Wireless portal authentication prompts insecure connection

2022-03-22 01:52:05 Published

Network Topology

Typical Networking for Portal Authentication


Problem Description

The site is deployed in the wireless Portal networking mode and uses the certificate server method for authentication. After the network was set up, it was found that, even after the CA certificate file had been imported on the clients, some client computers using the default browser, and Mac computers using Firefox, displayed an "Insecure connection" warning when accessing the network, indicating a security access risk.

Process Analysis

Check configuration:

2-2  Import certificate         

[AP21-LIB-2FWLC]pki domain importdomain      

[AP21-LIB-2FWLC-pki-domain-importdomain]undo crl check enable        

[AP21-LIB-2FWLC-pki-domain-importdomain]public-key rsa signature name sign encryption name encr

[AP21-LIB-2FWLC-pki-domain-importdomain] quit

[AP21-LIB-2FWLC]pki import domain importdomain pem ca filename root_ca.cer

[AP21-LIB-2FWLC]pki import domain importdomain pem local filename ap21-lib2fwlc.sp.toyaku.ac.jpv2.cer      

2-3   Apply server certificate to HTTPS pages               

[AP21-LIB-2FWLC] ssl server-policy myssl   

[AP21-LIB-2FWLC-ssl-server-policy-myssl] pki-domain importdomain      

[AP21-LIB-2FWLC-ssl-server-policy-myssl] quit  

[AP21-LIB-2FWLC] undo ip https enable      

[AP21-LIB-2FWLC] undo ip http enable        

[AP21-LIB-2FWLC] ip https ssl-server-policy myssl      

[AP21-LIB-2FWLC] ip https enable        

[AP21-LIB-2FWLC] ip http enable 

[AP21-LIB-2FWLC] undo portal local-web-server        

[AP21-LIB-2FWLC] portal local-web-server https ssl-server-policy myssl tcp-port 2331 

[AP21-LIB-2FWLC-portal local-web-server] default-logon-page toyakulogin.zip     

[AP21-LIB-2FWLC-portal local-web-server] tcp-port 2331

[AP21-LIB-2FWLC-portal local-web-server] quit 

 

A Wireshark capture shows that the client does not receive the intermediate certificate, so the computer reports an insecure connection.

Solution

Use the certificate-chain-sending enable command to configure the SSL server to send the complete certificate chain during SSL negotiation.

By default, during SSL negotiation, the SSL server only sends the local certificate and does not send the certificate chain.
