (depending on browser) , which use http (no security).<BR />Is there any way to force the use of the correct portal, ie the portal with https?</P><P>Thank you in advance for your help</P> Tue, 26 Jul 2022 13:21:19 GMT Bolivar 2022-07-26T13:21:19Z https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4657570#M244514 <P>Hello,<BR />I'm using the Cisco Catalyst 9800-CL Wireless Controller, with Web Auth and captive portal. The captive portal is hosted on an external server, within my network, with https.</P><P>on some devices, when I try to access the internet, I am redirected to the captive portal, using https, as it should.<BR />However, in some cases I am redirected to portals like detectportal.firefox and gstatic.com (depending on browser) , which use http (no security).<BR />Is there any way to force the use of the correct portal, ie the portal with https?</P><P>Thank you in advance for your help</P> Tue, 26 Jul 2022 13:21:19 GMT https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4657570#M244514 Bolivar 2022-07-26T13:21:19Z https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4657598#M244516 <P>&nbsp;</P> <P>&nbsp;- For starters have a&nbsp;<SPAN>&nbsp; r</SPAN>eview the 9800-CL&nbsp; configuration with the CLI command :<SPAN>&nbsp;</SPAN><FONT color="#008000">show&nbsp; tech<STRONG><U><SPAN>&nbsp;</SPAN>wireless</U></STRONG></FONT><SPAN>&nbsp;</SPAN>, have the output <STRONG>analyzed</STRONG> by&nbsp;<SPAN>&nbsp;</SPAN><A href="https://cway.cisco.com/tools/WirelessAnalyzer/" target="_blank" rel="noopener nofollow noreferrer" data-saferedirecturl="https://www.google.com/url?q=https://cway.cisco.com/tools/WirelessAnalyzer/&amp;source=gmail&amp;ust=1658930767336000&amp;usg=AOvVaw33eA07Gq5hsb-7UR4xuchX">https://cway.cisco.com/<WBR />tools/WirelessAnalyzer/</A>&nbsp; , please note do not use classical<FONT color="#FF0000"><SPAN>&nbsp;</SPAN>show tech-support</FONT><SPAN>&nbsp;</SPAN>(short version) , use the command denoted in green for Wireless Analyzer</P> <P>&nbsp;M.</P> Tue, 26 Jul 2022 14:07:08 GMT https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4657598#M244516 Mark Elsen 2022-07-26T14:07:08Z https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4657668#M244526 <P>Thanks for the tip. I found and fixed some bugs, as well as adjusting some best practice tips.<BR />However, nothing related to the problem I'm facing</P> Tue, 26 Jul 2022 15:44:02 GMT https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4657668#M244526 Bolivar 2022-07-26T15:44:02Z https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4657685#M244529 <P>&nbsp;</P> <P>&nbsp; &nbsp;- Make sure the destination portal offers (secure) http<U><STRONG><FONT color="#008000">s</FONT></STRONG></U>&nbsp; access as default , and or disable<FONT color="#FF0000"> simple http</FONT> access (<EM>if configured)</EM></P> <P>&nbsp;M.</P> Tue, 26 Jul 2022 16:19:52 GMT https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4657685#M244529 Mark Elsen 2022-07-26T16:19:52Z https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4657702#M244530 <P>The external captive portal page is configured to operate with https. It is an apache server. That part is working without problems.</P><P>I noticed that the problem occurs in two cases:</P><P><BR />1st when the captive portal "default" (detectportal.firefox or gstatic.com) is opened in the browser, with http;</P><P><BR />2nd when the user tries to access a website with https, before authentication. In this case, the request is forwarded to Cisco's default captive portal, from wlc controller, without https.</P><P>When trying to access any website that uses http, I am correctly redirected to the secure captive portal (external with https)</P><P>Here at the institution, we have a WLC 5500 series, which works correctly for all cases. Besides the version, another difference is that the older wireless cisco controller is physical while the new one (wlc 9800) is virtualized (KVM).</P> Tue, 26 Jul 2022 17:01:37 GMT https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4657702#M244530 Bolivar 2022-07-26T17:01:37Z https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4658691#M244573 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1355998">@Bolivar</a>&nbsp;please clarify?<BR />You say it does NOT work for <STRONG>http</STRONG> captive portal requests to&nbsp;<SPAN>detectportal.firefox or gstatic.com but then you say "When trying to access any website that uses <STRONG>http</STRONG>, <STRONG>I am correctly redirected</STRONG> to the secure captive portal (external with https)" which contradicts that!<BR />Is your apache server using a valid public certificate with matching fully qualified domain name?<BR />Does your WLC also have a valid DNS name and cert installed?</SPAN></P> <P><SPAN>Note that http URLs for captive portal detection and redirection are the ONLY way to reliably trigger a captive portal redirection without security/cert warnings or outright failure as some OS/browsers will now block invalid https redirects altogether without any warning.&nbsp; That is the industry standard now, used by all major browsers and OS on all devices.&nbsp; Trying to block that will break the service or at least make it a horrible experience for most users.</SPAN></P> Wed, 27 Jul 2022 16:48:47 GMT https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4658691#M244573 Rich R 2022-07-27T16:48:47Z https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4658807#M244582 <P>Thanks for your reply.</P><P>"Is your apache server using a valid public certificate with matching fully qualified domain name?"<BR />Yes, the certificate was signed by the same CA of other services that we already use in the institution.</P><P>"Does your WLC also have a valid DNS name and cert installed?"<BR />Yup. Registered in the institutional DNS server</P><P>When I try to access an http page, I am correctly redirected to the captive secure portal page. On the other hand, in some cases, where the access attempt (before authentication) is performed through a website with https (example: <A href="https://www.google.com" target="_blank">https://www.google.com</A>), I am redirected to detectportal.firefox or gstatic.com .</P><P>To work around this problem, I added a static page, which has the sole purpose of forcing redirection to another page with http. On the other hand, when being redirected to a non-secure page (with http) the WLC manages to redirect me to the correct captive portal (with https).</P><P>Here in Brazil, we call this type of procedure a "gambiarra". I believe in English it's "jerry-rig"</P> Wed, 27 Jul 2022 21:30:33 GMT https://community.cisco.com/t5/wireless/wlc-9800-detectportal-firefox-and-gstatic-com-without-https/m-p/4658807#M244582 Bolivar 2022-07-27T21:30:33Z