Captive Portal - SFOS 18.5.0 GA-Build264

Hi

We have an XGS2300 (SFOS 18.5.0 GA-Build264) and captive portal is configured for all users who wish to access the internet.

Redirection to the portal works, but:

  1. No confirmation that the user is authenticated, and the original page requested is not opened in the captive portal window, but if you open a new window or tab then it works.
  2. Once authenticated, HTTPS sites do not load. If we switch off match known users etc. then HTTPS works. There is no web filter policy at all at present.



  • Ok, so with the upgrade to SFOS 19.0.0 GA-Build317 the issues I had on captive portal are now resolved, but I have another problem.

    If a user requests an HTTPS site they are redirected to the captive portal, they authenticate, but then the page originally requested shows an invalid certificate and they cannot continue. I can't install certs on all devices as there are literally over 100 devices as well as guests.

    Doesn't matter what OS or browser they all have the same issue. 

    So for now match known users is off.

  • Hey,

    Thank you for the update. If you are using captive portal authentication, ensure you have a plain FW rule LAN to WAN with only DNS service allowed!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • Can you move the LAN to WAN just below the Allow DNS rule?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • Done and will revert when tested but I do think the LAN - WAN was below it before.

  • Hi Marco Camacho2 

    As per your current firewall rules, all LAN user traffic is passing through rule ID #5, and it is a plain/bypass firewall rule; now the user will have access to the internet without authentication and security.

    Hope you have a valid license on Sophos XG to use all security features.

    If you want to authenticate users, you can use the Captive Portal page or the CAA client installed on the end system, or you can configure STAS, where no Captive Portal or CAA client needs to be installed. Clientless users need to be configured to authenticate users/devices (such as printers and IP phones), and on the firewall rule you have to tick "Match known users" for authentication to work.

    Browsers don't trust the Sophos IP; to resolve this, the Default CA needs to be installed. You can push the certificate at once to all Windows systems with the AD server; some systems or devices require manual installation. Or try Sophos Network Agent for challenging devices like mobile devices, CAA or STAS for Windows systems, and clientless users for printers or IP phones.

    Try to check the issue and requirement with the latest firmware available: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • We have a mixed environment of Apple, Linux and Windows. Also we have contractors who access our LAN, not the guest network, so I can't be installing the CA on all these devices. Is there no way to use captive portal without installing the CA?

  • Hi Marco Camacho2

    There is no other way with HTTPS, but you can get a captive portal page on HTTP with no certificate error, which is not recommended from a security standpoint; HTTPS requires the certificate to be installed on the end system or device on the LAN.

    Please tick "Use insecure HTTP instead of HTTPS" and try.

    Make sure you clear the cache and history of the browser in case it is not working properly.

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

