David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Hotspot redirect does not work when using HTTPS

Thu Jul 14, 2016 9:52 am

Why?
I understand that the hotspot "stops" this,
but is there any way to redirect all traffic before connecting to the hotspot from port 443 to port 80,
so it will give the users the login page?

I see there is a rule the hotspot creates:
chain=hotspot protocol=tcp Dst. Port=443 hotspot=local-dst action=redirect To-ports=64875
but when I try to enter by https, I don't see any packets; the counter stays at 0.
So what can I do?
Thanks,
 
agnostic
Frequent Visitor
Posts: 61
Joined: Fri Mar 21, 2014 8:23 pm

Re: Hotspot redirect does not work when using HTTPS

Thu Jul 14, 2016 12:40 pm

First of all you need to create a self-signed certificate from the System->Certificates menu (search the forum for how to create one), then you need to enable hotspot https login by Ip->Hotspot->Server profiles->{your profile}->Login, check https, and below select the self-signed certificate you just made.
Congratulations, you can now access the hotspot by https and redirect from any visited page (https), but with a nasty browser warning, because that's the way it works. There is no other way, and redirecting to http doesn't work either. No browser allows it any more.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: Hotspot redirect does not work when using HTTPS

Thu Jul 14, 2016 1:01 pm

Do I have to do everything it says here - http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates

This is what I did:
/certificate add name=tamplate common-name=myCa key-usage=key-cert-sign,crl-sign
/certificate sign tamplate ca-crl-host=192.168.100.254 name=myCa                
/certificate set myCa trusted=yes
/certificate export-certificate myCa 
/certificate print                
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 #          NAME                            COMMON-NAME                          SUBJECT-ALT-NAME                                                       FINGERPRINT                         
 0 K L A  T myCa                            myCa                                                                                                        3cd7b4a08bc9ff9c4b7e0f2......
 1   name="hsprof1" hotspot-address=192.168.100.254 dns-name="David.Test" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=https,http-pap 

     ssl-certificate=myCa split-user-domain=no use-radius=no 

And when I try, I get the error
"the connection is not private"
NET:ERR_CERT_AUTHORITY_INVALID
and it doesn't give an option to continue.
What do I need to do now?

Thanks,
 
agnostic
Frequent Visitor
Posts: 61
Joined: Fri Mar 21, 2014 8:23 pm

Re: Hotspot redirect does not work when using HTTPS

Thu Jul 14, 2016 1:19 pm

Unfortunately all browsers have hardened https mismatches and won't allow continuing to sites. The best way is to disable https login, and then the redirect will only work without the https prefix in the browser. On Windows 7 and newer, connecting to hotspots will trigger a popup informing you that you must provide additional details to connect to the network, and sometimes the default browser pops up automatically to log in, but for this to work your browser start page must not be https, so it will redirect instantly to the hotspot login without a problem. If you have clients for your hotspot, instruct them to change their browser start page to http instead of https.
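
Added example, not part of any post in this thread and not MikroTik code: a plain-HTTP connectivity probe of the kind that produces the "additional details" popup described above, run against two constructed local simulators (a hotspot that answers with a 302 to its login page, and an open network). The login URL path, the `/probe` path and the expected 204 status are assumptions; only the address 192.168.100.254 comes from the thread. The same 302 cannot be delivered for an https request unless the hotspot presents a certificate the browser accepts for the requested host name.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed login URL; 192.168.100.254 is the hotspot-address posted in the thread.
LOGIN_URL = "http://192.168.100.254/login"
PROBE_PATH = "/probe"  # hypothetical probe path, not a real OS endpoint

class QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the simulators silent
        pass

class HotspotSim(QuietHandler):
    """Constructed hotspot: any unauthenticated HTTP GET is sent to the login page."""
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", LOGIN_URL + "?dst=" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

class OpenNetSim(QuietHandler):
    """Constructed open network: the probe receives the answer it expects."""
    def do_GET(self):
        self.send_response(204)
        self.end_headers()

def classify_probe(host, port, expected_status=204):
    """Send one plain-HTTP probe without following redirects and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", PROBE_PATH)
        resp = conn.getresponse()
        resp.read()
        if resp.status == expected_status:
            return ("open", None)
        if resp.status in (301, 302, 303, 307, 308):
            return ("captive", resp.getheader("Location"))
        return ("unknown", None)
    finally:
        conn.close()

def run_sim(handler):
    # Start a simulator on a free localhost port, probe it, then shut it down.
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return classify_probe("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

Calling `run_sim(HotspotSim)` reports the network as captive together with the login URL the client would open; `run_sim(OpenNetSim)` reports it as open.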
 
agnostic
Frequent Visitor
Posts: 61
Joined: Fri Mar 21, 2014 8:23 pm

Re: Hotspot redirect does not work when using HTTPS

Thu Jul 14, 2016 1:22 pm

Forgot to mention that login with http chap and MAC cookie combined is better, because some smartphones or tablets won't work properly otherwise.
 
fleroviumheron424
just joined
Posts: 1
Joined: Tue Jul 19, 2016 9:37 am

Re: Hotspot redirect does not work when using HTTPS

Tue Jul 19, 2016 9:39 am

Forgot to mention that login with http chap and MAC cookie combined is better, because some smartphones or tablets won't work properly otherwise.
You're right
