Web authentication and SSL problem (HSTS)

LALU Posts: 7
edited April 2021 in Security
Hi, I have configured a USG 1900 with web authentication.
Clients connected to the hotspot are prompted with the following message when they want to visit an HTTPS website, and it is not possible to continue browsing.

Instead, when a client opens an HTTP site, it is correctly redirected to the USG authentication page.

Firmware: V 4.33 (AAPL0) 2019-01-09

Message in Firefox

Message on Chrome

I tried to change the Logout IP under Web Portal General Setting from 1.1.1.1 to 10.1.1.1 and the message for HTTPS requests changes: now I can proceed by pressing the "Open Network Login Page" button.
Obviously it is not a solution and cannot remain that way.

Is it a known bug?
Is Zyxel already working on it?
Is there a workaround?

Thank you
Regards
Luca

All Replies

  • Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @LALU
    Regarding this case,
    you need to import the certificate (exported from the USG) into the PC and browser.
    After that, clear the browser cache and check it again.
    The attached document is for your reference.
    Charlie
  • LALU Posts: 7
    @Zyxel_Charlie
    Thank you, but it is not a solution.

    This gateway manages the access of a public Wi-Fi network with about 1000-1500 registered users; I cannot go through every customer's device to configure the certificate.
    The curious thing is that with the UAG 5100 this problem does not occur.

  • Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @LALU
    Regarding this case,
    if you enable SSL Inspection, you need to import the certificate of the USG into the PC, since each device which supports SSL inspection needs to do the same to avoid this behavior.

    However, if you do not enable SSL Inspection and the issue still occurs, can you go to WWW> and disable Redirect HTTP to HTTPS (since the function on the UAG5100 is disabled by default)?

    Charlie
  • dpipro Posts: 64  ZCNE Certified
    Hello Charlie,

    I have the same issue with a ZUSG40W. I followed all the instructions and the configuration works only for Android devices. Windows, macOS and iPhone can't get the User Agreement screen and can't access the internet. We got a Bad Request screen:

    Any ideas?

    ZyWALL USG40W
    F/W Rev 4.33(AALB.0)

    Thank you.

    Best regards,
    Fernando
  • Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @dpipro

    Usually, the client will be redirected to the login page automatically when connecting to WiFi.

    Can you make sure the “Force User Authentication” function is enabled in Webauth first?

    If the authentication page does not pop up on your phone, you can try to access an HTTP website to verify it.

    e.g. http://www.yahoo.jp

    Then it should be able to redirect you to the login page.
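
Added example, not part of the thread or of Zyxel's documentation: a Python sketch of the plain-HTTP check suggested in the last reply, classifying the raw reply a client receives so that a portal redirect, the "Bad Request" page reported above and an already-open connection can be told apart. The portal address 192.0.2.1, the /login path, the function names and the sample responses are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample replies; 192.0.2.1 and /login are placeholders,
# not the USG's real portal address or path.
SAMPLES = {
    "redirected": b"HTTP/1.1 302 Found\r\nLocation: http://192.0.2.1/login\r\n\r\n",
    "bad_request": b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
                   b"<h1>Bad Request</h1>",
    "online": b"HTTP/1.1 204 No Content\r\n\r\n",
    "not_http": b"\x15\x03\x03\x00\x02\x02\x28",  # non-HTTP bytes on the socket
}

def classify_probe(raw, portal_hosts, expected_body=b""):
    """Classify the raw reply to a plain-HTTP connectivity probe."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if 300 <= status < 400:
        # A redirect counts as the portal only if it points at a known portal host.
        host = urlsplit(headers.get("location", "")).hostname
        return "portal-redirect" if host in portal_hosts else "other-redirect"
    if status == 400:
        return "bad-request"
    if 200 <= status < 300:
        # A 2xx whose body differs from the probe's known body was served by
        # something other than the probe target (for example an inline portal page).
        return "open" if body == expected_body else "unexpected-content"
    return "other"

def classify_samples(portal_hosts=frozenset({"192.0.2.1"})):
    """Run the classifier over the constructed samples."""
    return {name: classify_probe(raw, portal_hosts) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12} -> {verdict}")
```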
