XG Firewall and BYOD WiFi on VLAN in a school

New install of XG Firewall in a UK school and I am really struggling to get the Captive Portal to work on iOS and Android devices.

  • It works for Windows devices: as soon as I connect to the network, a logon window appears (not the Sophos one) and I can authenticate and browse the internet.
  • On iOS, when connected to the WiFi it gets an IP on the correct VLAN; however, the Captive Portal does not appear. It will only appear if we browse to it in Safari or Chrome. Once logged in, I can access the internet with no issues.
  • Android pops up a certificate error page; again, if I get to the portal by typing in the URL it works. I have purchased a globally signed certificate but it still fails whether HTTPS is on or off.

Sophos support have spent most of the week on it, to finally tell me that I need to get a certificate for the IP address and not the URL, or install the client. The Client is not an option for over 1000 students and 90+ staff.

If I was to get another certificate, what do I need and which IP address do I use? Or is there another solution?

I am desperate for a solution and under huge pressure to get this resolved ASAP.

Thanks

  • So essentially clients should do the redirect to the portal. But this can break if the certificate of the website is not valid/trusted. Therefore you should make sure the redirect of the Captive Portal is reachable and has a valid cert. You can decide in Admin settings if you use a URL or an IP for this. 

  • Thanks for the reply, we do have a certificate for the URL, which has a green tick to say it is verified. It is also globally signed by RapidSSL.

    When we browse internally to the URL via HTTPS on a Windows device, iOS or Android, it loads with no errors and the certificate is valid.

    The admin settings for the portal are as below... 

  • That is not the admin settings. 

    Check: 

  • Sorry, I thought you meant the Authentication page. I have checked the main admin settings as well and they look correct...

  • And this hostname you are using, is this the hostname somebody can publicly resolve? 

  • Ah, right, support didn't tell me that.

    Back to square one!

    Thanks

  • Let me put something in perspective: 

    You are using a hostname for the firewall and the firewall is using a certificate for this hostname. 

    Let's say: XG.customer.local

    If a client connects to your firewall, it will do the check to get the captive portal. If this resolves to XG.customer.local, it will ask the DNS (which could be the firewall or not). The IP will be resolved and connected to. 

    In case of connection, the firewall will use the hostname the client was provided. So you could have a problem here: internal DNS is not resolving to the original IP. 

  • Thanks for staying with me on this, I really appreciate it as this is outside of my understanding, but I have set up the following.

    The firewall is known internally as XG.int.domain.com (int is our internal sub domain and not externally resolved).

    The firewall has two internal IPs: Corporate - 10.0.0.XX1, WiFi 10.0.40.xx1. Both IPs are resolved internally via internal DNS.

    The external IP does not resolve to that URL. 

    The CSR was made with the two internal IPs and the internal URL.

    So would the best practice be that I need to rename it to XG.domain.com, create a new CSR for the two internal IPs and the external IP, and add the hostname to the internal DNS for the two internal IPs?
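The two points raised in this thread (the captive-portal redirect must present a certificate that is valid for whatever name or IP the client is actually sent to, and the hostname must resolve inside the network to one of the firewall's own interface addresses) can be checked before ordering a new CSR. The script below is an added example, not Sophos code and not something posted in the thread. It inspects a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, checks which redirect targets (the portal hostname and each firewall IP) the certificate's Subject Alternative Names fail to cover, and checks whether DNS resolution of the hostname lands on a firewall IP. The hostname `xg.int.example.com`, the IPs in the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges, the two sample certificates and the port number are all constructed placeholders, not values from the thread.

```python
"""Check whether a captive-portal certificate covers every target a client
may be redirected to, and whether internal DNS resolves the portal hostname
to the firewall itself.  Added example; all sample data below is constructed."""
import ipaddress
import socket
import ssl
from typing import Callable, Iterable


def san_entries(cert: dict) -> tuple[set, set]:
    """Split the subjectAltName tuples of a getpeercert()-style dict into
    lowercase DNS names and IP-address strings."""
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(value)
    return dns, ips


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a wildcard covering exactly one
    leading label (*.int.example.com matches xg.int.example.com only)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        pattern_labels = pattern.split(".")[1:]
        host_labels = hostname.split(".")
        return len(host_labels) == len(pattern_labels) + 1 and host_labels[1:] == pattern_labels
    return False


def cert_covers(cert: dict, target: str) -> bool:
    """True if the certificate is valid for `target`.  A target that is an IP
    literal is matched only against IP-address SANs, never against DNS SANs;
    that is why a hostname-only certificate fails when the portal redirect
    points at the firewall's IP."""
    dns, ips = san_entries(cert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(dns_name_matches(p, target) for p in dns)
    return any(ip == ipaddress.ip_address(i) for i in ips)


def resolve_dns(hostname: str) -> list:
    """Resolve with the system resolver; empty list when the name is unknown."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except socket.gaierror:
        return []


def check_portal(cert: dict, hostname: str, firewall_ips: Iterable[str],
                 resolve: Callable[[str], list] = resolve_dns) -> dict:
    """Report the redirect targets the certificate does not cover and whether
    the hostname resolves to one of the firewall's own interface IPs."""
    firewall_ips = list(firewall_ips)
    resolved = set(resolve(hostname))
    return {
        "uncovered": [t for t in [hostname, *firewall_ips] if not cert_covers(cert, t)],
        "resolved": sorted(resolved),
        "resolves_to_firewall": bool(resolved & set(firewall_ips)),
    }


def fetch_cert(host: str, port: int) -> dict:
    """Fetch the live certificate a client would see at the portal address.
    create_default_context() verifies the chain and the hostname, so an
    untrusted or mismatched certificate raises SSLCertVerificationError here,
    exactly as the client's captive-portal check would reject it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data (placeholders, not the thread's real values).
PORTAL_HOST = "xg.int.example.com"
FIREWALL_IPS = ["192.0.2.1", "192.0.2.41"]          # two internal interfaces
CERT_HOSTNAME_ONLY = {"subjectAltName": (("DNS", PORTAL_HOST),)}
CERT_WITH_IPS = {"subjectAltName": (("DNS", PORTAL_HOST),
                                    ("IP Address", "192.0.2.1"),
                                    ("IP Address", "192.0.2.41"))}

if __name__ == "__main__":
    # Simulated resolvers stand in for the school's internal DNS.
    internal = lambda h: ["192.0.2.1"]
    external = lambda h: ["203.0.113.5"]
    print("hostname-only cert:", check_portal(CERT_HOSTNAME_ONLY, PORTAL_HOST, FIREWALL_IPS, internal))
    print("cert with IP SANs: ", check_portal(CERT_WITH_IPS, PORTAL_HOST, FIREWALL_IPS, external))
```

Run against the live portal by replacing the sample dictionaries with `fetch_cert(PORTAL_HOST, port)` for whichever port the portal listens on, and by dropping the simulated resolver so `resolve_dns` is used. An empty `uncovered` list together with `resolves_to_firewall` being true is the state the replies in this thread describe as required; any IP listed under `uncovered` is one the CSR would need as an IP-address SAN if the redirect is configured to use an IP rather than the hostname.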