Topic: HTTPS websites are not redirected to the Captive Portal
« on: June 18, 2013, 12:04:28 »
FTBZ *
Posts: 11

I noticed that all HTTPS websites are not redirected to the Captive Portal login page. HTTP always works, but HTTPS gets a browser timeout error (tested on multiple OSes with multiple browsers).

Is this a known problem? Is it solved by activating SSL on m0n0wall?
« Reply #1 on: June 18, 2013, 23:31:30 »
Lee Sharp *****
Posts: 517

This is a known limitation. The reason is that you cannot just jump into an https session... (certificates complain and all that). So you have to do an http session before anything else will work.
« Reply #2 on: June 19, 2013, 05:34:43 »
FTBZ *
Posts: 11

Thank you for your help! But this is annoying, because the majority of our clients are Macs that use Safari, and this browser uses https for its default Google search engine.
« Last Edit: June 19, 2013, 05:39:34 by FTBZ »
« Reply #3 on: June 19, 2013, 18:01:38 »
Lee Sharp *****
Posts: 517

Yes, it is a real pain, but it is a limitation of the https protocol, not captive portal. Any redirect would have an invalid certificate, and send up a big warning in the browser. You think you get support calls now...
« Reply #4 on: June 19, 2013, 18:38:13 »
FTBZ *
Posts: 11

Sure, but I would prefer that it works with a warning rather than not working at all. Now we're using a portal that shows us the certificate warning.

Is there a way to reverse this?
« Reply #5 on: June 19, 2013, 21:21:08 »
Lee Sharp *****
Posts: 517

This is how https is intended to work.  The entire point of the ssl certificates is to prevent a man in the middle attack, which is essentially what captive portal is doing.

The workaround is to use a GPO to push out the certificate of your proxy to all of the clients.
« Reply #6 on: June 19, 2013, 22:21:21 »
FTBZ *
Posts: 11

Quote: This is how https is intended to work.  The entire point of the ssl certificates is to prevent a man in the middle attack, which is essentially what captive portal is doing.

I'm not sure I understand how it's dangerous for MITM attacks to allow https?

Quote: The workaround is to use a GPO to push out the certificate of your proxy to all of the clients.

I can't; this is a guest SSID only and I don't manage the computers on this side of my network.
« Reply #7 on: June 20, 2013, 22:32:55 »
brushedmoss ****
Posts: 446

If you want to intercept SSL in any captive firewall you will have a certificate issue. The only way around this is to install a special cert that trusts the captive firewall into all users' machines.

But think about your local coffee shop or airport: they don't do this. What happens there? Do you have to go to a non-SSL site first?

OS X has features where it will attempt to discover a captive portal (I don't have one to test). I assume this should work?
« Reply #8 on: June 21, 2013, 05:41:38 »
Lee Sharp *****
Posts: 517

Quote: This is how https is intended to work.  The entire point of the ssl certificates is to prevent a man in the middle attack, which is essentially what captive portal is doing.
Quote: I'm not sure I understand how it's dangerous for MITM attacks to allow https?

You go to https://www.google.com and I redirect you to my page. Now my certificate does not say www.google.com, which is what your browser is expecting, so it coughs up an error. This is the behavior ssl is supposed to have, as it prevents website spoofing unless you have a certificate signed by a widely accepted root authority.
« Reply #9 on: June 21, 2013, 06:33:50 »
FTBZ *
Posts: 11

Thank you for your help.

Quote: OS X has features where it will attempt to discover a captive portal (I don't have one to test). I assume this should work?

That's true, now I understand the concept of this feature. As far as I know, Windows 8 proposes this function too, and it will probably be a standard in the next few years.

Quote: This is the behavior ssl is supposed to have, as it prevents website spoofing unless you have a certificate signed by a widely accepted root authority.

That's true, now I understand. Thanks again.
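
The captive-portal discovery feature mentioned in replies #7 and #9, sketched as an added example that is not part of the original thread and not m0n0wall or vendor code: the client sends a probe over plain HTTP, which a portal can answer without needing a certificate for the probed name, and classifies the reply. The expected body `Success`, the `portal.example` host and the sample responses are constructed assumptions.

```python
"""Classify the reply to a plaintext HTTP connectivity probe (added example)."""
from email.parser import BytesParser
from typing import Optional, Tuple

# Assumed probe contract (hypothetical): on an open network the probe URL
# answers 200 with exactly this body. Anything else means interception.
EXPECTED_BODY = b"Success"
REDIRECTS = (301, 302, 303, 307, 308)


def classify_probe(raw_response: bytes) -> Tuple[str, Optional[str]]:
    """Return (state, portal_url) for a raw HTTP/1.x reply to the probe.

    state is "open", "captive" or "unknown"; portal_url is the redirect
    target when the portal announced one, else None.
    """
    head, _, body = raw_response.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "unknown", None          # not an HTTP reply at all
    status = int(parts[1])
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)

    if status in REDIRECTS:
        # The usual portal behaviour: redirect the plain-HTTP request to the login page.
        return "captive", headers.get("Location")
    if status == 200 and body.strip() == EXPECTED_BODY:
        return "open", None
    if status == 200:
        # Portal answered in place of the real server with its own page.
        return "captive", None
    return "unknown", None


# Constructed sample replies (not captured traffic).
PORTAL_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: http://portal.example/login\r\n"
                   b"Content-Length: 0\r\n\r\n")
OPEN_NETWORK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nSuccess\n"
REWRITTEN_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Please log in</html>"

if __name__ == "__main__":
    for name, raw in [("redirect", PORTAL_REDIRECT), ("open", OPEN_NETWORK),
                      ("rewritten", REWRITTEN_PAGE)]:
        print(name, classify_probe(raw))
```

The same probe sent over HTTPS would fail the certificate name check described in reply #8 instead of reaching the portal, which is why the probe uses plain HTTP.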